SQLServerCentral / Editorials / SQLServerCentral.com / Password Help / Latest Posts

RE: Password Help

Gary Varga — Mon, 09 Jul 2012 23:59:27 GMT

Thanks kevin77.I was wondering if anyone had done more of the solution in SQL Server and thought that was the way to go? And if so, why?

RE: Password Help

Steve Jones - SSC Editor — Mon, 09 Jul 2012 10:55:35 GMT

96 bit salt used here (12 bytes)

RE: Password Help

kevin77 — Mon, 09 Jul 2012 10:39:29 GMT

[quote]Is there a decent article on this or have you just volunteered to write this kevin77?[/quote]Since this is a SQL site, I have to say I've never seen it done in SQL before so don't know if there are any articles. But on the client or server side, in just about any programming language, you should be able to find many examples.[quote]Our first iteration stored them encrypted, but retrievable. We removed that after a year or so and went to the hash.[/quote]Yeah, those are the two use cases. If all you ever have to do is authenticate a user, then you should store a salted hash of the user's password. If, however, you have to impersonate the user, then you have no choice but to store the user's password using two way encryption. You then have to do all you can to protect your encryption key(s).Here is sample code application in C# and attached is a Zip file of a Visual Studio 2010 solution (of course, there is nothing special about the solution, it's just the one file):[code="vb"]using System;using System.Security.Cryptography;namespace PasswordHashTest{ /// <summary>Test class shows how to hash and store a password with a salt value.</summary> public class Program { /// <summary>The number of bytes used when creating a random value (salt) to be concatinated with a /// user's password when performing a hash. Salt values help prevent reverse dictionary lookups, /// also known as Rainbow Tables.</summary> private const int PasswordSaltLength = 4; /// <summary>We'll use this variable as our data store for this example.</summary> private static string PasswordHashStoredInDatabase = String.Empty; static void Main(string[] args) { CreateAndStorePasswordHash("SqlServerCentral.com rocks!"); // Read the password entered by the user. Console.WriteLine("Please enter the password."); if (VerifyPassword(Console.ReadLine())) { Console.WriteLine("The password you entered is correct."); } else { Console.WriteLine("Incorrect password."); } // Press the Enter key to exit. Console.WriteLine("Press any key to exit."); Console.ReadLine(); } private static void CreateAndStorePasswordHash(string plainTextPasswordFromApplication) { byte[] salt = CreateRandomSalt(); // Store this string in a single column in the database. string hashedPassword = HashText(plainTextPasswordFromApplication, salt); PasswordHashStoredInDatabase = hashedPassword; } private static bool VerifyPassword(string plainTextPasswordFromApplication) { // Now you want to authenticate a user, so get the hashed password from the database based // upon the username they entered. string passwordHashFromDatabase = PasswordHashStoredInDatabase; byte[] databasePasswordBytes = Convert.FromBase64String(passwordHashFromDatabase); byte[] originalSalt = new byte[PasswordSaltLength]; // We know the salt is stored in the first bytes. Array.Copy(databasePasswordBytes, 0, originalSalt, 0, originalSalt.Length); if (passwordHashFromDatabase == HashText(plainTextPasswordFromApplication, originalSalt)) { return true; } return false; } /// <summary>Performs an SHA1 hash of the <paramref name="text"/> and <paramref name="salt"/> value /// and returns the result as a Base64 encoded string.</summary> /// <param name="text">Any text string to hash.</param> /// <param name="salt">A random array of bytes to be hashed along with <paramref name="text"/> that /// will prevent the use of reverse lookup dictionaries and 'Rainbow Tables'.</param> /// <returns>A Base64 encoded string that contains bytes of the resulting SHA1 hash of the /// <paramref name="text"/> and <paramref name="salt"/>. When decoded from Base64 to a byte array, /// the first <see cref="PasswordSaltLength"/> number of bytes represent the salt value that was /// used. This allows the hash to be stored in one field and also allows you to compare the hash /// of another text value, such as a password, to the original by sending in the new text value /// and the salt from the original hash.</returns> private static string HashText(string text, byte[] salt) { SHA1CryptoServiceProvider sha1 = new SHA1CryptoServiceProvider(); // Convert the original string to an array of bytes. byte[] textBytes = System.Text.Encoding.UTF8.GetBytes(text); // Combine the salt bytes with the text bytes. byte[] bytesToHash = new byte[salt.Length + textBytes.Length]; // The salt bytes go first, then the text bytes. Array.Copy(salt, 0, bytesToHash, 0, salt.Length); Array.Copy(textBytes, 0, bytesToHash, salt.Length, textBytes.Length); // Compute a hash of the text combined with the salt will make a unique value such that you // cannot perform a reverse lookup on the hash. byte[] hashedBytes = sha1.ComputeHash(bytesToHash); // Finally, so that we can perform comparisons on the hashed value at a later date, we will // store the salt value at the beginning of the hashed array. The salt length must be known // and remain constant. byte[] storedHashArray = new byte[salt.Length + hashedBytes.Length]; Array.Copy(salt, 0, storedHashArray, 0, salt.Length); Array.Copy(hashedBytes, 0, storedHashArray, salt.Length, hashedBytes.Length); return Convert.ToBase64String(storedHashArray); } /// <summary>Returns a random salt value returned as a integer.</summary> /// <returns>A byte array of random bytes.</returns> private static byte[] CreateRandomSalt() { byte[] saltBytes = new byte[PasswordSaltLength]; RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); rng.GetNonZeroBytes(saltBytes); return saltBytes; } }}[/code]

