How to pass password to a password input?

For example, I need to connect with rpcclient to a host which has the password "admin". Basically I want to connect to the server with a single line, e.g.:

echo 'admin' | rpcclient -U '' x.x.x.x 

when I do above, I get:

root@kali:/home# echo 'admin' | rpcclient -U '' x.x.x.x
Enter WORKGROUP\'s password:
root@kali:/home#

Notice, there is no rpcclient connection established, but if I do this manually It works just fine, see below:

root@kali:/home# rpcclient -U '' x.x.x.x
Enter WORKGROUP\'s password:
rpcclient $>
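Samba's client tools prompt on the controlling terminal (/dev/tty), not on standard input, which is why the piped echo is ignored while the interactive run works. The documented non-interactive options are the `-U 'user%password'` form of the user argument (with an empty username, `-U '%admin'`) and the PASSWD environment variable. The Python example below is added here and is not part of the original post or of Samba: it reproduces the behaviour with a stand-in child (getpass, which also opens /dev/tty) and shows the expect-style fallback of driving the prompt through a pseudo-terminal, for tools that offer no password option at all. The prompt text and the "GOT:" marker are the example's own.

```python
import os
import pty
import select
import time


def tty_prompt_child() -> None:
    """Stand-in for rpcclient's password prompt. getpass() opens /dev/tty
    directly, so anything piped into stdin is ignored, just as rpcclient
    ignores the echo above. Output marker "GOT:" is the example's own."""
    import getpass
    got = getpass.getpass("Enter password: ")
    os.write(1, ("GOT:" + got + "\n").encode())
    os._exit(0)


def answer_tty_prompt(password: str, timeout: float = 5.0) -> str:
    """Run the child on a fresh pseudo-terminal, wait for its prompt, type the
    password into the terminal, and return what the child actually received."""
    pid, master = pty.fork()          # child: stdin/stdout/stderr and /dev/tty are the pty
    if pid == 0:
        try:
            tty_prompt_child()
        finally:
            os._exit(1)               # never fall through into the parent's code
    deadline = time.monotonic() + timeout
    seen = b""
    # Type only after the prompt is up: by then getpass has switched echo off
    # and is blocked reading a line from the terminal.
    while b"password:" not in seen and time.monotonic() < deadline:
        ready, _, _ = select.select([master], [], [], 0.1)
        if not ready:
            continue
        try:
            seen += os.read(master, 1024)
        except OSError:
            break
    os.write(master, password.encode() + b"\n")
    while time.monotonic() < deadline:
        ready, _, _ = select.select([master], [], [], 0.1)
        if not ready:
            continue
        try:
            chunk = os.read(master, 1024)
        except OSError:               # EIO: child exited and closed the slave side
            break
        if not chunk:
            break
        seen += chunk
        if b"GOT:" in seen and b"\n" in seen.split(b"GOT:", 1)[1]:
            break
    os.close(master)
    os.waitpid(pid, 0)
    if b"GOT:" not in seen:
        return ""
    # The tty line discipline turns the child's "\n" into "\r\n"; strip both.
    return seen.split(b"GOT:", 1)[1].decode(errors="replace").strip()


if __name__ == "__main__":
    print("child received:", answer_tty_prompt("admin"))   # child received: admin
```

Running the same child with `subprocess` and `stdin=PIPE` on a real terminal shows the failure mode from the question: the child still prompts on the terminal and never looks at the pipe. Prefer the `-U 'user%password'` or PASSWD route where it exists; a pseudo-terminal is only for tools that offer neither.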

Ubuntu 18.04 | Reset password asking me to Retype new password twice. libpam-pwquality

I recently tried to implement a password policy (at least one digit, one upper-case letter, one lower-case letter and one special character) using the libpam-pwquality module. After that, the system asks me to retype the password twice whenever I try to reset the password. I am not sure if I modified the configuration file correctly. Did I make any mistake in the configuration file "common-password"? Someone, please help me out.

Logged in as user:

$ passwd
Changing password for testuser.
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
Retype new password:
passwd: password updated successfully

$ passwd testuser
Enter new UNIX password:
Retype new UNIX password:
Retype new password:
passwd: password updated successfully

my common-password file:

#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords.  The default is pam_unix.

# Explanation of pam_unix options:
#
# The "sha512" option enables salted SHA512 passwords.  Without this option,
# the default is Unix crypt.  Prior releases used the option "md5".
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# See the pam_unix manpage for other options.

# As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
# To take advantage of this, it is recommended that you configure any
# local modules either before or after the default block, and use
# pam-auth-update to manage selection of other modules.  See
# pam-auth-update(8) for details.

# here are the per-package modules (the "Primary" block)
password        requisite                       pam_pwquality.so retry=3 ocredit=-1 dcredit=-1 ucredit=-1 minlen=8
password        [success=1 default=ignore]      pam_unix.so obscure sha512
# here's the fallback if no module succeeds
password        requisite                       pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
password        required                        pam_permit.so
# and here are more per-package modules (the "Additional" block)
password        optional        pam_gnome_keyring.so
# end of pam-auto-update config
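The detail to check in a hand-edited stack like the one above is the pam_unix line. When pam-auth-update builds this file with libpam-pwquality installed, pam_unix is no longer the first password module and its profile gives it `use_authtok try_first_pass`: `use_authtok` tells pam_unix to set the new password to the one the previous module already collected and confirmed, and `try_first_pass` lets it fall back to prompting only if no such password exists. Without `use_authtok`, pam_unix conducts its own prompt-and-retype round after pam_pwquality's, which is one more round than the default stack produces. The Python lint below is added here and is not part of the original post or of PAM: it parses the posted password stack (a constructed copy of the active lines) and emits the pam_unix line with the missing options, in the argument order pam-auth-update itself uses.

```python
import re

# The active lines of the poster's /etc/pam.d/common-password (constructed copy,
# comments dropped).
POSTED_STACK = """\
password        requisite                       pam_pwquality.so retry=3 ocredit=-1 dcredit=-1 ucredit=-1 minlen=8
password        [success=1 default=ignore]      pam_unix.so obscure sha512
password        requisite                       pam_deny.so
password        required                        pam_permit.so
password        optional        pam_gnome_keyring.so
"""

# type, control (either a bracketed list such as [success=1 default=ignore] or a
# single word), module path, remaining module arguments
LINE_RE = re.compile(r"^(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def parse_password_stack(text: str):
    """Return [(control, module, args)] for the 'password' lines of a PAM file.
    A bracketed control field contains spaces and must be matched as one token."""
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m or m.group(1) != "password":
            continue
        control, module, rest = m.group(2), m.group(3), m.group(4)
        stack.append((control, module, rest.split()))
    return stack


def missing_use_authtok(stack):
    """Flag a pam_unix.so password line that follows another module but lacks
    use_authtok: without it pam_unix asks for, and re-confirms, the new password
    itself instead of taking the one pam_pwquality already collected.
    Returns the corrected lines, with the options where pam-auth-update puts them."""
    fixes = []
    for idx, (control, module, args) in enumerate(stack):
        if module != "pam_unix.so" or idx == 0 or "use_authtok" in args:
            continue
        new_args = [a for a in args if a not in ("use_authtok", "try_first_pass")]
        pos = new_args.index("obscure") + 1 if "obscure" in new_args else 0
        new_args[pos:pos] = ["use_authtok", "try_first_pass"]
        fixes.append(f"password\t{control}\t{module} {' '.join(new_args)}")
    return fixes


if __name__ == "__main__":
    for line in missing_use_authtok(parse_password_stack(POSTED_STACK)):
        print("replace the pam_unix line with:", line)
```

Rather than editing common-password by hand, the supported route on Ubuntu is to put the pwquality options in /etc/security/pwquality.conf and let `pam-auth-update` write the stack, which produces the `use_authtok try_first_pass` line on its own.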

Password checking implementation: delay on unsuccessful attempts [duplicate]

This question already has an answer here:

  • Should I implement incorrect password delay in a website or a webservice?

What would be wrong with the username/password checker where the response is instantaneous for valid attempts but a pre-built time delay (say 1 sec) is used for unsuccessful ones? It would not slow down legitimate users, but would obviate the need for key derivation functions, and thwart the timing attacks. Can someone critique please?
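As an added example that is not part of the question or of any answer: the code below implements the proposed delay-on-failure checker and then runs the attack the delay cannot touch, offline guessing against a leaked hash, once with a plain salted SHA-256 and once with a memory-hard KDF (scrypt). The wordlist, salt and victim password are constructed for the example, and the scrypt parameters are kept small so it runs in about a second.

```python
import hashlib
import hmac
import time

# Constructed sample data: a short leaked wordlist and a victim password that is in it.
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon", "baseball",
            "iloveyou", "monkey", "hunter2", "shadow", "sunshine", "master"]
VICTIM_PASSWORD = "hunter2"
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed; use os.urandom(16) for real


def fast_hash(password: str, salt: bytes) -> bytes:
    """Plain salted SHA-256: what the question proposes to get away with."""
    return hashlib.sha256(salt + password.encode()).digest()


def kdf_hash(password: str, salt: bytes) -> bytes:
    """A memory-hard KDF (scrypt); n=2**14 is small so the example stays quick."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2 ** 14, r=8, p=1, dklen=32)


def online_check(stored: bytes, salt: bytes, attempt: str, hasher, delay: float = 1.0) -> bool:
    """The checker from the question: instant on success, fixed delay on failure.
    compare_digest keeps the comparison itself constant-time; the sleep alone would
    not, because an early-exit '==' can leak a byte before the sleep runs."""
    if hmac.compare_digest(hasher(attempt, salt), stored):
        return True
    time.sleep(delay)
    return False


def offline_crack(stored: bytes, salt: bytes, hasher, wordlist):
    """What an attacker holding a leaked hash does: the server's sleep never runs,
    so the guess rate is bounded only by the hash function's own cost.
    Returns (password or None, guesses made, seconds spent)."""
    start = time.perf_counter()
    for guesses, candidate in enumerate(wordlist, 1):
        if hmac.compare_digest(hasher(candidate, salt), stored):
            return candidate, guesses, time.perf_counter() - start
    return None, len(wordlist), time.perf_counter() - start


if __name__ == "__main__":
    for name, hasher in (("sha256", fast_hash), ("scrypt", kdf_hash)):
        stored = hasher(VICTIM_PASSWORD, SALT)
        found, guesses, secs = offline_crack(stored, SALT, hasher, WORDLIST)
        print(f"{name}: recovered {found!r} after {guesses} guesses in {secs:.3f}s; "
              f"the online checker would have slept {guesses - 1}s, but it was never called")
```

The sleep lives in the server's code path; an attacker with the database runs their own, so per-guess cost then comes only from the hash function, which is exactly what a KDF exists to set. The delay does slow purely online guessing, but only if it is enforced per account or source rather than per request, since a fixed one-second sleep does nothing against thousands of concurrent requests.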

How difficult to bruteforce KeePass KDBX4 master password?

How difficult is it to crack a KeePass file which uses the KDBX4 file format if someone only obtains the file without knowing any hint of the master password?

Assume the password length is 20 characters or more and it uses lower-case letters, upper-case letters, numbers and non-alphanumeric characters from a QWERTY keyboard.

P.S. I know there's a similar question at How difficult to crack keepass master password?, but it was created before KDBX4 was released.
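KDBX4 replaced AES-KDF with Argon2 (Argon2d in KDBX 4.0, with Argon2id added in 4.1), so per-guess cost is set by the memory and iteration parameters stored in the file header, and an attacker can run only as many guesses in parallel as their memory allows. The Python example below is added here and is not part of the question or of KeePass: it sizes the keyspace the question describes (94 printable QWERTY characters, 20 positions), converts it to expected cracking time at a given guess rate, and shows how a memory-hard KDF bounds that rate. The 64 MiB per instance, 0.5 s per guess and 80 GiB of device memory used in the demo are assumptions for illustration, not measurements; read your own file's KDF settings in KeePass to get the real ones.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet the question describes: lower, upper, digits and the punctuation on a
# US QWERTY keyboard (string.punctuation has 32 symbols): 94 characters in total.
QWERTY_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def keyspace_size(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly this length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_years(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Average time to hit a uniformly random password: half the keyspace."""
    return keyspace_size(length, alphabet_size) / 2 / guesses_per_second / SECONDS_PER_YEAR


def memory_bound_rate(kdf_memory_mib: float, device_memory_mib: float, seconds_per_guess: float) -> float:
    """Upper bound on guesses/s for a memory-hard KDF on one device: only
    device_memory / kdf_memory instances fit at once, each taking seconds_per_guess."""
    concurrent = int(device_memory_mib // kdf_memory_mib)
    return concurrent / seconds_per_guess


if __name__ == "__main__":
    n = len(QWERTY_ALPHABET)
    # Assumed for the demo, not measured: 64 MiB per Argon2 instance, 0.5 s per
    # guess, an accelerator with 80 GiB of memory.
    rate = memory_bound_rate(64, 80 * 1024, 0.5)
    print(f"alphabet={n}, 20 chars: {entropy_bits(20, n):.1f} bits, "
          f"{keyspace_size(20, n):.2e} candidates")
    print(f"memory-bound rate under the assumed parameters: {rate:.0f} guesses/s")
    for r in (rate, 1e9, 1e15):   # the last two are hypothetical rates for scale
        print(f"  at {r:.0e} guesses/s: {expected_years(20, n, r):.2e} years on average")
    # For contrast, a short lowercase-only master password at the same rate:
    print(f"8 lowercase chars at {rate:.0f}/s: {expected_years(8, 26, rate):.2f} years")
```

The keyspace term dominates: a random 20-character password over 94 symbols is about 131 bits, and even a fantasy rate of 10^15 guesses per second leaves the expected time far beyond any useful horizon. Where the KDF parameters matter is for the master passwords people actually choose; the 8-character lowercase line in the demo is the case Argon2's memory cost is buying time for.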

Is it a good idea to store TOTP tokens in a (synchronised) password safe?

Bitwarden (as an example) allows you to store your TOTP tokens in it. That is: you can use the mobile app to scan the QR code that (e.g.) Amazon AWS gives you, and then it’ll generate TOTP codes.

So far, so exactly the same as Google Authenticator and similar.

Bitwarden synchronises your “vault” (to their servers by default; you can install your own server), including the TOTP … stuff. This means that your credentials (including TOTP codes) are available on all of your associated devices.

Is that a good thing, from a security point of view? It’s definitely convenient — I just got a new phone, and resetting all of my MFA tokens is … not a pleasant use of my time.
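What a vault stores for a TOTP entry is the seed from the enrollment QR code, and every code is a deterministic function of that seed and the clock. The Python example below is added here and is not part of the question, of Bitwarden or of any provider: it parses a constructed otpauth:// URI of the kind a QR code carries, derives the codes per RFC 6238, and verifies one server-side. The seed is the RFC 6238 test key, so the derived codes can be checked against the RFC's own vectors; the account name and issuer in the URI are made up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlsplit

# Constructed sample: the otpauth URI an enrollment QR code carries. The secret is
# the RFC 6238 test key "12345678901234567890" in base32; the label is invented.
SAMPLE_OTPAUTH = ("otpauth://totp/AWS:alice%40example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=AWS&digits=6&period=30")


def secret_from_otpauth(uri: str) -> bytes:
    """Extract the raw seed from an otpauth:// URI. This seed is what the vault holds;
    whoever can read the vault can produce every future code."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    secret = parse_qs(parts.query)["secret"][0].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)   # QR codes usually omit base32 padding
    return base64.b32decode(secret)


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: dynamic truncation of HMAC(secret, counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, period: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP over the number of elapsed time steps."""
    return hotp(secret, int(at_time) // period, digits, digestmod)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1, period: int = 30) -> bool:
    """Server-side check tolerating +/- window steps of clock skew; each candidate
    is compared with compare_digest so the comparison does not leak by timing."""
    step = int(at_time) // period
    return any(hmac.compare_digest(hotp(secret, step + d), code)
               for d in range(-window, window + 1))


if __name__ == "__main__":
    seed = secret_from_otpauth(SAMPLE_OTPAUTH)
    print("seed held by the vault:", seed.hex())
    print("code every synced device shows right now:", totp(seed, time.time()))
    print("RFC 6238 vector at T=59 (8 digits):", totp(seed, 59, digits=8))   # 94287082
```

The consequence for the question is that a synchronised vault turns "something you have" into "something stored next to the password": an attacker who obtains the unlocked vault has both factors for every entry that keeps its seed there. That is still a real improvement over no second factor, and the vault's own encryption and unlock factor protect the seeds at rest; the trade is that one compromise now covers both, which argues for keeping the vault's own login on a separate, hardware-backed second factor.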

Should a browser make its own password manager?

I’m trying to figure out if products such as Firefox’s Lockwise are a superb idea or a terrible one.

On the one hand, installing a third-party addon to your browser comes with inherent risks, so cutting out the middle man and using a password manager made by the browser manufacturer could be seen as having less risk.

On the other hand, keeping passwords in the browser has historically been seen as very insecure (at least back when nobody encrypted them), and using a tried-and-true password manager that has had bug bounties on it for years and held up to a lot of pentesting could be advantageous, and browser manufacturers might not be specialized in the type of security necessary for password management (in-browser products might be seen as roll-your-own solutions).

Are there any risks I’m missing? What might (or ‘does’ if you would like to speak to this specific case) mitigate the risks?