Crack hashed passwords using a known password

I’m a dev trying to deploy a new dashboard I’ve written at work, the old one is a mess of hacked together libraries and only about half of the codebase is still even in use (dead code everywhere that just never got deleted, but doesn’t do anything)…

I’m not willing to kill myself over this nonsense one more second, I am trying to get the user notes from accounts where a user (rarely) changed their password from the default. I have the default password’s stored hashed string, what password it translates to, the hashing mechanism used, the encryption method used, and the hashed strings of the other passwords.

There just has to be a simple way to use this information to decrypt the other passwords right??

If this is not possible, can someone explain to me why? I get the one-way nature of hashing, but given how much information I have about the process end to end, I essentially have the entire process known, so I’m not sure that matters in this instance…

To summarize:

Can I use the knowledge of hashing and encryption mechanisms, along with a sample hash string and its plaintext value, to crack other passwords produced by the same code?

PS: If it helps, each default hash is identical regardless of when it was made…

Is this security scheme using passwords, short-lived access JWTs, and long-lived refresh tokens a good way to secure a REST API?

I’m trying to secure a REST API that I’m using as a backend for a single-page application. The API provides access to read/create/modify/delete protected resources, based on a set of permissions managed by an administrator. What I’m thinking is the following:

  • All connections must be over HTTPS; plain HTTP requests will be redirected to HTTPS.
  • Users have a username and password, which they create.
  • A client submits a username/password to a /login route; if it’s a valid password for that user, the server will return a short-lived access token and a long-lived refresh token.
    • The access token will be a signed JWT that identifies the user and has an expiration time.
    • The refresh token will be a GUID corresponding to a row in a database table; this row will store the user ID
  • When accessing protected routes (everything but /login), an access token will be required. The server will verify the signature, and if valid, will check the expiration time. If the token is not expired, the user ID will be made available to server-side code for authorization logic.
  • If the access token is expired, the client will automatically submit the refresh token to a /refresh endpoint for requesting a new access token. The server will check the database; if a corresponding row still exists, a new access token will be returned to the client.

Does this scheme sound secure?

User passwords printed on paperwork at a dental office?

My dental office just printed my password (to their portal) on some checkout paperwork.

I asked on law stackexchange and it doesn’t sound like this is a HIPAA violation, but I am really curious if this violates other regulations or goes against known best practices, as it seems really bad security-wise.

It doesn’t feel right that they can even see my password.

Any thoughts / resources much appreciated.

How to store passwords and be able to reuse them later

Lets assume the following scenario

I am writing an application where you can log in and then provide login details to another system ie your email account, FTP account etc
The application then reuses those login details later when it tries to log into those services to perform a certain task. Those tasks are performed in the background via a cron script and the user does not want to have to log in every time to provide the login details to those services.
This means I need to store the…

How to store passwords and be able to reuse them later

Securely distributing passwords and salts that will be derived by client programs

I am creating a client-server architecture running on top of the KCP protocol in Go. The package for KCP that I’m using is KCP-Go (https://github.com/xtaci/kcp-go). The package supports packet-level encryption and FEC. To use the packet-level encryption feature, I need to generate an AES key. Following the latest OWASP recommendations for securely storing passwords and keys, this is what I’ve done thus far:

  • I have generated a 64-byte password and salt.
  • I pass that to PBKDF2, using (600000 * num_cpus) rounds, and requesting a 32-byte key.

Now I am wondering how to exactly securely distribute this key. At this time, I start up another TCP server and allow clients to connect. When they do, I send them the password, salt, number of iterations, and checksum hashes for those three to ensure they’re not tampered with, and allow the client to perform key derivation. My question is: Is this method of distribution actually secure, or should I find some other way (i.e. using public keys)? If there is a more secure method to allow clients and the server to communicate, what should I do instead? I should note that when clients and servers send messages to one another a hash of the message is included along with the message to allow clients to verify the messages validity (I’m using SHAKE256). The hash funciton used during key derivation is BLAKE2B (though I have thought about using Argon2).