I have an encrypted "*.pbl" file (100 KB) that contains my forgotten password. My password is very easy: numbers and lower-case letters, length 6. Once I find the hashed password I’ll quickly recover my password.
Of course the hash of a file can be found, but it is still not the hash of a password. How do I find the hashed password?
One thing I could possibly do is to create another account with another password; this way I can generate a new encrypted file with exactly the same format and I might be able to find the position of my password.
PS: I did check related posts, but obviously I don’t need to do things like SQL injection because the file has always been on my local machine.
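The recovery the poster has in mind, once a hash is in hand, is an exhaustive search over the stated keyspace. The following is an added example (not from the post, and it does not parse the unknown "*.pbl" format); it assumes the recovered value is an unsalted SHA-256 hex digest, which is an assumption made only to have something concrete to search against. The `keyspace_size` and `seconds_to_exhaust` helpers show why a 6-character digits-plus-lower-case password is feasible to search and what a slow KDF would do to that estimate.

```python
import hashlib
import itertools
import string

# Keyspace assumed from the post: digits and lower-case letters, exactly 6 characters.
CHARSET = string.digits + string.ascii_lowercase
LENGTH = 6


def keyspace_size(length=LENGTH, charset=CHARSET):
    """Number of candidates an exhaustive search must try in the worst case."""
    return len(charset) ** length


def sha256_hex(candidate: bytes) -> str:
    """Assumed hash of the stored password: plain, unsalted SHA-256 as hex."""
    return hashlib.sha256(candidate).hexdigest()


def crack(target_hex, length=LENGTH, charset=CHARSET, hash_fn=sha256_hex):
    """Try every candidate of the given length in order; return the match or None.

    hash_fn must map candidate bytes to the same hex encoding as target_hex,
    so a different (e.g. salted or iterated) scheme only needs a different hash_fn.
    """
    target = target_hex.lower()
    for combo in itertools.product(charset, repeat=length):
        candidate = "".join(combo).encode()
        if hash_fn(candidate) == target:
            return candidate.decode()
    return None


def seconds_to_exhaust(rate_per_second, length=LENGTH, charset=CHARSET):
    """Worst-case wall-clock time for the full keyspace at a given hash rate."""
    return keyspace_size(length, charset) / rate_per_second


if __name__ == "__main__":
    # Constructed demo on a shorter length so it finishes in well under a second.
    demo_hash = sha256_hex(b"x9q")
    print("recovered:", crack(demo_hash, length=3))
    print("full keyspace:", keyspace_size())
    # At roughly 1e9 SHA-256/s on a GPU the 6-char space falls in seconds; at 1e4/s
    # (a deliberately slow KDF such as PBKDF2/scrypt) it takes days.
    print("seconds at 1e9/s:", seconds_to_exhaust(1e9))
    print("seconds at 1e4/s:", seconds_to_exhaust(1e4))
```

The search itself is deliberately generic: if the stored value turns out to be salted or produced by an iterated KDF, only `hash_fn` changes, while the `seconds_to_exhaust` estimate shows how much a slow KDF inflates the cost of exactly this attack.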
What is a reliable site or resource that lists the password managers that have been thoroughly tested by users and are the most reliable?
- From the point of view of security: that they do not have access to your data, that it is impossible to hack their data, etc.
- From the point of view of reliability (say the software crashes with all of your passwords: what would you do if you had entrusted it with all of your passwords? Or say their servers are blocked in your country, or their country blocks them).
- From the point of view of usability. Say you need specific features, such as an Android app with local storage and the possibility to create offline password archives, or you want it to generate passwords in certain patterns, or to have both auto-generated passwords and passwords you input yourself.
In general I do not like the idea of entrusting all of my passwords to some software which is just software and may crash or cease existing anytime. It seems even more reliable to store all of the passwords in just a notebook or a text file with several copies.
Last year, due to a complicated tax scenario (for my skills), I used an online tax website recommended by a friend to do my taxes. They were efficient in their job and I wanted to use their services again this year to save time. I had forgotten my password, so I tried to reset it. Turns out, they stored my password in plain text. Apparently that was to enable their staff to update any information that I provided in case it was incorrect.
I am worried about the financial data that I have already provided to them. I think as a user I have to consider it compromised. But I am a bit of an optimist, so I am wondering if I can do anything to protect my data.
They don’t seem to be GDPR compliant, so I don’t think they will simply delete my data, but I am definitely going to request it.
For symmetric key generation we need to provide a password. What is the threat of using a universal password input for symmetric key generation in hybrid crypto systems, and how should this be handled if following best practices?
Can’t we design an OS in such a way that it doesn’t allow anyone (not even root) to read the password file? Then there would be no need for encrypting the passwords. Why can’t we hard-code a computer to hide its password file?
I was reading The Cuckoo’s Egg by Clifford Stoll. On page 32, I didn’t understand why encrypting passwords is necessary: why can’t we program the computer so that it ‘hides’ the password file from all users?
Here is the excerpt:
When your computer has fifty or a hundred users, you might just store each person’s password in a file. When the user tries to log on, ask for her password and compare that to what’s in your file. In a friendly environment, no problem. But how do you keep someone from sneaking a peek at that password file? Well, protect the password file so that only the system can read it. Even if you protect the password file, every now and then all the files will be copied onto backup tapes. Even a novice programmer could read those tapes on another computer and list the contents of the password file. File protection alone isn’t enough. In 1975, Bob Morris and Fred Grampp of Bell Laboratories developed a way to protect passwords, even when files weren’t secure. They would rely on encryption, rather than file protection.
I am about to sign up for an online school, which is an accredited statewide online school, and notice that the password they want me to enter is fully visible on the form. Should I be concerned about their information security? Does a form like this indicate that the way the school protects students’ data is not secure, such as storing passwords verbatim rather than something like a one-way hash?
If such forms violate established data security practices, what document(s) should I refer the school’s IT people to regarding that?
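Both the Stoll excerpt above (a password file that leaks via backup tapes) and the question about "storing passwords verbatim rather than a one-way hash" come down to what a server actually keeps on disk. The following is an added example, not code from either post: it stores a salted, iterated hash (PBKDF2-HMAC-SHA256 from the Python standard library) and verifies a login against it, so a copy of the stored record is not enough to log in or to learn the password. The record format, the iteration count and the sample password are assumptions chosen for the example.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed parameters for the example: a per-user 16-byte random salt and a
# deliberately slow iteration count so offline guessing is expensive.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_LEN = 32


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text.encode("ascii"))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.

    The plaintext password is never stored; the salt makes identical passwords
    produce different records, so a leaked file cannot be attacked with one
    precomputed table for every user.
    """
    salt = salt if salt is not None else secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, _b64(salt), _b64(digest))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare.

    Parameters are read from the record so older records with fewer iterations
    still verify while new records pick up the current ITERATIONS value.
    """
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), _unb64(salt_b64), int(iterations), KEY_LEN
    )
    # Constant-time comparison: no timing difference between near and far misses.
    return hmac.compare_digest(candidate, _unb64(digest_b64))


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong", record))                          # False
```

What this buys relative to "just hide the file": a staff member or a backup tape can expose `record`, and a support desk can still reset the password, but nobody can read it back, which is the property the tax site in the earlier post lacked. A visible password field on a signup form says nothing about this either way; only the stored format does.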
I’m currently building a website where you have an account and can do "dangerous" things with it. I want to password-protect these things, so the user has to type their password if they want to continue. I couldn’t find any resources on this, so I came up with this idea.
My method works this way:
- User navigates to dangerous action
- The server redirects the user to the password prompt website
- The user types the password
- The server checks if the typed in password matches the currently logged in user
- If the check was successful, the server redirects the user to the action with a uniquely created token associated to the user as a GET parameter
- The dangerous action checks if the token matches the user
- If match, the server will continue as normal
My question: Is this secure?
I think this is secure because I will probably make the token like 511 chars long, brute-forcing it would be very unlikely, and I couldn’t find any other security holes in this.
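The flow above is a step-up (re-authentication) token. As an added example, not the poster's code, the class below implements the server side of it with the properties a reviewer would look for beyond token length: the token is random (256 bits is plenty; 511 characters adds nothing), it is bound to both the user and the specific action, it expires, it is single-use, and only a hash of it is kept server-side. The password check is injected as a callable because it belongs to the application; the one in the `__main__` demo is a constructed stub.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, Optional, Tuple

TOKEN_TTL_SECONDS = 300  # assumed: a few minutes is enough to complete the redirect


class StepUpAuth:
    """Issue and consume one-time tokens proving a recent password check."""

    def __init__(self, verify_password: Callable[[str, str], bool], now: Callable[[], float] = time.time):
        self._verify = verify_password          # app-supplied: (user_id, password) -> bool
        self._now = now                         # injectable clock for tests
        # sha256(token) -> (user_id, action, expires_at); raw tokens are never stored.
        self._tokens: Dict[bytes, Tuple[str, str, float]] = {}

    @staticmethod
    def _key(token: str) -> bytes:
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user_id: str, password: str, action: str) -> Optional[str]:
        """Step 4-5 of the flow: check the password, then mint a token bound to user and action."""
        if not self._verify(user_id, password):
            return None
        token = secrets.token_urlsafe(32)        # 256 bits from the OS CSPRNG
        self._tokens[self._key(token)] = (user_id, action, self._now() + TOKEN_TTL_SECONDS)
        return token

    def consume(self, token: str, user_id: str, action: str) -> bool:
        """Step 6: the dangerous action calls this with the logged-in user and its own name.

        The token is removed before any check, so it is single-use whether or not
        the check succeeds; a replay of the same URL therefore fails.
        """
        record = self._tokens.pop(self._key(token), None)
        if record is None:
            return False
        bound_user, bound_action, expires_at = record
        if self._now() > expires_at:
            return False
        return bound_user == user_id and bound_action == action


if __name__ == "__main__":
    # Constructed stub standing in for the real password check.
    users = {"alice": "hunter2"}
    auth = StepUpAuth(lambda uid, pw: users.get(uid) == pw)
    tok = auth.issue("alice", "hunter2", "delete_account")
    print(auth.consume(tok, "alice", "delete_account"))  # True
    print(auth.consume(tok, "alice", "delete_account"))  # False: already used
```

Two practical caveats sit outside the token itself. A token carried as a GET parameter ends up in browser history, proxy and server logs and potentially the Referer header of the next request, so it is better delivered via a POST form field or kept in the server-side session and never placed in a URL. And binding to the session (not only the user id) prevents a token issued in one session from being redeemed in another that happens to belong to the same user.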
I noticed that Amazon’s password reset relies on a 6-digit numeric PIN. Doesn’t this reduce every user’s account to a ~1 in 10^5 chance of being accessed through brute-force guessing, factoring in a few retries (requesting an OTP resend)?
It seems that they put a captcha ahead of this and probably have some timeout where the OTP expires, or an unspecified limit where too many attempts will lock the account from further retries. But nevertheless this doesn’t seem like a very good idea to me. I think Google Apps uses 8 characters with multiple character sets (lowercase, uppercase, numeric, symbol), which seems like how I would implement something like this.
What are good best practices for implementing a similar password reset mechanism with 6 digit numeric PIN on my own web app? Or is this a bad idea?
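A 6-digit code is only as weak as the number of guesses an attacker is allowed before it is gone. The following is an added example, not Amazon's or Google's implementation, of the controls that make such a code acceptable: a short lifetime, a hard cap on wrong guesses per code, a cap on how many codes can be issued per user per window (so "resend" cannot be used to reset the guess counter indefinitely), single use, and server-side storage of an HMAC of the code rather than the code itself. All limits, the server key and the sample user are assumptions for the example; `success_probability` computes the resulting per-attacker odds for whatever limits are chosen.

```python
import hmac
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 600       # assumed: code valid for 10 minutes
MAX_ATTEMPTS = 5             # assumed: wrong guesses allowed per issued code
MAX_CODES_PER_WINDOW = 3     # assumed: resends allowed per user per window
RESEND_WINDOW_SECONDS = 3600

# Assumed per-deployment secret so a dump of the code store alone cannot be
# brute-forced offline (a bare hash of a 6-digit code would be).
SERVER_KEY = secrets.token_bytes(32)


def _code_mac(user_id: str, code: str) -> bytes:
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode("utf-8"), hashlib.sha256).digest()


class ResetCodes:
    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._active: Dict[str, dict] = {}        # user_id -> {mac, expires, attempts}
        self._issued: Dict[str, List[float]] = {}  # user_id -> timestamps of issued codes

    def request_code(self, user_id: str) -> Optional[str]:
        """Mint a fresh code to send out of band, or None if the user is throttled.

        Issuing a new code always invalidates the previous one, so resending
        never gives an attacker extra guesses at a code they already saw.
        """
        now = self._now()
        recent = [t for t in self._issued.get(user_id, []) if now - t < RESEND_WINDOW_SECONDS]
        if len(recent) >= MAX_CODES_PER_WINDOW:
            return None
        recent.append(now)
        self._issued[user_id] = recent
        code = "%0*d" % (CODE_DIGITS, secrets.randbelow(10 ** CODE_DIGITS))
        self._active[user_id] = {"mac": _code_mac(user_id, code), "expires": now + CODE_TTL_SECONDS, "attempts": 0}
        return code

    def verify(self, user_id: str, code: str) -> bool:
        """Check a submitted code; the code is destroyed on success, expiry or exhaustion."""
        entry = self._active.get(user_id)
        if entry is None:
            return False
        if self._now() > entry["expires"]:
            del self._active[user_id]
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(_code_mac(user_id, code), entry["mac"]):
            del self._active[user_id]             # single use
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._active[user_id]             # guesses exhausted: force a new code
        return False


def success_probability(attempts_per_code=MAX_ATTEMPTS, codes=MAX_CODES_PER_WINDOW, digits=CODE_DIGITS) -> float:
    """Chance that an attacker with no other information guesses a valid code
    within the limits; each issued code is an independent uniform draw."""
    per_code = attempts_per_code / 10 ** digits
    return 1 - (1 - per_code) ** codes


if __name__ == "__main__":
    store = ResetCodes()
    code = store.request_code("user@example.com")   # constructed sample user
    print("would be emailed:", code)
    print(store.verify("user@example.com", code))   # True
    print("attacker odds per window:", success_probability())
```

With the limits above the function returns about 1.5e-5 per user per hour: the numeric code is acceptable only because the attempt and resend caps, not the code length, bound the attacker. Dropping either cap (unlimited resends, or a counter that resets on resend) is what turns the scheme into the weak one the question describes.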
If there is a case where I wish to store sensitive data like a password, credit card information, or access tokens:
Are web workers / service workers a secure environment, where such data can not be compromised? If so, what to do to really secure it? If not so, why not exactly?
Is there an additional risk associated with storing the master password to a vault inside the vault itself?
I would assume not, since in order to decrypt the vault you must already have that password. But maybe I’m missing something?
And without reuse concerns, anything that can steal the password from the unlocked vault can also just steal the vault itself, so no additional information is being exposed that way.
As to why, besides academic curiosity, I’ve also noticed that sometimes the web version of the vault does not automatically log me in, even if the native app is unlocked. So adding the vault password would simplify that process.