Is Discussion of Password Problems Really Reprehensible?

[Robbyrobot]

Although I can understand a ban on discussion of cracking passwords in a public forum like this one in view of the possible legal ramifications (responsibility), the holier-than-thou attitudes some people display on this subject really get me riled.

I've never had any password problems, with laptops or desktops, for the simple reason that I don't use them, I don't like them and I consider them an unnecessary risk to the legitimate owner who is, after all, a fallible and forgetful human being.

Over the years, I've seen far too many cases of people who have, without thinking, set a password, forgotten or misplaced it and then desperately tried to remove it to regain access to their own property. People who act as if they were the moral judges of the universe are the last thing they need in such a situation.

As most forum participants doubtless know, there are places where help is available - and not only for a great deal of money. Wouldn't it be better to mention them here than to leave people who are affected by such problems out in the cold?

I'd like to start a general discussion on this subject and hear the pros and cons.

[rkawakami]

The main "con" about discussing the password issue in publc is that the site does not want to be in the position of dispensing any information about the hows and whys to a potential crook or thief. As outlined in the FAQ, item#12, it is a highly-charged subject with good points and bad points on BOTH sides of the issue. A recent discussion was held "off-line" with some of the mods and admins about this subject and the decision was made to maintain the ban. There is no ban on discussing anything via PM.

As you do not use passwords then you certainly know that if your system was ever stolen or lost, whoever grabbed/found it, would have access to everything on it. If you are comfortable with that, then that's your choice. I have been a victim of a stolen laptop. In 2002 while on vacation in Australia I lost my laptop, money, plane tickets, passports, video tapes, flash cards, wine, batteries, battery chargers and more. I now choose to use both the supervisor and hard disk passwords on the system(s) which leave my house on a regular basis. I would like to make it as hard as possible for any unauthorized person to get at my data. I'm not so much worried about the laptop itself; to me the information on the hard drive is more important. As you pointed out, there are places where help is available. I'm sure that if the person is able to find this site, they can find others just as well.

[Robbyrobot]

As you pointed out, there are places where help is available. I'm sure that if the person is able to find this site, they can find others just as well.

People who forget or misplace passwords are not experts, Ray. And finding this site is a great deal easier than finding the sites you and I are aware of. My fear is that the people who need such information the most have the least access to it.

[rkawakami]

I understand. Somebody may have a legitimate problem with a forgotten password. Or they may be a victim of a prank gone wrong. Or they may be a lazy thief looking for an easy solution. As it's hard to determine which is the truth in a forum such as this, I'm afraid that for now, the site has taken this stance. If somebody were to come to the site and ask for help, there's nothing preventing somebody else from responding to that plea via a PM. All we ask is that public discussion be avoided.

edit: Had to think carefully about this additional response.... If, as you say, the person who has forgotten their own password is not an "expert", then I would say they would not be able to do anything by themselves anyway. Most likely they would not have the skill sets required, nor the equipment on hand; somebody else would have to do the work for them. That leads to the "services" that have been around for some time now. Anybody who knows their way around a web browser can find them. And that's about all I can say on the subject.

[Robbyrobot]

Turning the argument around, what "lazy thief looking for an easy solution" would be interested in doing the kind of thing necessary to remove a supervisor password? That's nothing for the lazy, at least not in my books.

And why shouldn't your own - very good - description of how to read out a supervisor password be mentioned here, except for legal (responsibility) reasons? At best it could help someone with a problem and (if necessary) a helpful friend to eliminate a problem. At worst it's a useless add-on that might endanger the website if some wild-eyed lawyer were to find it.

But enough of that for now from you and me... now I'd like to hear some other voices.

[carbon_unit]

At worst it's a useless add-on that might endanger the website if some wild-eyed lawyer were to find it.

There is a big problem. We are not going to endanger this website over password cracking information.
IBM put the password ability there for a reason, not just to be an obstacle for legitimate users.

If a person is totally against passwords then they should not use them, but then you run the risk of someone else setting one that you don't know. I recommend that password shy people use a simple password such as their screen name, phone number or their SSN because it is almost impossible to forget and the presence of any password presents a problem to the prankster or common thief. A determined thief will get to your data without our help.
Properly protecting your Thinkpad is really your responsibility not ours. Using passwords properly falls into that category.

[GomJabbar]

I just a brought a IBM T30 off the streets ! I am going to tell the truths ! I am not going to make anything up! Well, when I boot up the computer it is lock! It show a symbol of a computer and a lock. Is there a way to go around this and bypass the password so I can login?? the Thinkpad looks very good so I am wondering if someone can help me out?? Let me know !

The above quote is somewhat obvious. The thread develops below:

Sounds like you got a 'HOT' deal! Too bad about your problem though.

Yeah, I know !! but the laptop is in a good condition and I don't have money to buy a new one so this is the best I can do for myself !

Not all thiefs and buyers of stolen merchandise are as stupid as this one when trying to get help. They can be quite clever in concocting a story that sounds legitimate. This can make the average reader want to help - when they really shouldn't.

If remembering a password is really critical, that password creator is usually smart enough to take steps to safeguard it. A more casual user may lose documents, family photos, music downloads, and the use of their computer, but this is really more of an inconvenience than anything.

To paraphrase Forrest Gump:

Properly protecting your Thinkpad is really your responsibility not ours. Using passwords properly falls into that category.

Well said

[JaneL]

Although I can understand a ban on discussion of cracking passwords in a public forum like this one in view of the possible legal ramifications (responsibility), the holier-than-thou attitudes some people display on this subject really get me riled.

Well, here's my holier-than-thou attitude. We've been down this road many times over the years both here and on the mailing list, and a change in the guidelines for this is not up for discussion.

[Robbyrobot]

If a person is totally against passwords then they should not use them, but then you run the risk of someone else setting one that you don't know.

This is a reasonable comment, and in the case of HDDs applies to ALL IDE drives, not only those in laptops.

Some years ago, the German computer magazine c't pointed out that all IDE hard drives, not merely the ones used in laptops, accept a password - meaning that the possibility to be locked out of your hard drive by malicious setting of a password exists even in a normal desktop computer. It seems this ability is included in the IDE specification, but is little known and used except in laptops. c't pointed out the potential danger of malware that would password the HDD in a victim's system and then demand a "ransom" to remove it.

This ability to set a password can be "locked" so that no password can be set, and in fact c't offered a utility to do just that, to be put into the boot sequence of the computer. But the locking command must be repeated every time the HDD is powered up, since it is not permanent. Only a BIOS set up to deal with HDD passwords would offer a permanent solution, and in desktop computers this was rare at the time the c't article appeared.

Up to now, the potential danger c't pointed out hasn't materialized, but the potential remains. And although c't in its report advised desktop computer BIOS manufacturers to implement HDD password controls so that HDD passwords could only be set intentionally and by a conscious action of the owner, I have not read anything further on this subject.

If anyone is interested - and can read German - I'll look up the article and provide a link.

Moderator edit: Link to English version of c't article

[dsigma6]

To me, it's like asking how to hot wire a car on an automotive forum. Why are we having this discussion??