Why do web browsers provide websites with plain text passwords?

Suppose I sign up for website.com with username “John” and password “Secret”.

Currently the web browser supplies website.com with my real plain text password, and we must trust them to salt and hash it properly so that if they are hacked, damage to users is minimized.

Why don’t web browsers hash and salt your password for you? What would the downsides be if instead, it communicated:

username: John password: Sha256("website.com|john|Secret") => "655cd29ded358433da16867b682c21621664d26b9ca493ab224488dffce17050"

Maybe it’s not the best scheme in the world, but is it worse than nothing at all?

With this scheme websites would have to keep track of which domain you signed up under, and you would probably want to modify the username to be all lowercase in the hash function so that the web browser communicates the same password no matter how you case your username.

The reason I suggest including domain or some other company id in the hash is so that rainbow tables can’t be used for more than one site at a time.
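The scheme sketched above, worked through as an added example (not code from the question's author): the client derives a site-specific value from domain, lower-cased username and password, and the server treats whatever arrives as the credential and still salts and slow-hashes it. The PBKDF2 iteration count and salt size are assumptions chosen for the example.

```python
import hashlib
import hmac
import os

# Client side (the scheme proposed in the question): the browser derives a
# site-specific value from domain, lower-cased username and password, and
# sends that instead of the password itself.
def derive_client_secret(domain: str, username: str, password: str) -> str:
    material = f"{domain}|{username.lower()}|{password}".encode("utf-8")
    return hashlib.sha256(material).hexdigest()


# Server side: whatever arrives over the wire is now the credential, so the
# site still has to salt and slow-hash it. The iteration count is an
# illustrative value chosen for this example, not a recommendation.
PBKDF2_ITERATIONS = 200_000


def store_credential(client_secret: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) to persist; a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", client_secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_credential(client_secret: str, salt: bytes, digest: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", client_secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    # Constant-time comparison so verification time does not leak digest bytes.
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    a = derive_client_secret("website.com", "John", "Secret")
    b = derive_client_secret("website.com", "john", "Secret")
    c = derive_client_secret("other.com", "john", "Secret")
    print("case-normalised usernames match:", a == b)
    print("same password on another domain differs:", a != c)
    salt, digest = store_credential(a)
    print("server verifies the derived value:", verify_credential(a, salt, digest))
```

Two things the code makes visible: the derived value is the same whether the user types "John" or "john", and it differs per domain, so a table precomputed for one site does not transfer to another. It also shows the limit of the scheme: `verify_credential` accepts the derived string on its own, so a site that stored it unhashed would be handing out a password-equivalent on breach, which is why the server-side salt and slow hash cannot be dropped.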

How to stop other programs from reading passwords stored in my browser?

I was very surprised and alarmed to see that a free program could list passwords stored by the browser in plain text. I thought that these passwords (such as the ones for email) are encrypted and can’t be viewed that easily! I thought that cookies are such files.

This means that any web application could do the same and “steal” this information without me knowing!

My question is, is there a browser setting that prevents the storage of such credentials?

Do non-administrator Windows accounts need strong passwords?

I have always used long passphrases for my own Windows user accounts. But I know some people who use moderately common passwords (we’ll say they’re in the top 1,000 most used passwords, but not in the top 100).

From Why do we lock our computers?, I see that locking protects you from attackers who are unskilled or not prepared, and can even slow down prepared attackers for a few minutes. But if a capable attacker is alone with your computer for any extended period of time, they can get in if you don’t have full-disk encryption.

Does it make sense to use a strong account password (that is, something not in any password list)? Nobody is going to try the top 1,000 passwords if they’re alone with your computer for a few minutes, and if they’re with your computer for longer than that they can use other means.

Suppose RDP is disabled on the computer and the administrator account has a lengthy, unique passphrase. We’ll also suppose that the user’s password is not one they use elsewhere. Is there any attack that becomes easier if a non-administrator user password is in a list of common passwords?

Banking app logon – multiple fingerprint vs 2 passwords

Yesterday I logged on to my banking app via my iPhone. The normal procedure was to enter information that consisted of:

  1. The answer to a security question. This had to be entered in full and was the same during each login.
  2. Three characters from an additional string. The specific characters asked for were different for each login.

A message appeared which said that they were “upgrading” this to be more secure. It involved setting up a security answer (a string which was different to [1]). However, after using this it simply said that touch (fingerprint) ID could be used instead of using any of this information.

In theory this sounded ok, but it then said that it would work for anyone who had fingerprint access for the device. The device in question is an iPhone SE. Given it’s possible for multiple fingerprints to work on an iPhone, I was wondering how secure this actually is.

I have a couple of thoughts on this:

  1. If I have to enter the details as in [1] and [2] then only I know them (unless they are leaked). So in theory only one person knows these details (me).

versus:

  1. If someone else has fingerprint access on the device I use they can enter the app without any additional details.

I won’t name the bank in case this is some serious issue.

Please can someone provide details about whether this is genuinely a step in the right direction in terms of security and whether there are advantages/disadvantages over the previous method?

Which is the best software to recover or remove PDF file passwords?

If you are looking for a tool that unlocks PDF files, download PDF Unlock Tool to unlock PDF passwords and remove restrictions from PDF documents. This tool removes PDF copy, edit and print restrictions and allows you to copy, edit and print PDF documents. You can also remove PDF passwords and reset a new password on PDF documents. For more information: https://www.toolsground.com/pdf-unlock-tool/

G-suite passwords not accepted on bulk upload

I get this back after a bulk upload of child users:

ACTION_FAILED:PASSWORD_INVALID

I used a random generator and pasted its VALUE into the password column, so instead of

=CHAR(RANDBETWEEN(65,90))&CHAR(RANDBETWEEN(65,90))&RANDBETWEEN(1000,9999) 

being uploaded in the bulk .CSV I’m using GR5485 instead.

How come the password GR5485 isn’t accepted?
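An added example (not from the question's author or from Google) of generating bulk-upload passwords that clear the length check. It assumes the rejection comes from the documented Google Workspace requirement that passwords be between 8 and 100 characters: the spreadsheet formula in the question yields two letters plus four digits, so GR5485 is six characters. The CSV column names are illustrative, not the exact Workspace template header, and the passwords come from the OS random source rather than a spreadsheet RANDBETWEEN().

```python
import csv
import io
import secrets
import string

# Google Workspace accepts account passwords of 8 to 100 characters. The
# 6-character values produced by the spreadsheet formula in the question fall
# below that minimum.
MIN_LENGTH = 8
MAX_LENGTH = 100
ALPHABET = string.ascii_letters + string.digits


def is_acceptable_length(password: str) -> bool:
    return MIN_LENGTH <= len(password) <= MAX_LENGTH


def generate_password(length: int = 12) -> str:
    """Random password drawn from the OS CSPRNG via the secrets module."""
    if not is_acceptable_length("x" * length):
        raise ValueError(f"length must be between {MIN_LENGTH} and {MAX_LENGTH}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def build_bulk_csv(emails, length: int = 12) -> str:
    """Return CSV text with one freshly generated, length-checked password per user.

    Column names are illustrative (assumed), not the exact Workspace template.
    """
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["Email Address", "Password", "Change Password at Next Sign-In"])
    for email in emails:
        pw = generate_password(length)
        if not is_acceptable_length(pw):
            raise RuntimeError("generated password failed the length check")
        # Forcing a change at first sign-in means the value in this file is
        # only ever a one-time bootstrap secret.
        writer.writerow([email, pw, "TRUE"])
    return buf.getvalue()


if __name__ == "__main__":
    print("GR5485 acceptable:", is_acceptable_length("GR5485"))
    # Constructed sample addresses for the demo.
    print(build_bulk_csv(["student1@example.edu", "student2@example.edu"]))
```

Generating the values in code rather than in a spreadsheet also sidesteps the formula-versus-value copy problem from the question, since the file written here already contains literal strings.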

How to download/export own passwords stored at Google Passwords?

It seems Google activated a central place for storing app/website passwords, which is accessible online at https://passwords.google.com/, and all the remembered Chrome passwords are synced there across all the linked devices. This is pretty weird, as it happened without my knowledge (previously they were stored on my local computer).

I would like to back up/export these stored passwords, as it’s not really clear how they’re stored or how safe these passwords are in the cloud, and move away from it.

I’ve checked Accounts Help: Download your data page, but this service is not available on the list in settings at https://www.google.com/settings/takeout.

Users aren’t allowed to reuse old passwords for security reasons. How to alleviate this pain point?

I work at a healthcare tech start-up which is pretty strict about its login guidelines, largely because protecting patient and provider info is such a vital need in this industry. But while our strictness serves an important need, it can cause a fair amount of headaches for our providers. The source of much of this frustration is the fact that providers, when changing their passwords, are not allowed to reuse any of their last 12 passwords. And they’re having difficulty remembering their old passwords, and there’s no secure/systematic way of providing that info to them. What’s worse is that they’re also required to change their passwords every 90 days. So between the cognitive load required to remember all of their recent passwords and the frequency with which they need to update their passwords, providers are getting fed up, and are either abandoning the platform in frustration or relying heavily on customer support, who are inundated with requests to change providers’ passwords for them.

That said, does anyone have any experience with the “previous password” problem? And if so, what approaches have you used to mitigate it? Thanks for your help!

(And an FYI: I asked my security team if there was any wiggle room on the frequency of the password change, as well as the change criteria, but they said it’s pretty much set in stone.)