Is having multiple correct passwords for a single username a security problem?

This question occurred to me when using online banking. My wife and I have a joint account. The username to login to internet banking is just our account number, so it is the same for both of us. Nevertheless the bank supplied us with 2 distinct passwords.

If the passwords were only given out by the bank and we would log into the same account, this would probably be fine.

But first the bank actually forces us to each choose our own new password. In theory I could choose the same password as my wife and then the system would tell me ‘you can’t use this password because it is already taken’ or something like that, so I would have guessed my wife’s password. Seems security-wise very shady.

Secondly, although we access the same money in the bank account, we don’t have the exact same user account in the bank, as for some actions the identity of the user is needed (for example ‘please send a new credit card’, should it be for me or for my wife?). The situation where one username combined with one password accesses one user account, and the same username with another password accesses a different user account, looks to me like a severe breach of security.

Is this actually fine or is the bank using some very sloppy and potentially unsafe programming for their joint accounts?

Changing VPS username ‘Root’ to a sudo

I have recently had issues with my VPS host and them constantly asking for my password through an insecure portal and then sending it via insecure email. I then asked them about changing the root username to a sudo via SSH and they have actively discouraged me. I am questioning their security and considering re-hosting. So I have a few questions.

  1. Is changing to a sudo a good idea?
  2. Any recommended hosts that actually take security seriously?
  3. Same who will move everything for me? Any ideas on who will help? Just so all the DNS stacks up and the SSL certificate works from off the bat.

Thanks everyone.. Andy

How to crack MD4 hashes when username is known

I have come across a hash and hash-identifier identifies it to be of type I came across this answer which is a very good reference point, however, I wanted to know three things:

  1. Online tools to crack this hash given the password. I did come across hashcat and John the Ripper. I tried the latter without giving the username (no results). Hashcat did not have the appropriate documentation for the same.
  2. Wordlist to be used to brute-force the password
  3. Is scripting the only way to crack the password? Which library should be used? python3 does not have an md4 function.

Link for username in People and Groups leads to 404 error

On any site in our on-prem installation (SP 2016), if I go into “People and Groups” and click on the link for any given user, I get dropped into a 404 error page.

The username URLs follow this pattern:

http://{sitename}/{subsite path}/_layouts/listform.aspx?PageType=4&ListId={some GUID} 

I am one of the members of the Central Admin group and can make adjustments in CA. But, I don’t want to just go clicking wildly. Any guidance on where username hyperlinks are supposed to go and how to repair broken links?


Can the username be used in HMAC during client-side hashing?

I am very new to authentication and cybersecurity in general, so I apologize if I have anything completely wrong.

My goal is to have the client side hash passwords before sending them to server side in order to protect users using the same password on multiple sites. For the sake of this question, assume server-side is secure (in my case, the hashed passwords from client-side are hashed again with Argon2 and then stored in the database). I understand that this provides no security benefit for users on my app and that other things such as SSL are much more important for keeping passwords secure in transit, but I’d still like to do this just in case.

I was planning on using SHA256 but heard that rainbow tables are a major security threat. Would using the username as the key in an HMAC hash mitigate that? Moreover, are there any better ways of protecting users who reuse passwords on multiple sites? Keep in mind that I can’t use a salt because the resulting hash has to be consistent between logins when given the same username/password combo, and I can’t use a secret key because it’s client-side.
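
An added example, not part of the original question: it compares an unkeyed SHA-256 with HMAC-SHA256 keyed by the username when both are checked against a precomputed lookup table. The sample users, the password list and the lower-casing of the username are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed sample data: two users who picked the same common password.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
USERS = {"alice": "letmein", "bob": "letmein"}


def plain_sha256(password: str) -> str:
    """Unkeyed client-side hash: identical for every user with this password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hmac_username(username: str, password: str) -> str:
    """HMAC-SHA256 keyed with the username, as proposed in the question.
    Lower-casing the username is an assumption so logins stay consistent."""
    key = username.strip().lower().encode("utf-8")
    return hmac.new(key, password.encode("utf-8"), hashlib.sha256).hexdigest()


def build_table(hash_fn) -> dict:
    """Precompute hash -> password once, the way a generic lookup table is built."""
    return {hash_fn(p): p for p in COMMON_PASSWORDS}


def recovered(table: dict, submitted: dict) -> dict:
    """Return the users whose submitted value appears in the precomputed table."""
    return {u: table[h] for u, h in submitted.items() if h in table}


def demo() -> dict:
    generic = build_table(plain_sha256)
    sha_values = {u: plain_sha256(p) for u, p in USERS.items()}
    mac_values = {u: hmac_username(u, p) for u, p in USERS.items()}
    # A table built for one username only matches that username.
    alice_table = build_table(lambda p: hmac_username("alice", p))
    return {
        "sha_hits": recovered(generic, sha_values),
        "mac_hits_generic": recovered(generic, mac_values),
        "mac_hits_alice_table": recovered(alice_table, mac_values),
        "stable": hmac_username("Alice", "letmein") == mac_values["alice"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The per-username table still recovers the constructed password for alice, so keying with the username only removes the benefit of a table computed once for all users; a fast hash remains guessable one account at a time.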