combining 2 or more password lists with crunch

How can I combine two or more password lists together? For example, I have a passlist with names and a passlist with numbers, and I want to combine them by putting all the numbers in front of or after the names.

passlist1 contains many names, for example david, larry, kevin … passlist2 contains numbers 123, 347, 897672 and … Then combine these two password lists together for something like david123 david347 david897672 larry123 larry347 and … To be clear, I want to combine two or more password lists together in crunch, also with no need for scripting. Thanks in advance.
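
Editor's note with an added example (not part of the question): crunch builds candidates from character sets and patterns, and its -p option permutes the words you hand it rather than crossing two files, so this is really a combinator job. hashcat's combinator attack (-a 1 passlist1 passlist2) produces exactly the name+number output for two lists; the script below generalises the same cartesian product to any number of lists and to both orderings. The list contents are constructed here and the file names are placeholders.

```python
import itertools
from typing import Iterable, Iterator, Sequence

# Constructed stand-ins for passlist1 / passlist2 (not taken from any real wordlist).
NAMES = ["david", "larry", "kevin"]
NUMBERS = ["123", "347", "897672"]


def combine(lists: Sequence[Iterable[str]], separator: str = "") -> Iterator[str]:
    """Yield every ordered concatenation of one entry from each list (cartesian product).

    Entries are stripped and empty lines dropped, because wordlist files usually end
    with a blank line that would otherwise become a candidate of its own.
    """
    cleaned = [[w.strip() for w in lst if w.strip()] for lst in lists]
    for combo in itertools.product(*cleaned):
        yield separator.join(combo)


def combine_both_orders(a: Iterable[str], b: Iterable[str]) -> Iterator[str]:
    """name+number first, then number+name, since the question wants either placement."""
    a, b = list(a), list(b)
    seen = set()
    for candidate in itertools.chain(combine([a, b]), combine([b, a])):
        if candidate not in seen:   # "12"+"12" and "12"+"12" would otherwise appear twice
            seen.add(candidate)
            yield candidate


def write_combined(paths: Sequence[str], out_path: str) -> int:
    """Stream the product of the wordlist files at `paths` into `out_path`; return the line count.

    Output size is the product of the list sizes, so check it before running on big lists.
    """
    files = [open(p, encoding="utf-8", errors="ignore") for p in paths]
    try:
        with open(out_path, "w", encoding="utf-8") as out:
            count = 0
            for candidate in combine(files):
                out.write(candidate + "\n")
                count += 1
            return count
    finally:
        for f in files:
            f.close()


if __name__ == "__main__":
    for line in combine_both_orders(NAMES, NUMBERS):
        print(line)
```

Feed the output file to your cracker, or pipe it straight in; for two lists hashcat's own combinator mode is faster than materialising the file.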

Admin able to set new plaintext user password – security problem?

So I am working on this application that can be deployed and run by anyone on their server. Most often it is run as a web service. In our new version we removed the possibility for admins to set and view a user's new password in the account management. (The old password was never visible, as only a salted hash of it was stored.)
The new password reset process now uses a reset link emailed to the user. Our reasoning was that the password is supposed to be a secret known only to the user, so that their identity can be verified as part of the authentication process. So: the user receives an email with a reset link, sets their password, the hash is stored in the database, all good. The admin would never get a glimpse of the password itself. If an admin could see the new password (as before), the password would no longer be knowledge held by the user alone and would lose its value as a means of verifying identity. So far for the idea.

Some complaints came in that this would undermine the admin role and that it should be the admins' choice whether they want to provide a system with this strict authentication part or not. While I can partly relate to that argument, my argument is that the user cannot see how the system is configured but rather expects real authentication to be in place. Many users don't see the potential risks of someone else knowing their password. Another complaint was the strong reliance on email (which could probably be mitigated by using other means like authenticator apps).

How do you see this?
– Is this not a standard procedure for password resets?
– Should this be a configurable part like “allow admin to set new password”?
– What do you think about allowing the admin to set at least an initial password for users that has to be changed on next login, communicating this initial password out of band to the user?

Regardless of your stance on this, I would love to hear your conceptual reasoning. Appreciate your comments.

How safe is a password generated from words?

I loathe passwords with completely random letters and digits. It’s so much nicer to have a password made up of proper words. Even if the total length is much longer, it’s easier to memorize, transcribe, etc.

So I thought of this password generation scheme:

result = ""
while (result.length < 12)
    result += randomWord()
if (result.length < 16)
    result += shortRandomWord()
result += randomInteger(1000, 9999)

In this example, assume that randomWord() returns an English dictionary word of length 4 to 10, and shortRandomWord() returns one of length 4 to 5. This is sure to give you a password of length 16 to 21, made up of 2 to 5 words, plus the 4 random integers.

Is this a good password generator? How does its entropy compare to a function that generates a password of length 8 with random letters and digits?

How to check if a user’s password has appeared in a breach?

The latest advice (e.g. from NIST) recommends that users' passwords are checked against known breaches and that compromised passwords are forbidden.

What are some relatively straightforward steps that a regular web dev who is not a security expert can take to implement this? Just knowing what breaches to use and where to download them is a start. It would also be helpful to have an opinion on how far a typical site should go (e.g. it’s probably not necessary to continually monitor breaches and update your list).
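
Editor's note with an added example (not part of the question): the usual answer for a site that does not want to host breach dumps is the Pwned Passwords range API (https://api.pwnedpasswords.com/range/{first 5 hex chars of the SHA-1}), which uses k-anonymity so the server never sees the full hash. The code below shows the client side: hash, split, look the suffix up in the returned bucket, and fail open if the API is unreachable. The response body in the test is constructed, not a real API reply, and the User-Agent string is a placeholder.

```python
import hashlib
import urllib.error
import urllib.request
from typing import Callable, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Uppercase SHA-1 hex split into the 5-char prefix sent to the API and
    the 35-char suffix that stays on the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str, suffix: str) -> int:
    """A range response is one 'SUFFIX:COUNT' per line; return COUNT for our suffix, 0 if absent.
    With Add-Padding the server also includes dummy suffixes with COUNT 0, which fall through."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix: str, timeout: float = 5.0) -> str:
    """Live call to the API (not exercised offline). Add-Padding keeps the
    response size from revealing how many hashes share the prefix."""
    req = urllib.request.Request(
        HIBP_RANGE_URL + prefix,
        headers={"User-Agent": "example-signup-form", "Add-Padding": "true"},  # placeholder UA
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix), suffix)


def is_acceptable(password: str, fetch: Callable[[str], str] = fetch_range,
                  fail_open: bool = True) -> bool:
    """Policy: reject any password seen in a breach at all. If the API is down,
    fail open (accept) so an outage does not block sign-ups; log the outage in production."""
    try:
        return pwned_count(password, fetch) == 0
    except (urllib.error.URLError, OSError):
        return fail_open
```

Only the 5-character prefix leaves your server, so the check is safe to run at registration and password change; a per-login check is overkill for most sites, and re-checking existing users occasionally is a reasonable middle ground.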

Is it better to have a sentence as the password or the first letters of the sentence?

Which is the better KeePass master password to resist brute force, between these two types of password:

  • A complete sentence invented by the user, like: I like cheeseburger, tomatoes and fries ! :)

  • The first letter of each word, in lower and upper case: Ilcb,tAf!:)

Edit: My hesitation comes from the fact that the sentence is indeed longer, but it is composed of real words which could be taken from a dictionary.
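
Editor's note with an added example serving both of the last two questions (the word generator versus 8 random alphanumerics, and the sentence versus its initials); it is not part of either post. Entropy against an attacker who knows the scheme is the number of equally likely choices, so the calculator below counts choices rather than characters. The dictionary sizes are assumptions; the generator itself is the question's pseudocode with a CSPRNG.

```python
import math
import secrets

# Assumed sizes; the real figures depend on the dictionary the generator draws from.
DICT_SIZE = 20_000          # English words of length 4-10 (randomWord)
SHORT_DICT_SIZE = 3_000     # words of length 4-5 (shortRandomWord)
DIGIT_SUFFIX_RANGE = 9000   # randomInteger(1000, 9999) has 9000 outcomes
ALNUM = 62                  # a-z A-Z 0-9
PRINTABLE = 95              # printable ASCII, the alphabet of the initials string


def uniform_bits(n_choices: int, n_picks: int) -> float:
    """Entropy of n_picks independent uniform picks from n_choices alternatives."""
    return n_picks * math.log2(n_choices)


def word_scheme_bits(n_long: int, n_short: int) -> float:
    """Entropy of the word generator for one shape (n_long long words, n_short short words).
    The shape is driven by word lengths rather than chosen uniformly, so the weakest
    shape the generator can emit is the figure that matters for a worst-case attacker."""
    return (uniform_bits(DICT_SIZE, n_long)
            + uniform_bits(SHORT_DICT_SIZE, n_short)
            + math.log2(DIGIT_SUFFIX_RANGE))


def char_scheme_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a truly random string: 8 alphanumerics, or 11 printable characters."""
    return uniform_bits(alphabet_size, length)


def sentence_upper_bound_bits(n_words: int, dict_size: int = DICT_SIZE) -> float:
    """Ceiling for a user-invented sentence: n_words drawn uniformly from dict_size.
    Real sentences (grammar, common words, a known user) sit well below this, and an
    attacker who guesses the sentence derives the initials for free, so the initials
    string can never be stronger than the sentence it came from."""
    return uniform_bits(dict_size, n_words)


def generate_word_password(words: list, short_words: list) -> str:
    """The generator from the question, using the CSPRNG. `words` must hold 4-10 letter
    words and `short_words` 4-5 letter words for the length bounds to hold."""
    result = ""
    while len(result) < 12:
        result += secrets.choice(words)
    if len(result) < 16:
        result += secrets.choice(short_words)
    result += str(1000 + secrets.randbelow(DIGIT_SUFFIX_RANGE))
    return result


if __name__ == "__main__":
    print("8 alnum chars      :", round(char_scheme_bits(8, ALNUM), 1), "bits")
    print("2 long words+digits:", round(word_scheme_bits(2, 0), 1), "bits")
    print("3 long+1 short+dgts:", round(word_scheme_bits(3, 1), 1), "bits")
    print("6-word sentence cap:", round(sentence_upper_bound_bits(6), 1), "bits")
    print("11 printable chars :", round(char_scheme_bits(11, PRINTABLE), 1), "bits")
```

With these assumptions the two-word shape of the generator comes out a few bits below 8 random alphanumerics and the four-word shape well above, so the generator is only as strong as its shortest output. For the KeePass question, the initials string looks like 72 bits if it were random, but its only real source of randomness is the sentence, and a six-word invented sentence is capped at about 86 bits and in practice far less; the sentence is at least as strong and is what the attacker has to guess either way.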

RDP with self-signed cert requiring password before launching display

I’ve noticed that the search engine Shodan grabs screenshots from hosts running an RDP service, even if they offer a certificate.

To my understanding, the certificate is used to authenticate the server and encrypt the traffic sent and received (exactly as in HTTPS), and thus should be irrelevant to the protection of hosts exposing RDP to the internet. But when I try to connect to such a service using xfreerdp, I get prompted for a password before I get to where the screenshot was taken, and then the error message: freerdp_set_last_error ERRCONNECT_LOGON_FAILURE [0x00020014].

I read that Shodan does not try passwords; it just grabs screenshots from accessible targets without credentials. How is Shodan able to grab such screenshots? Or what does xfreerdp do instead of launching the RDP display?
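
Editor's note with an added example (not part of the question): the difference is Network Level Authentication. In the first X.224 exchange the client lists the security protocols it supports and the server picks one; if it picks CredSSP (the HYBRID protocol, i.e. NLA), the client must authenticate before any session, and therefore any screen, exists, which is why xfreerdp asks for credentials and then reports a logon failure. A host that only offers TLS or standard RDP security shows its login screen to anyone, which is what Shodan screenshots. The code below builds that negotiation request and parses the reply according to MS-RDPBCGR; the reply bytes in the test are constructed, and the live probe is included only for use against hosts you are allowed to test.

```python
import socket
import struct

# Protocol flags and negotiation PDU types from MS-RDPBCGR (RDP_NEG_REQ / RDP_NEG_RSP / RDP_NEG_FAILURE).
PROTOCOL_RDP, PROTOCOL_SSL, PROTOCOL_HYBRID, PROTOCOL_HYBRID_EX = 0x0, 0x1, 0x2, 0x8
TYPE_NEG_REQ, TYPE_NEG_RSP, TYPE_NEG_FAILURE = 0x01, 0x02, 0x03
FAILURE_CODES = {
    1: "SSL_REQUIRED_BY_SERVER",
    2: "SSL_NOT_ALLOWED_BY_SERVER",
    3: "SSL_CERT_NOT_ON_SERVER",
    4: "INCONSISTENT_FLAGS",
    5: "HYBRID_REQUIRED_BY_SERVER",   # NLA (CredSSP) is mandatory on this host
    6: "SSL_WITH_USER_AUTH_REQUIRED_BY_SERVER",
}


def build_connection_request(requested: int) -> bytes:
    """TPKT header + X.224 Connection Request TPDU carrying an RDP_NEG_REQ."""
    neg_req = struct.pack("<BBHI", TYPE_NEG_REQ, 0, 8, requested)   # type, flags, length, protocols
    # X.224 CR: length indicator, 0xE0 = CR code, dst-ref(2), src-ref(2), class option
    x224 = bytes([6 + len(neg_req), 0xE0, 0, 0, 0, 0, 0]) + neg_req
    return struct.pack(">BBH", 3, 0, 4 + len(x224)) + x224          # TPKT: version 3, reserved, length


def parse_connection_confirm(data: bytes) -> dict:
    """Decode the server's X.224 Connection Confirm and report what it negotiated."""
    if len(data) < 11 or data[0] != 3:
        raise ValueError("not a TPKT packet")
    if struct.unpack(">H", data[2:4])[0] != len(data):
        raise ValueError("TPKT length does not match data")
    li, code = data[4], data[5]
    if code & 0xF0 != 0xD0:
        raise ValueError("not an X.224 Connection Confirm")
    if li == 6:   # bare CC, no negotiation response: old server, standard RDP security only
        return {"kind": "legacy", "protocol": PROTOCOL_RDP, "nla": False}
    if len(data) < 19:
        raise ValueError("truncated negotiation response")
    typ, _flags, _length, value = struct.unpack("<BBHI", data[11:19])
    if typ == TYPE_NEG_RSP:
        # HYBRID / HYBRID_EX = CredSSP: authenticate first, no screen before that.
        nla = bool(value & (PROTOCOL_HYBRID | PROTOCOL_HYBRID_EX))
        return {"kind": "response", "protocol": value, "nla": nla}
    if typ == TYPE_NEG_FAILURE:
        return {"kind": "failure", "code": value,
                "reason": FAILURE_CODES.get(value, "unknown"), "nla": value == 5}
    raise ValueError(f"unexpected negotiation PDU type {typ:#x}")


def probe(host: str, port: int = 3389, requested: int = PROTOCOL_SSL | PROTOCOL_HYBRID,
          timeout: float = 5.0) -> dict:
    """Send one negotiation request to a live server and parse the reply (network; not run offline).
    Request PROTOCOL_SSL alone to learn whether the host will ever show a screen without NLA."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_connection_request(requested))
        hdr = s.recv(4)
        total = struct.unpack(">H", hdr[2:4])[0]
        body = b""
        while len(body) < total - 4:
            chunk = s.recv(total - 4 - len(body))
            if not chunk:
                break
            body += chunk
        return parse_connection_confirm(hdr + body)
```

A "response" with nla set, or a "failure" with HYBRID_REQUIRED_BY_SERVER, means no unauthenticated screenshot is possible from that host; a legacy or TLS-only reply means the login screen is reachable before credentials, which is the population Shodan's screenshots come from.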

File encryption allowing changing password

My app needs to work with encrypted user files on their devices. It should keep the data secret when someone gets hold of the device. For this, I’m thinking about the following schema (which may be wrong, and that’s why I’m asking).

  • The app generates a random key k (of a fixed predefined length), which will be used as a master key for the file encryption.
  • It defines K = k || o, with o being a string of zeros (of a fixed predefined length).
  • It generates and stores a random salt.
  • It computes h(""), i.e., it applies a key derivation function to an empty string (which is the initial password; that’s fine as the user will be prompted to change it before they store any data).
  • It stores K ^ h("") in the key file (let's assume that the lengths match).

For validating a password, the content of the key file gets xored with h(password) ^ h(""). The result must be k || o, i.e., end with (at least) as many zeros as the length of o.

In order to change the password, the old password gets validated and when the check passes, the content of the key file gets xored with h(oldPassword) ^ h(newPassword) and the key file gets overwritten by the result.

I wonder whether the xoring is sufficient. It’s quite possible the whole schema is a mess, but I couldn’t find anything appropriate.
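
Editor's note with an added example (not part of the question): the code below implements the scheme exactly as described, to show the password-change mechanics working, and then shows the property the zero check does not give you. XOR is malleable, so anyone who can edit the key file can flip bits of k while the trailing zeros still verify, and the app will go on encrypting under a key the user never had. The hardened variant alongside keeps the password-derived pad but derives a second key to authenticate the wrapping with HMAC and uses a fresh salt on every rewrap. The KDF choice, lengths and iteration count are assumptions; a real app would use an AEAD from a vetted library for the wrapping rather than this XOR-plus-HMAC construction.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

KEY_LEN = 32             # len(k), the master key
ZERO_LEN = 16            # len(o), the zero check string
SALT_LEN = 16
PBKDF2_ITERS = 100_000   # assumed; tune to your latency budget


def h(password: str, salt: bytes, dklen: int) -> bytes:
    """The question's h(): a KDF over the password, instantiated as PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS, dklen)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


# --- the scheme as described: keyfile = (k || o) ^ h(password); validate by trailing zeros ---

def naive_create(password: str = "") -> Tuple[bytes, bytes, bytes]:
    """Return (salt, keyfile, k). The initial password is "" as in the question."""
    k, salt = os.urandom(KEY_LEN), os.urandom(SALT_LEN)
    keyfile = xor(k + bytes(ZERO_LEN), h(password, salt, KEY_LEN + ZERO_LEN))
    return salt, keyfile, k


def naive_unlock(salt: bytes, keyfile: bytes, password: str) -> Optional[bytes]:
    plain = xor(keyfile, h(password, salt, KEY_LEN + ZERO_LEN))
    return plain[:KEY_LEN] if plain[KEY_LEN:] == bytes(ZERO_LEN) else None


def naive_change(salt: bytes, keyfile: bytes, old: str, new: str) -> bytes:
    """keyfile ^ h(old) ^ h(new), exactly as the question proposes (salt unchanged)."""
    if naive_unlock(salt, keyfile, old) is None:
        raise ValueError("wrong password")
    n = KEY_LEN + ZERO_LEN
    return xor(keyfile, xor(h(old, salt, n), h(new, salt, n)))


def flip_first_bit(data: bytes) -> bytes:
    """Simulates an attacker editing the file. In the naive scheme a flipped bit in the
    k-part flips the same bit of the recovered k and the zero check still passes."""
    return bytes([data[0] ^ 0x01]) + data[1:]


# --- hardened variant: pad k with a password-derived key AND authenticate the wrapping ---

def wrapped_create(password: str, k: Optional[bytes] = None) -> dict:
    """h() yields enc_key (pads k; used once, since the salt is fresh per wrap) and
    mac_key (HMAC over salt || wrapped, so any edit is rejected before k is used)."""
    k = k or os.urandom(KEY_LEN)
    salt = os.urandom(SALT_LEN)
    keys = h(password, salt, 2 * KEY_LEN)
    enc_key, mac_key = keys[:KEY_LEN], keys[KEY_LEN:]
    wrapped = xor(k, enc_key)
    tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def wrapped_unlock(blob: dict, password: str) -> Optional[bytes]:
    keys = h(password, blob["salt"], 2 * KEY_LEN)
    enc_key, mac_key = keys[:KEY_LEN], keys[KEY_LEN:]
    expected = hmac.new(mac_key, blob["salt"] + blob["wrapped"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):   # wrong password or tampered file
        return None
    return xor(blob["wrapped"], enc_key)


def wrapped_change(blob: dict, old: str, new: str) -> dict:
    """Unwrap under the old password, rewrap under the new one with a fresh salt; k is unchanged."""
    k = wrapped_unlock(blob, old)
    if k is None:
        raise ValueError("wrong password")
    return wrapped_create(new, k)
```

Two caveats apply to both variants: whoever obtains the key file can guess passwords offline against it (the zero check and the HMAC tag are equally good oracles), so the KDF cost is what buys time, and neither variant protects the data files themselves from modification; that needs authenticated encryption of the files under k as well.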