RE: Password Help

Steve Jones - SSC Editor — Mon, 09 Jul 2012 09:51:23 GMT

[quote][b]kevin77 (7/8/2012)[/b][hr]Steve, what does SqlServerCentral.com do to store passwords and authenticate users? If it's not a hash with a four or five byte salt, then I would gladly help out to fix the problem.[/quote]We use a hash, but I'll have to ask. I didn't write the routine. Our first iteration stored them encrypted, but retrievable. We removed that after a year or so and went to the hash. We do throw the login routine to SSL to limit man-in-the-middle attacks on that part of the site.

RE: Password Help

Gary Varga — Mon, 09 Jul 2012 04:12:30 GMT

[quote][b]kevin77 (7/8/2012)[/b][hr]Yet another password security breach in which the company did not use a salt value when hashing the password:[url]http://www.pcworld.com/article/258941/password_protection_101_lessons_from_the_eharmony_data_breach.html#tk.nl_dnx_t_crawl[/url]I wish I had the drive and resources to contact every company I could and teach them how to properly do this. Someone needs to get the word out.Steve, what does SqlServerCentral.com do to store passwords and authenticate users? If it's not a hash with a four or five byte salt, then I would gladly help out to fix the problem.[/quote]Is there a decent article on this or have you just volunteered to write this kevin77? ;-)

RE: Password Help

kevin77 — Sun, 08 Jul 2012 19:13:48 GMT

Yet another password security breach in which the company did not use a salt value when hashing the password:[url]http://www.pcworld.com/article/258941/password_protection_101_lessons_from_the_eharmony_data_breach.html#tk.nl_dnx_t_crawl[/url]I wish I had the drive and resources to contact every company I could and teach them how to properly do this. Someone needs to get the word out.Steve, what does SqlServerCentral.com do to store passwords and authenticate users? If it's not a hash with a four or five byte salt, then I would gladly help out to fix the problem.

RE: Password Help

Doctor Who 2 — Sat, 30 Jun 2012 07:42:18 GMT

[quote][b]Steve Jones - SSC Editor (6/29/2012)[/b][hr]The two links posted above work. There are also versions in some mobile stores. I have a port for iOS and for OSX as well.[/quote]I'm very embarrassed. I'm sorry, I hadn't noticed that you did provide links to both in your post which started this thread.

RE: Password Help

Steve Jones - SSC Editor — Fri, 29 Jun 2012 09:37:18 GMT

The two links posted above work. There are also versions in some mobile stores. I have a port for iOS and for OSX as well.

RE: Password Help

djackson 22568 — Fri, 29 Jun 2012 08:48:55 GMT

[quote][b]Doctor Who 2 (6/29/2012)[/b][hr]Just a followup question. Steve mentioned, in this article, KeePass and Password Safe. Until I read his article I'd never heard of either. So I've done a web search, and am getting results to different websites to download them. That makes me very uncomfortable.Bottom line: what's the links to both of these products, please?[/quote]http://passwordsafe.sourceforge.net/I see someone already posted the peepass.info site.

