passwords questions - English 1answer

2.912 passwords questions.

I don't know why we authenticate by prompting the user to enter both username and password. In my mental model, prompting for the password only suffices. The reason is as follows: Assume there are x ...

This is a really basic question, but I'm a newbie in security. What I'm wondering is: How do I share a password for an encrypted document in a FIPS 140-2 compliant manner? That is, say I have a PDF, ...

For the purposes of security, is there any difference in having a 50 character randomly-generated secret username accompanied by a 50 character randomly-generated secret password, versus a 100 ...

At a company I worked at, I had to change my password every 90 days and I could only reuse a password after 8 iterations. This no-reusal included passwords being too similar to the old one, e.g. when ...

I found a site which is taking password letters from their users, not the whole password. Is this secure? Or do they have the password saved as a salted hash (MD5)?

Regarding the PHP function password_verify(), how is the "unhashed" random salt derived from the output of password_hash(), given that hashing functions are deterministic? It seems to me that, if the ...

Upon setting up app-passwords, Google sends a mail: This app password will allow you to access your Google account from a device or application that can only be configured with a username and ...

I need to generate a list of passwords to try penetrating into a wi-fi network. I have a pretty big list of keywords and I want to use them to generate as many possible passwords as possible, which ...

How to store salt?

6 answers, 109.899 views. Tags: passwords, hash, salt
Nowadays, if we expect to store user passwords securely, we need to at least do the following thing: $pwd=hash(hash($password) + salt) then store $pwd in your system instead of the real password. I have ...

The file key3.db contains the key that is used to encrypt the Firefox passwords stored in the logins.json file. I don't use a master password in Firefox, but according to this article, my passwords are ...

Is there an obvious flaw with this hashing function (written in PHP)? function hash($password) { sleep(1); // Make hashing slow $hash = ""; $iterations = strlen($password); for ( $i = 0; $i &...

I just tried to reset my password on radioooooo.com. I didn't really pay attention to Firefox's warnings because I'm used to seeing them on our intranet at work, but I think that when clicking the "OK" ...

I have a specific problem. Is there any possibility of finding out a Wi-Fi password with a dictionary attack without connecting to the Wi-Fi? I need it for my bachelor thesis, where I am using ...

I always hear "A long password is good, a longer password is better". But is there such a thing as a "Password is so long it is becoming unsafe" or "Password is long enough, making it longer won't ...

Recently I logged into my Facebook account and then noticed that my caps lock was on. So I tried to log in again with and without caps lock on. I got in both times. Then I tried to log in with the ...

So, I wanted to make a login system with PHP, and basically what it would do would be to have a file for usernames and a file for passwords so when a user tries to log in, it just gets information ...

So, I was thinking about workarounds for saving passwords in text files (just because I'm curious), and I thought, what if I saved my file somewhere that is non-accessible? My server has a public_html ...

I found this presentation on how Facebook stores customer passwords and how they do authentication. This slide shows how they hash passwords: Is it a good idea to do such operations with a raw password?...

OWASP recommends this practice and so do some other companies. I think it makes sense at first glance but if you think about it, it actually limits entropy instead of increasing it. How many ...

For example, OWASP considers 10-128 characters, with lower, upper, digit, and special characters (I don't get why there's an upper limit). Using the OWASP's minimum guidelines and assuming there are ...

I have almost finished developing my login system and there is one more thing that I'm not sure about. I found so many debates on the internet about counting invalid logins and locking user accounts. ...

For the record, this was purely for learning purposes, I've been told don't even use this for a personal website that I don't expect anyone to visit, so this post is unfortunately the last I'll see of ...

My connection.php file stores the credentials to connect to the database: <?php $objConnect = mysql_connect("localhost","username","password"); mysql_select_db("selectDB", $objConnect); ?...

If I am an attacker and I just exfiltrated the web-based user database via SQL injection (including the per-user salt) and I want to target ONE password of interest, what are the steps given: I ...

