When knowing an individual’s plaintext password history, how much information is expected to be gained with a new password? Do we know this?

The premise: Knowing a persons password history should provide information to help when guessing a new password of theirs.

At an extreme end, with a password history of wildcats, wildcats1, then wildcats2, I’d guess there is less than 1 bit of entropy in their next answer.

At the other extreme end, someone with randomly generated passwords would lose no information in their history. From an information-theoretic point of view, I imagine this is something we can estimate using the large amounts of password history data available in the world.

Somewhere in the middle, a history of “wildcats!Reddit”, “crazydogs!Facebook”, “locobirds!Stackexchange” would give me some good ideas for a Twitter password, and would greatly reduce the entropy of their hash. Of course, this would be related to the concept of password strength.

I’m not so well-read on security, but I assume my idea is not unique. Is there a name for this concept? Do we know any real-world values for the amount of information gained / entropy lost?

How do I get a plaintext list of tags from a multi value entity reference field in Drupal 8?

I have a module that’s making custom RSS feeds for me.

In a content type, I have my tags stored in “field_tags” entity reference field.

My goal is to get the names of all the tags, and ultimately put them into an array, so they can go into a markupless RSS field.

When I’m pulling the data, I get it with this:

foreach ($  this->dbh->selectVideos(self::RPP) as $  nid) {   $  node = $  this->entityMgr->getStorage('node')->load($  nid);    if (!empty($  node)) {     $  data->nodes[] = [       'title'    => $  this->filterTxt($  node->title->value),       'body'     => $  this->filterTxt($  node->get('field_paragraph')->value),       'body2'     => $  this->filterTxt($  node->get('field_paragraph')->value),       'created'  => date('D, d M Y H:i:s', $  node->created->value) . ' GMT',       'guid'     => $  node->id(),       'img'      => $  this->getImgUrl($  node, self::IMG_FIELD),       'keywords' => $  this->filterTxt($  node->get('field_tags')->value),       'video'    => $  node->get('field_vid_url')->getString(),     ];   } } return $  this->render($  data, 'nameoffeed'); 


The problem is that ‘field_tags’ is an entity reference field, so it’s turning up blank.

I had partial success with this:

    if ($  node->hasField('field_tags')){       $  entity_ref = $  node->get('field_tags');       if ($  entity_ref->count() > 0){         $  tagoutput = entity_view($  entity_ref->entity, 'default');       } 

Then setting ‘keywords’ to equal $ tagoutput. This grabs the first tag, which isn’t great as I need them all, and then along with it comes a whole html layout enclosure that won’t work for an RSS feed.

I’m confused what the correct way is to get a proper list of tag names. In D6 I had this list as plain text, which wasn’t great because you wouldn’t be able to click on one in the page view and be taken to a list of all pages with that tag, but at least the tags worked on the feeds easily.

Any thoughts?

Website returning plaintext password

I have recently logged into a website. When I clicked on the “Update Profile” page, you are displayed with a list of text boxes for all the user fields, e.g. name, email, phone number etc.

There is also a box for password and confirm password (for if you wish to update these values), however, when you go into this page, those boxes are already populated, which made me think, why are they putting placeholders in?

When going into inspect element, they actually have the values of your password, transformed into upper case like this:

<input type="password" name="txtPassword2" size="45" value="MYPASSAPPEARSHERE"> 

I have also recently noticed that the case of your password or username is irrelevant when logging in – e.g. I can put it in all caps, all lower, or a mixture of both and it will still accept the password.

Is this a security hole and does this indicate they are storing passwords as plain text ?

Is this a secure way to protect passwords when they must be in plaintext?

I am building a web app which will use my school’s online grade reporting system. Students will sign in to my app using their credentials for the grade website. However, it does not provide an API, which means that my web app will have to store each user’s password to get access to their grade data or force each user to log in every time my app needs access. The web app will need to be able to verify the data from the grade reporting website, so the server will need to log in, which means that the plaintext password will at some point have to be on the server.

My solution is to have each user’s login details be stored locally in plaintext, then have the client send the credentials to the server whenever the server needs access to the grade system. The server would use the credentials to log in, then delete them. Everything uses HTTPS.

I believe that this system is secure because the plaintext passwords are on the server for only a short time and an attacker would not be able to access data stored on the client (assuming my web app is not vulnerable to XSS).

I’m planning to create the server in NodeJS and run it on a VPS.

Is this system secure? If not, what possible attacks exist and how could I prevent them?

Why is validating the integrity of the plaintext necessary in addition to validating the integrity of the cipher text?

Reading the iOS Security Guide’s description of the iMessage encryption protocol I’m trying to figure out why they included a mechanism for verifying the integrity of the plaintext as well as verifying the integrity of the final cipher text (emphasis added).

For each receiving device, the sending device generates a random 88-bit value and uses it as an HMAC-SHA256 key to construct a 40-bit value derived from the sender and receiver public key and the plaintext. The concatenation of the 88-bit and 40-bit values makes a 128-bit key, which encrypts the message with it using AES in CTR mode. The 40-bit value is used by the receiver side to verify the integrity of the decrypted plaintext. This per-message AES key is encrypted using RSA-OAEP to the public key of the receiving device. The combination of the encrypted message text and the encrypted message key is then hashed with SHA-1, and the hash is signed with ECDSA using the sending device’s private signing key.

What does this additional signature component add to the authenticity of the message?

Mostrar resultado automático en PlainText Android Studio

Saludos compañeros de StackOverFlow, la consulta es tengo 3 variables a saber: txtvalor1 y txtvalor2 son EditText los cuales ingreso los datos de numéricos cualquiera y eresult que es una variable de tipo plainText que tiene OBJETIVO OBTENER EL CALCULO NUMÉRICO DE LOS DOS EDITTEXT, ¿se puede lograr esto sin utilizar algún botón?

Is HostGator storing my password in plaintext?

I want to bring this up to HostGator, but want to verify my suspicions before making a big fuss.

I asked a customer care representative to help me add an SSL certificate to a site I host with them. When he was done, I received this e-mail with all my login information, and my entire password in plain text (I left the first letter visible as evidence). I set up this password over a year ago, and it was a big surprise to find out they sent it back to me, unprompted, in plaintext:

enter image description here

I immediately brought this up to the representative, who repeatedly tried to convince me that it was OK. I decided to drop it after a few minutes, because I think I should bring it up to someone higher up. Before I do so, is it safe to assume that my password is stored in their database as plain text? If so, do you have any suggestions on how to address this issue with the provider?

enter image description here

Como puedo cambiar el color de un texto(TextView) escribiendo el nombre del color en un PlainText?

public class MainActivity extends AppCompatActivity { private EditText col; private TextView tc;

@Override protected void onCreate(Bundle savedInstanceState) {     super.onCreate(savedInstanceState);     setContentView(R.layout.activity_main);     col = (EditText) findViewById(R.id.col);     tc = (TextView) findViewById(R.id.tc); 

What is better way of transmitting password input? Plaintext or its hash value?

Let’s just say there is a client and a server. The end-user inputs his/her password in the client interface. Then the data will be sent to the server for validation.

In terms of security, would it be best to:

  • Transmit the plaintext password to the server? or
  • Transmit the hash value of the plaintext to the server?