Firefox: What would be more secure/private: storing session cookies or saving password in the browser?

I am wondering, assuming the latest version of Firefox, which of the following options would be preferable security-wise (e.g. access and/or the password to the user account being stolen) and which one privacy-wise (exposing the user to the least advertisement tracking etc.):

  1. Storing session cookies (i.e. logging in and never logging out), but not saving password & username in browser built-in Password Manager.
  2. Saving password & username in built-in Password Manager (without Master Password) and setting cookies and site data to be cleared when browser is closed.

P.S.: I am aware that using a Master Password for password storage will increase the security of the stored passwords. Though I am not wondering how to improve the given options, but would like to assess them “as is”.

John the ripper – ecryptfs – sample not cracked: 0 password hashes cracked

Good morning all,

I tried to use John the Ripper on the sample: ecryptfs_sample_metadata.tar (password is ‘openwall’)

which I downloaded here: https://openwall.info/wiki/john/sample-non-hashes

The passeword is openwall.

If I try

sudo john ecryptfs_sample_metadata.tar --progress-every=10 --mask='openwal?l'

The result is:

Warning: detected hash type "mysql", but the string is also recognized as "oracle"
Use the "--format=oracle" option to force loading these as that type instead
Warning: detected hash type "mysql", but the string is also recognized as "pix-md5"
Use the "--format=pix-md5" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (mysql, MySQL pre-4.1 [32/64])
Warning: no OpenMP support for this hash type, consider --fork=4
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:00  0g/s 185.7p/s 185.7c/s 185.7C/s openwala..openwalq
Session completed

If I try show, I have the result:

0 password hashes cracked, 1 left 

I try to add

--format=oracle  

or

--format=pix-md5  

with the same result.

Does anyone have an idea why the password is not cracked?

Is logging number of special characters in password a bad idea?

Recently I started a new job, and I am going through documentation and code to understand what the company is doing. While doing that, I noticed that the number of special characters in the user’s password is logged.

Personally, I don’t think it is a good idea, as it discloses some information regarding the password, especially for users who didn’t use any special characters. On the other hand, this issue wasn’t picked up by pen testers.

I was wondering, is it me being too paranoid and this is not a real issue, or is it an issue which was overlooked during pentesting?

Unique password for WordPress [closed]

So, I’m in the midst of talking with my employer and he wants a plugin that I haven’t been able to track down, either because it doesn’t exist or because I used the wrong search terms.

What we need is a plugin that generates keys like product keys or serial numbers, that it uses for its login on the site. The keys should also have a limited activation lifespan as we’re selling them for an online escape game.

Is it feasible or are we on a wild goose chase here?

JohnTheRipper Error: No password hashes loaded (see FAQ)

I’m new to CTF challenges and came across a challenge where I’m required to crack the ZIP file using johntheripper with the rockyou.txt wordlist.

So for that, I tried both installing it using sudo apt-get install john

and also using the GitHub repo of it and compiling it. But in both cases, I’m getting the same error:

Using default input encoding: UTF-8

No password hashes loaded (see FAQ)

I’m using Ubuntu on my Windows 10 machine using Windows Subsystem for Linux.

So please help me out with the steps I need to follow to rectify the issue.

Recover AES256 zip password by known result

I have a zip file containing an unencrypted folder with encrypted files inside.

Given that for some files I have their originals, is it possible to recover the password used for encryption?

As of now there seems to be an issue in JohnTheRipper that prevents it from correctly calculating the hash for such a file, and I know of no other tool to aid in password recovery.

Insufficient security vulnerability on password reset via email

We have a system where, if you forgot your password and want to reset it, you go to the forgot password page and enter your email address. A temporary link will be sent to your email to reset your password.

Now, when we subjected our app to penetration testing, an issue was found:

“Application is giving clues of possible valid email addresses when attempting to reset password. This functionality can be abused by simply guessing possible email address and being able to find valid ones through the error messages.”

Well, there’s only one field and of course it’s obvious that if a reset password attempt fails, it’s due to an invalid email. Seems this penetration test is wrong. Are there any solutions to fix this issue besides adding an additional field (besides email) for password reset?

Is it safe to encrypt a user’s third party API key with their own password?

I’m running a node application which needs to make calls to a third party API, on behalf of my user, using their own API keys.

API calls only need to be made on behalf of the user while they are logged into my site.

Currently I use bcrypt to hash and compare their password:

bcrypt.hash(req.body.password, 12, function (err, hash) { ... });
bcrypt.compare(req.body.password, users[req.body.username]['password'], function (err, result) { ... });

I thought that when a user adds their API key to the website I could require their password again, and after validating the password, I could use the encryption method Here to encrypt it (with their plaintext password as the key).

When a user logs in, I could validate their password, decrypt their API key using the method from the link above (and their password), and store the API key in plain text using express-sessions, ready for making calls on user request.

With this method, if the user loses the password they will have to reset their API keys. I’m happy to accept that trade-off.

Is this approach safe or is there something I’m overlooking?

I have password reset link with a long string of characters. What do those characters mean? [closed]

I have a password reset link with login/reset_password?h=f7f7935cf3f63b3c01fc6987fb80f05c. What do these 32 characters in h mean?

I am testing a password reset functionality and found out that there is a URL parameter h with 32 characters in the password reset link. What is the purpose of these 32 characters?