RE: Password Help

Kelly Schlueter — Fri, 29 Jun 2012 08:16:17 GMT

For KeePass:http://keepass.info/download.html

RE: Password Help

Doctor Who 2 — Fri, 29 Jun 2012 06:34:38 GMT

Just a followup question. Steve mentioned, in this article, KeePass and Password Safe. Until I read his article I'd never heard of either. So I've done a web search, and am getting results to different websites to download them. That makes me very uncomfortable.Bottom line: what's the links to both of these products, please?

RE: Password Help

Doctor Who 2 — Fri, 29 Jun 2012 06:30:35 GMT

[quote][b]kevin77 (6/28/2012)[/b][hr]But...getting back to the more root of the problem. What the hell was LinkedIn.com doing storing hashed passwords without a salt value!!!!!This isn't the first time Steve has brought this topic up. Here is my response from before:From the editorial "Should You Write Down Your Passwords?" [url]http://www.sqlservercentral.com/Forums/FindPost1017344.aspx[/url][/quote]Speaking only for myself, I've never even heard of a salt value, until the LinkedIn hack had occurred. I was surprised to see, at the time, all of the press saying that using a salt value was common practice. That may be, but I still haven't heard of it. Nor, do I admit, am I a security expert.

RE: Password Help

cksid — Thu, 28 Jun 2012 15:44:00 GMT

I use 1Password as my password program. The portability is there as the chain and the ability to use it from any computer is available in dropbox. It also has an android and Apple apps, so I can have it on my phone which I can then access my passwords to type in at a computer that is not mine.I used the program when I had an Imac, then when I went back to a PC, I made sure 1Password program went with me. I didn't want a password service that could be hacked by someone then all my passwords would be compromised. I have the program installed on my work computers but if I couldn't do that then I would use my phone app to access the passwords. It is compatible with Firefox/Chrome/Safari/IE with the extensions installed so if I got to a website that I have a password set up on, I click a button in the toolbar, 1Password asks me for my master password which I enter, then based on the website, the user name and password are entered by the program and I get logged in.The program will generate strong passwords for you and you can tell the program the length, numbers/special characters for the password.Christy

RE: Password Help

SQLBill — Thu, 28 Jun 2012 15:19:05 GMT

[quote][b]Steve Jones - SSC Editor (6/28/2012)[/b][hr][quote][b]GA Programmer (6/28/2012)[/b][hr]Having a unique password and/or login to every site is one of those eggheaded ideas that sounds great on paper but has no real practical application in the real world. [/quote]Absolutely disagree. Similar passwords on different sites is bad. A disclosure from one site means that all sites are compromised. How many people crack an XBOX, or Sarah's Cooking Site password list and then immediately start trying those accounts on eBay, Wells Fargo, etc.Use a very strong password on your manager, rotate it periodically, and rotate passwords on various sites over time. In 3 years, I've changed my Facebook password 5 times, for different reasons.[/quote]I'll add my disagreement. Most sites ask you for an email address and password. I wonder how many people provide the password to their email without thinking about it? Also, if you are using the same password everywhere...all it would take is using your email address along with the password in any site you might be a member of. I am a firm believer in separate passwords for different sites.-SQLBill

RE: Password Help

Steve Jones - SSC Editor — Thu, 28 Jun 2012 14:41:43 GMT

[quote][b]GSquared (6/28/2012)[/b][hr][quote][b]lwheeler (6/28/2012)[/b][hr]Use keepass with its stored database on a service such as Dropbox. That way it will be available from any pc.[/quote]So long as you can access Dropbox (or whatever online storage you use) from any pc, that works. But, of course, you need to have your Dropbox password, and KeePass password, memorized, changed frequently (or with high enough entropy to not require that), and so on.[/quote]Yep, change the DropBox password regularly.

RE: Password Help

Steve Jones - SSC Editor — Thu, 28 Jun 2012 14:41:00 GMT

[quote][b]GA Programmer (6/28/2012)[/b][hr]Having a unique password and/or login to every site is one of those eggheaded ideas that sounds great on paper but has no real practical application in the real world. [/quote]Absolutely disagree. Similar passwords on different sites is bad. A disclosure from one site means that all sites are compromised. How many people crack an XBOX, or Sarah's Cooking Site password list and then immediately start trying those accounts on eBay, Wells Fargo, etc.Use a very strong password on your manager, rotate it periodically, and rotate passwords on various sites over time. In 3 years, I've changed my Facebook password 5 times, for different reasons.