I'm a rookie when it comes to Information Security so I've been reading a lot of the top questions on this stackexchange for the sake of learning. I came across this question that discusses hashing. ...

User registers account on a web app. Passwords are salted and hashed. But is it safe to check the password against the HIBP Pwned Passwords API, before salting and hashing it? Of course the app uses ...

My understanding of Have I Been Pwned is that it checks your password to see if someone else in the world has used it. This really doesn't seem that useful to me. It seems equivalent to asking if ...

Background: I am designing a multi-player game with a single server that handles multiple worlds. Each player logs into the server initially before requesting which world to join. The server has a ...

I have a single account for a very popular website. I noticed that certain variations of my set password will successfully log me in. I have tested the variations on 3 separate browsers and all have ...

Let's assume the following workflow for logging in: a) On a device with a keyboard: I type my username and password, press enter, [realization] I made a typo. Password field is cleared: not a big deal, I can ...

I have seen examples of password hashing that were: H(username + salt + password). What is the purpose of adding username? Is there any purpose?

In recent years there have been a number of spectacularly huge hacks. As examples: The 2013-14 hack of Yahoo involving 3 billion accounts The 2016 hack of Adult Friend Finder involving 400+ million ...

Recently my account in a social network has been attacked. The attacker managed to break the password, but thanks to the 2-factor auth, that wasn't enough to access the account. I have received a ...

I've been trying to answer the following question but can't seem to find a clear answer... When a user resets their password after forgetting it, should they be allowed to change it to the password ...

There are two sides of password complexity, the administrator's side and the users' side. They are effectively disjointed requirements. Good complexity and policies of passwords are discussed often. ...

I am trying to learn how john works. I made a password-protected rar archive, and wrote that password inside a file named pass.txt. I used rar2john to build the hash: # more test.hash test.rar:$...

I've been trying to look for the answer, but the latest one I found was outdated by three years. So what are the recommended scrypt cost factors for 2016?

I have a Windows application that does not use a database and is not on the Internet. It contains very important data (data loaded from encrypted files). The user needs a password to enter this ...

I'm careful to use strong passwords (according to How Big is Your Haystack, my passwords would take a massive cracking array 1.5 million centuries to crack), I don't reuse passwords across sites, and ...

For a lot of web services offering two factor authentication, after setting up the system, you are given a short list of backup codes (one-time pads) that are around 7-10 characters long. These are ...

I have a simple API which I want to limit users using a key. For each request, the users will need to post the key and the other parameters. For example in R: res <- httr::POST( "api-url", ...

It's still a commonly recommended way of hashing passwords, even if its insecurity had been proven in 1996: Therefore we suggest that in the future MD5 should no longer be implemented in applications ...

Concept: The goal of a password manager is to reduce the number of passwords which one must memorize down to one, and then have all other passwords be encrypted under that master password. My solution ...

I am working on an app that has a login page with a field for username and password; if the password is entered correctly it then asks for the user's PIN (4-digit code). My question: does having a PIN ...

See this question/answer first: When calling a process from another process, Is sending stdin password more secure than sending an ENV variable? I am a Java developer that is building an app where ...

My Yahoo account shows no suspicious activity, only log-ins from my desktop and 2 of my devices. But a friend was spammed twice within a short time today from my email address. I use Yahoo's Account ...

IT workers are usually trusted by their family members, who readily share passwords (Facebook, email, Twitter, you name it!) so they can get easy help to set whatever parameter they don't find or ...

Keeping things vague - I work at a company that handles compliance issues for our clients. Very often, this means we need to log onto their various accounts for various entities. We store their ...

Referring to Why do I need a strong password for my home computer and How often should I change my Mac password, am I to safely assume that: Local passwords are, in fact, only for protecting against ...

So I am trying to find out how easy it is to crack a password using some great Linux tools. We all know about John as a password cracker and how great it is. But how about specifying a pattern. Let'...
