Password Vault Storing Passwords

I’ve been working on just a fun side project in C++ to practice encryption algorithms and I sort of ran into a bit of a roadblock of sorts. To summarize the project: I have a text file of encrypted passwords and the sites the passwords are for; the user logs in and the encrypted information is stored into a list. Simple enough. The log in works just fine and is as close to using a hash function as I care to try for as small a project as I’d like this to be. My main problem is this:

When I want to show the user their password, I need to decrypt it. How do I pass the key to the decryption algorithm without having it stored in at least RAM? Because I have an encrypted version of the key stored in the text file as well, and it relies on the hash being correct for the key to be decrypted. But I don’t want the user to enter their information again to get the password after they already logged in. So how should I go about this? Should I save the key once I can decrypt it with the user’s information? Or is there some solution that is escaping me? Thanks for any help!
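
One way to structure this, shown as an added Python illustration rather than the poster’s C++ code: derive both the login check and the encryption key from the master password with a KDF, write only a salt and a verifier to the vault file, and keep the derived key in memory only while the vault is unlocked. Nothing key-shaped is stored on disk at all. The iteration count, the verifier label and the class layout are assumptions; the per-entry cipher (an AEAD such as AES-GCM from a crypto library) is deliberately not part of this block, since the point is the key lifecycle.

```python
import hashlib
import hmac
import os

# Added example, not the poster's code. Work factor is an assumption;
# tune it to the target machine (hundreds of thousands for PBKDF2-SHA256).
KDF_ITERATIONS = 200_000


class Vault:
    """Holds the vault file's public fields and, while unlocked, the session key."""

    def __init__(self, salt: bytes, verifier: bytes):
        self.salt = salt            # written to the vault file
        self.verifier = verifier    # written to the vault file
        self._key = None            # lives only in RAM, never serialized

    @classmethod
    def create(cls, master_password: str) -> "Vault":
        salt = os.urandom(16)
        key = cls._derive(master_password, salt)
        vault = cls(salt, cls._verifier_for(key))
        cls._wipe(key)
        return vault

    @staticmethod
    def _derive(master_password: str, salt: bytes) -> bytearray:
        # The encryption key is the KDF output itself; no stored key to decrypt.
        return bytearray(hashlib.pbkdf2_hmac(
            "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32))

    @staticmethod
    def _verifier_for(key: bytes) -> bytes:
        # Derived from the key but not invertible to it: storing it lets the
        # program tell a wrong master password apart from a right one without
        # keeping anything that yields the key directly.
        return hmac.new(bytes(key), b"vault-verifier", hashlib.sha256).digest()

    @staticmethod
    def _wipe(buf: bytearray) -> None:
        for i in range(len(buf)):
            buf[i] = 0

    def unlock(self, master_password: str) -> bool:
        key = self._derive(master_password, self.salt)
        if not hmac.compare_digest(self._verifier_for(key), self.verifier):
            self._wipe(key)
            return False
        self._key = key             # "saving the key once" is exactly this
        return True

    @property
    def session_key(self) -> bytes:
        """Key handed to the entry decryptor; only valid while unlocked."""
        if self._key is None:
            raise RuntimeError("vault is locked")
        return bytes(self._key)

    def lock(self) -> None:
        if self._key is not None:
            self._wipe(self._key)
            self._key = None


if __name__ == "__main__":
    v = Vault.create("correct horse battery staple")
    print("wrong password accepted:", v.unlock("wrong"))
    print("right password accepted:", v.unlock("correct horse battery staple"))
    print("session key length:", len(v.session_key))
    v.lock()
```

In C++ the same pattern maps onto a buffer you can overwrite explicitly on lock or exit. Python cannot zero the immutable `bytes` copy that `session_key` hands out, which is a known limitation of doing this in a managed language rather than a reason to avoid holding the key for the session.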

Is it really that unsafe to store passwords in a text file on my computer?

These days, we have pretty secure systems.
I have a mac with T2 security chip and the whole disk is encrypted via FileVault.
iPhones are known to be pretty secure, with even FBI having a hard time breaking in.
Windows machines can be encrypted with BitLocker or VeraCrypt.
With these kinds of systems, is it really that unsafe to store passwords in a text file for an average individual user?
Of course if I’m operating a server or anything like that, I would definitely need better security. But I was wondering how much security does an average individual user really need?

John the Ripper doesn’t crack passwords when I use wordlists

Title says it all, I can’t tell if John is just crashing or “gives up” on cracking the hash. First I start off by creating an md5 hash out of a word I KNOW is on the rockyou.txt wordlist:

echo -n 'password' | md5sum > testhash 

After removing the hyphen at the end of the test hash file:

5f4dcc3b5aa765d61d8327deb882cf99 

Now I attempt to crack the md5 hash using the following John the Ripper command:

john --format=raw-md5 --wordlist= /usr/share/wordlists/rockyou.txt testhash 

I get the output:

Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8*3])
No password hashes left to crack (see FAQ)

Then I run:

john --show testhash 

Which outputs:

0 password hashes cracked, 2 left 

Sorry if I’m doing something terribly wrong, but I’m at a loss here. I’m assuming it’s something wrong with how my installation of John on Kali Linux is handling the wordlist. Thank you in advance!
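
Two things are worth checking in a setup like the one above: that the hash file holds exactly one 32-hex-digit line (md5sum writes `  -` after the digest when it reads stdin, and `echo` without `-n` hashes a trailing newline), and that the option is spelled `--wordlist=/usr/share/wordlists/rockyou.txt` with the path attached, because john reads a separated path as a further command-line argument rather than as the wordlist. The following added Python example (not from the question, and not John the Ripper) reproduces what a raw-MD5 wordlist attack does so the hash file and the candidate word can be sanity-checked independently of john. The hash file and the stand-in for rockyou.txt are constructed inline.

```python
import hashlib
import re

# Added example: a minimal raw-MD5 wordlist check, independent of john.
HEX_MD5 = re.compile(r"^[0-9a-f]{32}$")


def load_hashes(lines):
    """Accept one hash per line, tolerating md5sum's trailing '  -' and
    uppercase hex; anything that is not a 32-hex-digit token is skipped."""
    hashes = set()
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        token = parts[0].lower()
        if HEX_MD5.match(token):
            hashes.add(token)
    return hashes


def crack_md5(hashes, wordlist):
    """Hash each candidate once and look it up in the target set.
    Returns {hash: plaintext} for every hash that was found."""
    remaining = set(hashes)
    found = {}
    for word in wordlist:
        word = word.rstrip("\r\n")          # wordlist lines, newline removed
        digest = hashlib.md5(word.encode("utf-8", "surrogateescape")).hexdigest()
        if digest in remaining:
            found[digest] = word
            remaining.discard(digest)
            if not remaining:
                break
    return found


# Constructed inputs: the file exactly as `echo -n 'password' | md5sum > testhash`
# writes it, and a few lines standing in for rockyou.txt.
TESTHASH_LINES = ["5f4dcc3b5aa765d61d8327deb882cf99  -\n"]
WORDLIST_LINES = ["123456\n", "iloveyou\n", "password\n", "princess\n"]

# What you get from `echo 'password' | md5sum` (no -n): the newline is hashed
# too, so no wordlist entry will ever match it.
HASH_WITH_NEWLINE = hashlib.md5(b"password\n").hexdigest()

if __name__ == "__main__":
    targets = load_hashes(TESTHASH_LINES)
    print("loaded:", targets)
    print("cracked:", crack_md5(targets, WORDLIST_LINES))
    print("cracked (newline variant):", crack_md5({HASH_WITH_NEWLINE}, WORDLIST_LINES))
```

If this script finds the word but john does not, the problem is in how john was invoked or which file it loaded, not in the hash or the wordlist.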

Which is better practice: digital password manager or a physical book of passwords? [duplicate]

These days, it’s not uncommon to have dozens and dozens of passwords for various sites and services. If you’re using different passwords for each service it can be basically impossible to hold all the passwords in your memory.

Some people keep a book with their passwords written down, and are occasionally mocked for doing so because if the book is lost or stolen, so are their accounts.

Others keep a digital password manager. These passwords aren’t hashed: a user can log in and see all their saved passwords.

The best solution (assuming we’re only using passwords) is to have unique, strong passwords memorized for each service, but that is implausible for the typical person and the volume of passwords someone needs.

Which of the following is the current best practice for a high number of passwords? Consider that the user needs to access these accounts from potentially several computers.

  1. Use a handful of passwords that you can remember and have several services share a password. (For example, three unique passwords over twelve services)

  2. Use a digital storage mechanism for storing passwords that can be accessed on logging in

  3. Keep a physical book of written passwords. Obviously it can’t be stolen digitally, but can be physically stolen or misplaced, and recovering from a lost book is very hard.

I’m assuming the person in question is keeping everyday information important to them (email, bank account password, so on) but not necessarily being specifically targeted by someone with resources. Any of these practices will probably fail against someone staging a coordinated attack.

How did Microsoft discover 44 million user passwords were breached? [closed]

In December 2019, tons of news sites reported that Microsoft ran security research which found that over 44 million user passwords were breached. The news sites said Microsoft used third-party resources and public databases in order to discover this, and forced all these users to change their passwords (which is nice!), but I still don’t get it.

If the password is properly hashed, how did they manage to look them up in these databases? I’m not a security expert or anything, but the only possibility I could come up with was to hash the passwords from these public databases and compare them with the users’ hashed passwords, but that sounds absurd considering salt (they would have to hash every leaked password for every account, right?). Does anyone understand how they did that?

EDIT: @schroeder’s comment and closing the question don’t make sense. The question is valid: how could they check so many passwords against so many accounts, if that’s how they did it?
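
The cost the question worries about only arises if every leaked password is tried against every account. A breach dump usually carries an account identifier next to each password, so the check can be keyed by that identifier: each leaked row costs one KDF computation against one stored salted hash. The following added Python example illustrates that mechanism; it is not a description of Microsoft’s actual process, which the question does not give. The usernames, the iteration count and the sample dump are constructed.

```python
import hashlib
import hmac
import os

# Added example: credential-stuffing check keyed by account identifier.
ITERATIONS = 100_000   # assumption; a stand-in for the site's real work factor


def make_record(username, password):
    """Store a password the way a properly salted site would."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"username": username, "salt": salt, "hash": digest}


def matches(record, candidate):
    """Recompute with the account's own salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def find_reused(user_db, leaked):
    """user_db: {normalized username: record}; leaked: (username, plaintext) pairs.
    Returns the accounts whose current password appears in the dump and the
    number of KDF calls spent, which is at most one per leaked row."""
    hits = []
    kdf_calls = 0
    for username, plaintext in leaked:
        record = user_db.get(username.strip().lower())
        if record is None:          # identifier not an account here: free
            continue
        kdf_calls += 1
        if matches(record, plaintext):
            hits.append(record["username"])
    return hits, kdf_calls


# Constructed stored accounts and a constructed breach dump.
USER_DB = {r["username"]: r for r in (
    make_record("alice", "hunter2"),
    make_record("bob", "correct horse battery staple"),
    make_record("carol", "s3cret"),
)}
LEAKED = [
    ("alice", "hunter2"),    # same password reused here: hit
    ("bob", "password1"),    # account exists, different password: no hit
    ("dave", "hunter2"),     # no such account: skipped without a KDF call
    ("Carol ", "s3cret"),    # identifier normalized before lookup: hit
]

if __name__ == "__main__":
    hits, calls = find_reused(USER_DB, LEAKED)
    print("reused:", hits)
    print("KDF calls:", calls, "vs naive", len(LEAKED) * len(USER_DB))
```

Salting does not prevent this comparison; it only prevents one hash computation from being amortized across many accounts, which is exactly why the lookup is done per account rather than as a cross product.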

Recovering local chrome passwords from dead pc [migrated]

Recently my PC died and will not power on. The motherboard had a complete failure. My HDD survived. I have it set up as an external to pull my photos and such. My question comes down to transferring the local passwords I had stored in Chrome. I didn’t have a Google account sync. But the profiles are still accessible on the old HDD. I want to view my passwords or at least transfer them to my new PC. The older HDD belonged to a Win 8.1 PC. I pulled up the Login Data sqlite file, but when I view it in SQL Server it says the password value is stored in a blob. Any advice on recovering them would be helpful; a majority of my life’s on there.
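
Before trying to recover the values it helps to know which protection Chrome applied to them, because that decides what else is needed from the old drive. The following added Python example (not from the question) opens a copy of a Login Data database and classifies each password_value by its leading bytes. The byte patterns are facts about the formats, not taken from the question: Chrome on Windows wraps each saved password with the DPAPI CryptProtectData call, whose blobs begin with a version field and the DPAPI provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb, and Chrome 80 and later instead prefix the value with "v10" and encrypt it with AES-GCM under a key kept in the profile’s Local State file, itself DPAPI-protected. The sample database, its rows and the blob contents are constructed.

```python
import os
import sqlite3
import tempfile

# Added example: identify how each stored password was protected.
# DPAPI blob header: version 1 (little-endian) + provider GUID
# {df9d8cd0-1501-11d1-8c7a-00c04fc297eb} as stored on disk.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
# Chrome 80+ on Windows: "v10" + 12-byte nonce + ciphertext + 16-byte GCM tag,
# key = Local State -> os_crypt.encrypted_key (base64, "DPAPI" prefix, DPAPI blob).
CHROME_V10_PREFIX = b"v10"


def classify_blob(blob: bytes) -> str:
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"          # needs the original user's DPAPI master key
    if blob.startswith(CHROME_V10_PREFIX):
        return "aes-gcm-v10"    # needs the Local State key, which is DPAPI-wrapped
    if not blob:
        return "empty"
    return "unknown"


def inspect_login_data(db_path):
    """Read a copy of Chrome's Login Data (never the live file) and report
    (origin_url, username, protection) for every saved login."""
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT origin_url, username_value, password_value FROM logins"
        ).fetchall()
    finally:
        con.close()
    return [(url, user, classify_blob(bytes(pw))) for url, user, pw in rows]


def build_sample_db(path):
    """Constructed stand-in for Login Data with only the columns used above."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, "
                "password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://example.com/login", "alice", DPAPI_HEADER + b"\x00" * 40),
        ("https://example.org/", "bob",
         CHROME_V10_PREFIX + b"\x11" * 12 + b"\x22" * 20 + b"\x33" * 16),
        ("https://example.net/", "carol", b""),
    ])
    con.commit()
    con.close()


def demo():
    """Build the constructed database in a temp file and inspect it."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_sample_db(path)
        return inspect_login_data(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for url, user, kind in demo():
        print(f"{kind:12s} {user:8s} {url}")
```

Both outcomes point at the same dependency: a DPAPI-protected value is tied to the Windows account that saved it, so decrypting it off the old drive requires that user’s master key files (under the profile’s AppData\Roaming\Microsoft\Protect\<SID>) together with the account’s logon password, not just the database. The data is therefore recoverable as long as the old profile directory and that password are available; opening the blob alone in a SQL viewer will never show the plaintext.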

Store passwords local with plain text access on WinPE

I have an application that needs to store network credentials for a network drive/share on the disk. The user shouldn’t need to enter the password every time. The OS is WinPE, so the user cannot map the drive once and have it stay there.

Limitation:

  • I need the password in plain text, to map the drive.
  • The program should work without an additional password that the user has to enter.

Thoughts:

  • Hash + Salt is not reversible, so I cannot get the password in plain text.
  • An encrypted password is not safe, because the program has to store the key. If someone looks inside the code he will get the key and decrypt the password.
  • I cannot use the “Protect Data” interface of windows, because I use WinPE. Protect Data Documentation

The program is written in C#. Maybe someone has a good idea about my problem. Thanks!

Could you store your passwords in a phone app governed by a QR code?

I had an idea a little while back to have an ID card with a QR code on it that you kept in your wallet. When you want to access your passwords (view them directly), you need your ID card and to scan it with your password protected iPhone. This then reveals your desired passwords.

But I’m thinking about it more and it doesn’t seem to offer any extra “security” or protection of your passwords. You have your phone password memorized, so that’s secure. Once you get into your phone and open the customized QR reading password app, you could just have direct access to your passwords right there instead of having the QR code layer. But, say we add the QR code step, of scanning the QR code to get access. Maybe it only works on your phone. So you have your phone password and a QR code protecting your password.

Does something like this offer any extra security? I’m thinking along the lines of n-factor auth and having an actual physical ID card in the mix.