RE: Password Help

Steve Jones - SSC Editor — Thu, 28 Jun 2012 14:38:35 GMT

[quote][b]paul.knibbs (6/28/2012)[/b][hr]The one problem with using KeePass is that it's fine if you're only ever using these passwords from the machine where your password database is stored. Becomes more of an issue if you're on a different machine and can't access that anymore![/quote]I use Password Safe, synced from Win7 to OSX to iOS through Dropbox. Keeps my passwords everywhere I am.

RE: Password Help

SQLRNNR — Thu, 28 Jun 2012 12:29:51 GMT

I prefer to use qwerty12345

RE: Password Help

djackson 22568 — Thu, 28 Jun 2012 11:09:54 GMT

[quote][b]djackson 22568 (6/28/2012)[/b][hr]Steve,I have not used KeePass, but I do use Password Safe. It is a fine product, and the ability to have all my passwords in one place is helpful. I even have a version for home now!The funny thing is seeing the look on someone's face when they complain about having too many passwords to remember (usually around 5 or so!) and I tell them that I have more than 500 passwords I have to use. Whether their mouth shuts, or opens fully, I have yet to hear another sound after telling them that.It can be quite fun![/quote]Continuing in the vein seen previously...My password for Password Safe is "Ud*OekJchiahHudshjhDgydgcjhsdgnbfjhcbayksdfdndsgcykdsam c eyuy bewhbafjhyewbc uyewwiauh weoujfew 7fre1f 54ref1qwe6f6er46f51ew41c68er14f564qwer4f4erw54f156erd4f51ed56c165ds1c5ds1c5s0fv 5d1sf5fv1dsa51vc56ds1f56d1f561653fds" so it is unlikely anyone could break it.Seriously, one would have to know that I use it, and would have to know how I use it, and would have to hack into it, and would have to have access to the servers and systems I manage and use... Security works best by making others a target. An analogy is that when you and I are with a group in the woods and a bear attacks us, I don't have to be the fastest runner, just not the slowest. With security, just being a harder target can be helpful. We still have users who use the underside of their keyboard to store passwords. Dave

RE: Password Help

SQLBill — Thu, 28 Jun 2012 10:56:41 GMT

I have a different password for everything I log into. When I give other people advice about how to have strong and easy to remember passwords, this is what I suggest.First, use some numbers instead of letters. 1 for I, 0 for O, 3 for E, 4 for A, 5 for S, 6 for b, 9 for G. Don't use all of them, just pick one or two and use those in your passwords. So a person might pick 4 for A and 9 for G.Second, pick two or three characters that have a meaning to you.Third, use the above two with the site name. You can put the two or three characters anywhere.For example: my password for SQLServerCentral.com, might be (it's not):P9hSQLServerCentr4lP9h = Pgh - abbreviation for the city I'm originally from.It's easy to remember but not easy to guess; and meets all the normal requirements. 8 characters or more, one Uppercase letter, one lowercase, one number.Following those three easy steps, you can make a different password for every site you use. And there's very slim chance anyone else will come up with that. If the site's name is less than 8 characters (MSN.com), you can repeat the name. MSNP9hMSNP9h-SQLBill

RE: Password Help

kevin77 — Thu, 28 Jun 2012 10:14:47 GMT

But...getting back to the more root of the problem. What the hell was LinkedIn.com doing storing hashed passwords without a salt value!!!!!This isn't the first time Steve has brought this topic up. Here is my response from before:From the editorial "Should You Write Down Your Passwords?" [url]http://www.sqlservercentral.com/Forums/FindPost1017344.aspx[/url]

RE: Password Help

Miles Neale — Thu, 28 Jun 2012 09:43:49 GMT

Steve,Excellent. I will be forwarding the link and a quote from the editorial to many in the management of the company I work with as my second job. Folks do not realize the fix they can get themselves into often until it is too late. A few words of simple wisdom can save our friends and colleagues a lot of heartache, and loss.Thank you! Very clear and concise.M.

