I’m creating an app that logs in to a remote API that doesn’t implement OAuth2 or another similar mechanism, and I want to know if it is reasonably safe to assume that the password will be safe if it is stored in app private storage like Shared Preferences or SQLite?
Tag: Passwords
C program to crack passwords
I have implemented a program in C to crack passwords by generating all possible combinations of words ([A-Z][a-z]) up to the length of 5. While the program works, I would like to receive comments on the efficiency of the algorithm and other design decisions that would improve the code. The exercise is part of the course CS50 by Harvard.
I timed the program using unix’s time and the time the program took to print all the combinations was real 14m39.433s; user 0m10.040s; sys 0m36.356s.
CS50.h is a library developed for the course as training wheels for students. String (char*) and Bool are types defined in this library.
```c
#define _XOPEN_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <cs50.h>

int main(int argc, char *argv[])
{
    if(argc != 2) {
        printf("Usage: ./crack hash\n");
        return 1;
    }
    string alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";
    char password[6] = "";
    string hash = argv[1];
    // The first two characters of the hash are the salt
    char salt[3];
    memcpy(salt, hash, 2);
    salt[2] = '\0';
    bool flag = false;
    int alphabet_len = 52;
    // Each loop level fixes one more character; the remaining positions are
    // reset to '\0' so that shorter candidates are tested first
    for(int i = 0; i < alphabet_len; i++) {
        password[0] = alphabet[i];
        password[1] = password[2] = password[3] = password[4] = '\0';
        if(!strcmp(hash, crypt(password, salt))) { flag = true; break; }
        for(int j = 0; j < alphabet_len; j++) {
            password[1] = alphabet[j];
            password[2] = password[3] = password[4] = '\0';
            if(!strcmp(hash, crypt(password, salt))) { flag = true; break; }
            for(int k = 0; k < alphabet_len; k++) {
                password[2] = alphabet[k];
                password[3] = password[4] = '\0';
                if(!strcmp(hash, crypt(password, salt))) { flag = true; break; }
                for(int l = 0; l < alphabet_len; l++) {
                    password[3] = alphabet[l];
                    password[4] = '\0';
                    if(!strcmp(hash, crypt(password, salt))) { flag = true; break; }
                    for(int m = 0; m < alphabet_len; m++) {
                        password[4] = alphabet[m];
                        if(!strcmp(hash, crypt(password, salt))) { flag = true; break; }
                    }
                    if(flag) break;
                }
                if(flag) break;
            }
            if(flag) break;
        }
        if(flag) break;
    }
    if(flag)
        printf("Password: %s\n", password);
    else
        printf("Password not found\n");
}
```
Separate Android profiles linked to different passwords
What would be the easiest way to allow for the functionality on an Android device so that if one password is entered then a profile is opened and if another (password) is entered then the phone unlocks a separate profile?
Should I back up automatic strong passwords of iCloud?
I’ve recently started to use iCloud’s automatic strong passwords. I feel like if iCloud were down for some reason, the passwords would be lost. Considering that, should I back them up on another device or on actual paper? Or am I worrying too much?
Does Chrome’s password manager store plaintext passwords in their databases?
Chrome’s password manager allows for users to view their saved passwords on passwords.google.com. The saved passwords can be viewed on different devices as long as the user logs into their Google account. So, these passwords must be stored in a Google database. Is it known as to whether the passwords are encrypted in this database, so that Google wouldn’t be able to know what your account passwords are?
Does the server store my previous passwords?
When I change my password on some web server like email, cloud, or a social network and try to use my previous password, the server denies it with the message “Don’t use your previous passwords”. Does it mean that the server stores my previous passwords? How is it secure?
Kickstart, universal install script and default passwords
I’d like to make a universal automated install script using Kickstart, which would be placed on a CD and used in conjunction with the standard DVD installer, i.e. the user of this script would need to append inst.ks=cdrom to boot options and then it’d install e.g. Fedora on the machine asking only for passwords.
It seems that standard practice is to generate Kickstart scripts with passwords (or password hashes) in them, which doesn’t seem ideal if you intend to distribute the script to third parties. I also want to enable the sshd service in the Kickstart script, which would make it possible for anyone on the LAN with knowledge of the default passwords to log in to the machine. Of course I can just disable password authentication in sshd but now it’s getting messy, i.e. I’m trying to work around public knowledge of default passwords (and I may very well be forgetting something).
I’m new to Kickstart, I’d like to make the install script to ask/prompt/input for site-specific passwords, and so far I figured out two options:
- Ask for passwords in %pre section and then generate e.g. accounts.ks with rootpw and user commands which will be included from main command section.
- Use static default passwords and run interactive script on first boot that’ll force user to change default passwords. (Or possibly use chage in %post.)
My worry is that, based on my Google searches, no one is doing that, no one is even asking for that. 🙂 Everyone seems to be placing final passwords/hashes directly into Kickstart scripts. So this leaves me with making my own interactive script for both options, which, I fear, will end up bad. Or perhaps I’m getting the whole concept of (semi-)automated installs with Kickstart wrong.
What is the standard practice for creating universal Kickstart scripts for scenarios like this, where you need to distribute the script and not force users to edit it?
How to crack a list of hashed passwords given their possibilities
I am trying to crack a number of passwords that have been hashed using SHA-256, using some Java code.
I have the hashes available and I also have the possibilities in which the password can be. Some of these possibilities include,
So for example I have hash 9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08 and I want to get the password using an algorithm (one which I will code in Java) to get the password: test
Is the only possible way I can do this to calculate the hashes for all of the possibilities and then compare them with the hashes that I have?
How to show passwords in Keychain Access?
Is there any setting that is supposed to cause the macOS Keychain Access app to show, in the password area, not the passwords themselves but instead random-looking capital alphanumeric characters?
This is what I’m seeing but I’d rather see the passwords.
I’m not sure if this is a setting I don’t know about or if something is broken.
Passwords and synchronization
I have changed passwords and find them in the password manager. When I try to log in I am told the passwords are invalid. Google cuts me off of YouTube Music or other apps.