Suppose I sign up for website.com with username “John” and password “Secret”.
Currently the web browser supplies website.com with my real plain-text password, and we must trust them to salt and hash it properly so that if they are hacked, damage to users is minimized.
Why don’t web browsers hash and salt your password for you? What would the downsides be if instead, it communicated:
username: John password: Sha256("website.com|john|Secret") => "655cd29ded358433da16867b682c21621664d26b9ca493ab224488dffce17050"
Maybe it’s not the best scheme in the world, but is it worse than nothing at all?
With this scheme, websites would have to keep track of which domain you signed up under, and you would probably want to modify the username to be all lowercase in the hash function so that the web browser communicates the same password no matter how you case your username.
The reason I suggest including domain or some other company id in the hash is so that rainbow tables can’t be used for more than one site at a time.
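The derivation the question proposes, written out as an added example (not code from the original post) so the two properties it relies on can be checked: the same master secret produces unrelated values on different domains, and the username's case does not change the result. The server side is included because the derived hex string is still the password-equivalent for that site and must itself be salted and hashed; SHA-256 is used only because the question uses it, a real server would use a slow password hash. The `|` separator, the lower-casing rule and the reliance on coreutils `sha256sum` are taken from the question or assumed here.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes coreutils sha256sum.

# Client side: the value the browser would send instead of the real password.
# Username is lower-cased first, as the question suggests, so "John" and
# "JOHN" derive the same value.
derive_site_password() {
    domain=$1; user=$2; secret=$3
    user_lc=$(printf '%s' "$user" | tr '[:upper:]' '[:lower:]')
    printf '%s|%s|%s' "$domain" "$user_lc" "$secret" | sha256sum | cut -d' ' -f1
}

# Server side: the site only ever sees the derived string, but that string is
# what logs you in there, so it is stored salted and hashed, never raw.
# Record format: "<salt>$<sha256(salt|derived)>" (format is this example's own).
make_salt() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

server_record() {
    salt=$1; derived=$2
    printf '%s$%s' "$salt" "$(printf '%s|%s' "$salt" "$derived" | sha256sum | cut -d' ' -f1)"
}

# Returns 0 when DERIVED matches the stored RECORD.
server_verify() {
    record=$1; derived=$2
    salt=${record%%\$*}
    [ "$(server_record "$salt" "$derived")" = "$record" ]
}

# Walk-through with the question's own values (constructed input).
demo() {
    a=$(derive_site_password website.com John Secret)
    b=$(derive_site_password website.com JOHN Secret)
    c=$(derive_site_password other.com John Secret)
    echo "website.com/John : $a"
    echo "website.com/JOHN : $b   (same as above)"
    echo "other.com/John   : $c   (different: a table for one site is useless for another)"
    rec=$(server_record "$(make_salt)" "$a")
    echo "stored at website.com: $rec"
    server_verify "$rec" "$a" && echo "login with the derived value: ok"
    server_verify "$rec" "$c" || echo "login with other.com's value: rejected"
}

[ "${1:-}" = demo ] && demo
```

Run `sh derive.sh demo` to see the three digests side by side. Note what the scheme does not change: whoever steals website.com's database and cracks the salted record still holds a working credential for website.com, it is only the other sites that are protected.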
Is it possible to uncheck the save passwords box in Firefox settings programmatically with bash?
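One way to do this from a shell script, as an added example (not from the original post): Firefox reads `user.js` in the profile directory at startup and applies its `user_pref` lines over `prefs.js`, and the "Ask to save logins and passwords" checkbox is the pref `signon.rememberSignons`. The script rewrites that pref in a given profile's `user.js`; it must run while Firefox is closed, and the profile path is passed in because the usual `~/.mozilla/firefox/*.default*` location is only an assumption about where it lives.

```shell
#!/bin/sh
# Added example (not from the original post). Run with Firefox closed.

PREF='signon.rememberSignons'

# Write user_pref("NAME", VALUE); into PROFILE_DIR/user.js, dropping any
# earlier line for the same pref so repeated runs do not pile up duplicates.
firefox_set_pref() {
    profile=$1; name=$2; value=$3
    userjs="$profile/user.js"
    [ -d "$profile" ] || return 1
    tmp=$(mktemp)
    if [ -f "$userjs" ]; then
        grep -v "user_pref(\"$name\"" "$userjs" > "$tmp" || true
    fi
    printf 'user_pref("%s", %s);\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$userjs"
}

# Uncheck "save logins and passwords" for the profile in PROFILE_DIR.
firefox_disable_save_passwords() {
    firefox_set_pref "$1" "$PREF" false
}

# Print the value set for NAME in PROFILE_DIR/user.js (empty if not set there).
firefox_get_pref() {
    sed -n "s/^user_pref(\"$2\", *\(.*\));$/\1/p" "$1/user.js" 2>/dev/null
}

# Usage: ./nosave.sh ~/.mozilla/firefox/xxxxxxxx.default-release
if [ -n "${1:-}" ]; then
    firefox_disable_save_passwords "$1" && echo "$PREF=$(firefox_get_pref "$1" "$PREF") in $1/user.js"
fi
```

Because `user.js` is re-applied on every start, the checkbox will snap back to unchecked even if someone re-enables it in the settings dialog; delete the line from `user.js` to hand control back to the UI.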
Suppose a non-root user was compromised remotely by malware that is now using su (tty or similar) to try to log in as root, trying every possible password by brute-forcing.
assume: full disk encryption with a strong password is in place.
goal: secure root account password.
non-goals: Protecting the password from offline attacks when an attacker manages to steal /etc/shadow and use offline attacks against it is out of scope.
In this situation…
Are offline attacks against linux user account passwords possible?
When are strong linux user account passwords required?
Are strong linux account passwords required?
How many passwords can an attacker try against linux user accounts per second or per minute?
Can password brute-forcing against linux user account passwords be parallelized by the attacker, and is brute-forcing only bound by the attacker's available resources of CPU/RAM/etc.?
Or is password brute-forcing against linux user account passwords limited by su/pam or something? Can only a limited number of passwords per second or per minute be tested?
Can su/pam/everything be given a delay (becoming longer and longer) when a wrong password is tried, to slow down brute-force attacks?
How many random characters or dice words must a linux user account password have to be very secure? Are these the same requirements as for very secure FDE passwords, or lower because offline attacks are not possible against linux user account passwords?
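An added check (not from the original post) for the su/PAM questions above: which of the brute-force brakes are actually present in the PAM stack that `su` uses. Three facts it relies on: `pam_unix.so` asks the calling program for a delay of about two seconds after a failed authentication unless it is given the `nodelay` option; `pam_faildelay.so` adds a fixed delay (`delay=` in microseconds); and `pam_faillock.so` (or the older `pam_tally2.so`) counts failures per user and locks the account after `deny=` of them. The first two are per-process, so an attacker running many `su` processes in parallel pays each delay separately and the rate is limited only by how many processes the box tolerates; only the lockout counter is shared across all of them. The script reads a service file such as `/etc/pam.d/su` and follows one level of `@include` (Debian) or `auth include`/`substack` (Fedora) into the same directory; that one-level resolution and the sample config lines in the report are this example's assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Usage: ./pamaudit.sh /etc/pam.d/su

# Print the uncommented "auth" rules of FILE, pulling in the auth rules of
# files referenced by "@include NAME" or "auth include|substack NAME"
# (resolved in FILE's own directory, one level deep: an assumption).
pam_auth_rules() {
    file=$1
    dir=$(dirname "$file")
    [ -r "$file" ] || return 1
    grep -Ev '^[[:space:]]*(#|$)' "$file" | while read -r kw ctl mod rest; do
        case "$kw" in
            @include)
                if [ -r "$dir/$ctl" ]; then
                    grep -E '^[[:space:]]*auth[[:space:]]' "$dir/$ctl" || true
                fi ;;
            auth)
                if [ "$ctl" = include ] || [ "$ctl" = substack ]; then
                    if [ -r "$dir/$mod" ]; then
                        grep -E '^[[:space:]]*auth[[:space:]]' "$dir/$mod" || true
                    fi
                else
                    printf '%s %s %s %s\n' "$kw" "$ctl" "$mod" "$rest"
                fi ;;
        esac
    done
}

# 0 if MODULE (e.g. pam_faildelay.so) is on some auth rule of FILE's stack.
pam_auth_has_module() {
    pam_auth_rules "$1" | grep -q "$2"
}

# 0 if pam_unix was given "nodelay", i.e. its ~2 s failure delay is off.
pam_unix_nodelay() {
    pam_auth_rules "$1" | grep 'pam_unix\.so' | grep -q nodelay
}

# Report on one service file; exit 1 if a guessing loop would run unthrottled.
audit_pam_bruteforce() {
    f=$1
    [ -r "$f" ] || { echo "$f: not readable"; return 2; }
    status=0
    if pam_unix_nodelay "$f"; then
        echo "$f: pam_unix has nodelay -> no per-failure delay"; status=1
    else
        echo "$f: pam_unix default delay (about 2 s per failed attempt, per process)"
    fi
    if pam_auth_has_module "$f" pam_faildelay.so; then
        echo "$f: pam_faildelay present (fixed extra delay per process)"
    else
        echo "$f: no pam_faildelay; e.g. 'auth optional pam_faildelay.so delay=5000000' adds 5 s"
    fi
    if pam_auth_has_module "$f" pam_faillock.so || pam_auth_has_module "$f" pam_tally2.so; then
        echo "$f: lockout counter present (parallel processes share one failure budget)"
    else
        echo "$f: no lockout; parallel su processes are throttled only by their own delays"; status=1
    fi
    return $status
}

[ -n "${1:-}" ] && audit_pam_bruteforce "$1"
```

A clean exit means the stack both delays each failure and counts failures per user; the pam_faillock `deny=` and `unlock_time=` values decide how many guesses per unlock window the attacker gets, regardless of how many processes are started.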
I was very surprised and alarmed to see that a piece of free software could list passwords stored by the browser in plain text. I thought that these passwords (such as the ones for email) were encrypted and couldn’t be viewed that easily! I thought that cookies were such files.
This means that any web application could do the same and “steal” this information without me knowing!
My question is, is there a browser setting that prevents the storage of such credentials?
I have always used long passphrases for my own Windows user accounts. But I know some people who use moderately common passwords (we’ll say they’re in the top 1,000 most used passwords, but not in the top 100).
From “Why do we lock our computers?”, I see that locking protects you from attackers who are unskilled or not prepared, and can even slow down prepared attackers for a few minutes. But if a capable attacker is alone with your computer for any extended period of time, they can get in if you don’t have full-disk encryption.
Does it make sense to use a strong account password (that is, something not in any password list)? Nobody is going to try the top 1,000 passwords if they’re alone with your computer for a few minutes, and if they’re with your computer for longer than that they can use other means.
Suppose RDP is disabled on the computer and the administrator account has a lengthy, unique passphrase. We’ll also suppose that the user’s password is not one they use elsewhere. Is there any attack that becomes easier if a non-administrator user password is in a list of common passwords?
Yesterday I logged on to my banking app via my iPhone. The normal procedure was to enter information that consisted of:
- The answer to a security question. This had to be entered in full and was the same during each login.
- Three characters from an additional string. The specific characters asked for were different for each login.
A message appeared which said that they were “upgrading” this to be more secure. It involved setting up a security answer (a string which was different to ). However, after using this it simply said that Touch ID (fingerprint) could be used instead of any of this information.
In theory this sounded OK, but it then said that it would work for anyone who had fingerprint access to the device. The device in question is an iPhone SE. Given it’s possible for multiple fingerprints to work on an iPhone, I was wondering how secure this actually is?
I have a couple of thoughts on this:
- If I have to enter the details as in  and  then only I know them (unless they are leaked). So in theory only one person knows these details (me).
- If someone else has fingerprint access on the device I use they can enter the app without any additional details.
I won’t name the bank in case this is some serious issue.
Please can someone provide details about whether this is genuinely a step in the right direction in terms of security and whether there are advantages/disadvantages over the previous method?
I get this back after a bulk upload of children users:
I used a random generator and pasted its VALUE into the password column, so instead of
being uploaded in the bulk .CSV I’m using
How come the password GR5485 isn’t accepted??
It seems Google activated a central place for storing app/website passwords which is accessible online at https://passwords.google.com/, and all the remembered Chrome passwords are synced there across all the linked devices. It is pretty weird that this happened without my knowledge (previously they were stored on my local computer).
I would like to backup/export these stored passwords, as it’s not very clear how they’re stored or how safe these passwords are in the cloud, and move away from it.
I’ve checked Accounts Help: Download your data page, but this service is not available on the list in settings at https://www.google.com/settings/takeout.
I work at a healthcare tech start-up which is pretty strict about its login guidelines, largely because protecting patient and provider info is such a vital need in this industry. But while our strictness serves an important need, it can cause a fair amount of headaches for our providers. The source of much of this frustration is the fact that providers, when changing their passwords, are not allowed to reuse any of their last 12 passwords. They’re having difficulty remembering their old passwords, and there’s no secure/systematic way of providing that info to them. What’s worse is that they’re also required to change their passwords every 90 days. So between the cognitive load required to remember all of their recent passwords and the frequency with which they need to update their passwords, providers are getting fed up, and are either abandoning the platform in frustration or relying heavily on customer support, who are inundated with requests to change providers’ passwords for them.
That said, does anyone have any experience with the “previous password” problem? And if so, what approaches have you used to mitigate it? Thanks for your help!
(and an FYI, I asked my security team if there was any wiggle room on the frequency of the password change, as well as the change criteria, but they said it’s pretty much set in stone)