RE: Password Help

pdanes — Thu, 28 Jun 2012 09:40:02 GMT

[quote][b]djackson 22568 (6/28/2012)[/b][hr]I have not used KeePass, but I do use Password Safe. It is a fine product, and the ability to have all my passwords in one place is helpful. I even have a version for home now![/quote]I'd still be leery about that. What if someone gets into your password account? All eggs in one basket...

RE: Password Help

djackson 22568 — Thu, 28 Jun 2012 09:31:25 GMT

Steve,I have not used KeePass, but I do use Password Safe. It is a fine product, and the ability to have all my passwords in one place is helpful. I even have a version for home now!The funny thing is seeing the look on someone's face when they complain about having too many passwords to remember (usually around 5 or so!) and I tell them that I have more than 500 passwords I have to use. Whether their mouth shuts, or opens fully, I have yet to hear another sound after telling them that.It can be quite fun!

RE: Password Help

pdanes — Thu, 28 Jun 2012 09:28:40 GMT

I use a system of passwords, generated according to a fixed set of rules, that are easy to remember but impossible to guess. It's easy enough to think up such a system and adhere to it. I use one password from the system for all junk accounts that require me to log in, but where I have no data of any real value, like this one. For all others, I use unique passwords from the system and have never had any trouble using or remembering, and have never had an account hacked.The trick is to use stuff that means something to you, but even people who know you would not be able to guess. For instance, if you're a football freak, the name of the team, combined with the jersey number and name of the quarterback, separated by plus signs, second and next-to-last letter of the team name capitalized, first and third letter of the QB's name capitalized, e.g. cOwboYs+9+RoMo.No password guesser will ever hit something like that, nor will it be in any list of commonly used passwords, and your memory cue, which you can even safely write down is simply 'Dallas'. You adhere to the rules, which you can make as complex as you like, and the simple cue will give you the jog needed to reconstruct the password any time you need it, without actually having to remember it. It needn't be football, and isn't for me - I have very little interest in the game, but if you use something that DOES interest you, and contains such things that you remember without trying, BECAUSE it interests you, you will have an extremely safe and extremely easy to use system for creating and using secure passwords.

RE: Password Help

Kelly Schlueter — Thu, 28 Jun 2012 09:26:44 GMT

I use KeePass and encourage it's use to anyone I help out who runs into password troubles.In terms of portability, there are versions for almost every platform out there, including phones. So if you can't use a flash drive have it on your phone. Yes, it's definitely harder to transcribe it from your phone, but it's manageable.If you are concerned about one file having all you passwords, then break it in to two files one for high security and one for low security. The other option is to just make this one of your handful of really secure passwords that you simply need to remember to get in to your "machines". Machine login(s) and then your password safe login.I have two files one for work and one for home, both are relatively secure passwords. To mitigate the possibility of losing everything with one file, I have a self enforced process of syncing the password file from my computer to my flash drive every time I change my password. For work, this has bailed me out twice after changing my login password which IT requires relatively high complexity and way too frequent of changes. I didn't end up using it enough that day that I changed it and muscle memory was still on the previous password. I came in the next day and blanked. Fortunately it was easy enough to bring up KeePass on a different computer and check my password. That has helped cement my process to ensure I have it synced after a password change.

RE: Password Help

GSquared — Thu, 28 Jun 2012 08:52:34 GMT

[quote][b]lwheeler (6/28/2012)[/b][hr]Use keepass with its stored database on a service such as Dropbox. That way it will be available from any pc.[/quote]So long as you can access Dropbox (or whatever online storage you use) from any pc, that works. But, of course, you need to have your Dropbox password, and KeePass password, memorized, changed frequently (or with high enough entropy to not require that), and so on.

RE: Password Help

lwheeler — Thu, 28 Jun 2012 08:48:13 GMT

Use keepass with its stored database on a service such as Dropbox. That way it will be available from any pc.

RE: Password Help

Doctor Who 2 — Thu, 28 Jun 2012 08:27:13 GMT

Good topic, Steve, and a tough one. I just don't see a clean, easy, solution, although I do appreciate your listing those 2 password managers (I've never heard of either). Each solution I see has problems. I could put all my accounts and passwords onto my phone; but what if my phone gets stolen. I could use one of these 2 password managers; but what if the program or its database gets corrupted, my hard drive fails, etc? My wife said that paper day planners have a section for this very purpose; but what if that gets stolen? I could write everything down in a small notebook; but what if I loose that? I'll be interested to see how this conversation plays out.

RE: Password Help

GA Programmer — Thu, 28 Jun 2012 08:17:52 GMT

Not only do you need to be able to access the password manager, but if someone cracks your password manager password, they a) have a list of every online account you have and b) now have access to every one of them.Having a unique password and/or login to every site is one of those eggheaded ideas that sounds great on paper but has no real practical application in the real world. I know I easily have over 100 online accounts in one form or another - there is no way that I could possibly have 100 passwords that I could remember. I would rather they have access to a small subset of my passwords than all of them!

RE: Password Help

Gary Varga — Thu, 28 Jun 2012 06:59:21 GMT

[quote][b]William Soranno (6/28/2012)[/b][hr]I have the self contained version of KeyPass installed on my flash drive I carry with me. That way I can run the program from the flash drive no matter what computer I happen to be using.[/quote]...and therein lies the crux of the matter. The solution cannot be based on something that people are not allowed to use in all circumstances. I am often on client sites where I would be immediately escorted offsite (after a serious grilling and an inspection of the machines used, if not me physically) if I tried to install software or plug in a USB key.I thought that a federated security system would do it but no. Every site has to hand roll their own security.To keep the theme going the password that I use is "1fY0uB3l13v3Th1sTh3nY0uAr3..." ;-)

RE: Password Help

Steph Locke — Thu, 28 Jun 2012 06:57:43 GMT

We are rolling out an intranet AD-auth password store after increasing numbers of us have started using keepass and one or two other password stores in work. This will really help educate users on the practice of having stronger, more varied passwords.I have one password that I use variations of for most day to day things, but then I randomly generate passwords for sites where security is more important and these all go in keepass. My keepass has a passphrase and key to access it with the database file and the key stored in dropbox folders. I'm a bit paranoid about passwords so I often play coy about naming where the login is for so that even if someone cracked the database files (which I worry about with a program where the code is downloadable and interragatable) they still would have to work a fair bit to match the logins to the right site and all my banking sites have a further auth step which isn't ever stored on my keepass.

RE: Password Help

chrisn-585491 — Thu, 28 Jun 2012 06:49:26 GMT

I'm not surprised.I knew a couple of years ago that Linkin was going to have security issues considering their lack of response to several rounds of spam and other annoyances, I canceled my account. Like 90% of security problems, this is a management issue.

RE: Password Help

William Soranno — Thu, 28 Jun 2012 06:47:13 GMT

I have the self contained version of KeyPass installed on my flash drive I carry with me. That way I can run the program from the flash drive no matter what computer I happen to be using.

RE: Password Help

jims-723592 — Thu, 28 Jun 2012 06:30:11 GMT

Keepers are fine, if you careFor LinkedIn? My PW is password (or Passw0rd, if they are more pesky)For my Bank login? password isn't gonna go there, that's where I use a keeper90% of my passwords are Passw0rd or password, cause I just find it an annoyance, and really don't care And yes, Facebook is one of them.... All the social "junk", pretty much all that don't hit my bank account (With financial impact, view only, back to password...)I'd prefer something other than a password to authenticate, possibly a "Global Id" linked to the smart phone (And yes, there are downsides and privacy concerns, many could be worked around) If I could just link up my computer with my phone, and just surf... Let them work out one time codes that identify me. No annoying "log in to whatever", just keep going

RE: Password Help

paul.knibbs — Thu, 28 Jun 2012 06:14:48 GMT

The one problem with using KeePass is that it's fine if you're only ever using these passwords from the machine where your password database is stored. Becomes more of an issue if you're on a different machine and can't access that anymore!

RE: Password Help

call.copse — Thu, 28 Jun 2012 04:17:08 GMT

I did try using passphrases myself at some point (http://xkcd.com/936/) however unfortunately when you get to that length it typically takes 3 tries on a good day to type the things out right. Guess I'll have to stick to using 'password' everywhere - no-one will guess anything that obvious.

RE: Password Help

marlon.seton — Thu, 28 Jun 2012 01:47:54 GMT

It's so much easier to use long and intricate passwords if you can type.

Password Help

Steve Jones - SSC Editor — Wed, 27 Jun 2012 21:23:06 GMT

Comments posted to this topic are about the item [B]Password Help[/B]