Cowrie (Honeypot) to not store passwords for certain username entries [closed]

I have a honeypot set up on port 22 (using "cowrie"). I need certain usernames to be logged without passwords. So if someone logs in with the username "jack" and the password "passw0rd", it will not log the password, while if someone were to log in with "harvey" and the password "password", it will log harvey's username and password.

Server (please complete the following information):

  • OS: NAME="CentOS Linux" VERSION="7 (Core)" ID="centos" ID_LIKE="rhel fedora" VERSION_ID="7" PRETTY_NAME="CentOS Linux 7 (Core)"

  • Python: Python 2.7.5
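One way to get this behaviour without patching Cowrie is to filter its JSON log after the fact. The following is an added example, not part of Cowrie: it assumes the cowrie.json format where cowrie.login.success / cowrie.login.failed events carry "username" and "password" fields, and the REDACT_USERS set and sample lines are constructed.

```python
"""Redact the password from Cowrie login events for selected usernames.
Added example, not part of Cowrie. Assumes Cowrie's JSON log (cowrie.json)
where cowrie.login.success / cowrie.login.failed events carry "username" and
"password"; REDACT_USERS and the sample lines are constructed. Python 2.7/3."""
import json

REDACT_USERS = {"jack"}  # usernames whose passwords must not be stored
LOGIN_EVENTS = {"cowrie.login.success", "cowrie.login.failed"}
MASK = "<redacted>"

def redact_event(line):
    """Return the line with the password masked for protected usernames.
    Non-JSON lines, non-login events and other users' events ("harvey")
    are returned unchanged, credentials included."""
    try:
        event = json.loads(line)
    except ValueError:
        return line
    if event.get("eventid") not in LOGIN_EVENTS:
        return line
    if event.get("username") not in REDACT_USERS:
        return line
    password = event.get("password", "")
    # Cowrie's free-text "message" repeats the credentials, so scrub it
    # before replacing the structured field.
    if password and "message" in event:
        event["message"] = event["message"].replace(password, MASK)
    event["password"] = MASK
    return json.dumps(event, sort_keys=True)

def redact_log(lines):
    """Filter an iterable of raw log lines, e.g. read from cowrie.json."""
    return [redact_event(line) for line in lines]

# Constructed sample events in Cowrie's JSON log layout.
SAMPLE = [
    '{"eventid": "cowrie.login.failed", "username": "jack", '
    '"password": "passw0rd", "message": "login attempt [jack/passw0rd] failed", '
    '"src_ip": "203.0.113.5"}',
    '{"eventid": "cowrie.login.success", "username": "harvey", '
    '"password": "password", "src_ip": "203.0.113.5"}',
    '{"eventid": "cowrie.session.connect", "src_ip": "203.0.113.5"}',
]

if __name__ == "__main__":
    for out in redact_log(SAMPLE):
        print(out)
```

Run it over the live file (for example as a pipe into the log shipper) so that only the filtered copy is retained.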

Where to Store Username During Password Reset?

I am new to web dev and trying to implement a password reset feature according to the OWASP cheatsheets: https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

The cheat sheet advises not to send the username as a parameter when the form is submitted and sent to the server. Instead one should store it in the server side session. However, I am not sure how I should do that, since for me to be able to store the username in such a way the user needs to enter his/her username and send it to the server at some point, right? Why not send it together with the form where the user answers security questions? Or am I just understanding this the wrong way?

Thank you in advance! Best regards, Samuel
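The answer to the question is that the username is sent exactly once, in the first step, and every later step of the reset refers to it only through the server-side session. The following is an added example of that flow illustrating the cheat sheet's advice; it is not OWASP's code, and the in-memory USERS and SESSIONS stores, the security question and the stage names are constructed for illustration.

```python
"""Password-reset flow that keeps the username in a server-side session.
Added example illustrating the OWASP Forgot Password cheat sheet advice; it is
not OWASP's code. The in-memory USERS and SESSIONS stores, the security
question and the stage names are constructed for illustration."""
import hmac
import secrets

USERS = {"samuel": ("Name of your first pet?", "rex")}  # username -> (question, answer)
SESSIONS = {}  # opaque session id -> per-session data, server side only
GENERIC_QUESTION = "Name of your first pet?"  # also shown for unknown usernames

def begin_reset(username):
    """Step 1: the username is submitted once and bound to a new session id.
    The reply is identical whether or not the account exists (no enumeration)."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"username": username, "stage": "question"}
    return sid

def question_for(sid):
    """Step 2: the challenge is looked up from the session, not a parameter."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["stage"] != "question":
        return None
    record = USERS.get(sess["username"])
    return record[0] if record else GENERIC_QUESTION

def answer_question(sid, answer):
    """Step 3: the form posts only the answer; the username is never resent,
    so a tampered request cannot redirect the reset to another account."""
    sess = SESSIONS.get(sid)
    if sess is None or sess["stage"] != "question":
        return False
    record = USERS.get(sess["username"])
    ok = record is not None and hmac.compare_digest(
        record[1].encode("utf-8"), answer.encode("utf-8"))
    if ok:
        sess["stage"] = "new_password"
    else:
        SESSIONS.pop(sid, None)  # one wrong answer ends the attempt
    return ok

def set_new_password(sid, new_password, credential_store):
    """Step 4: only a session that passed the challenge may change the
    password of the account bound in step 1; the client never names it."""
    sess = SESSIONS.pop(sid, None)
    if sess is None or sess["stage"] != "new_password":
        return False
    credential_store[sess["username"]] = new_password  # store a salted hash in practice
    return True
```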

Show username only if logged in in a else no directly name

Hi, I’m looking all over but I can’t find the solution. I have an infobox with: “Hi, welcome to our ‘some text’”

Now I’d like to add the possibility for logged-in users: “Hello Tony, welcome to our ‘some text’”

I tried following code snippet:

    <div id="infoBox">
        <button class="cross" type="button">X</button>
        <p> Hello </p>
        <?php global $current_user; wp_get_current_user(); ?>
        <?php
        if ( is_user_logged_in() ) {
            echo 'Username: ' . $current_user->user_login . "\n";
            echo 'User display name: ' . $current_user->display_name . "\n";
        } else {
            wp_loginout();
        }
        ?>
        <p>
            Lorem ipsum dolor sit amet, consetetur sadipscing elitr, sed diam nonumy eirmod tempor invidunt ut labore et dolore magna aliquyam erat, sed diam voluptua. At vero eos et accusam et justo duo dolores et ea rebum. Stet clita kasd gub
        </p>
    </div>

but there’s a fatal error in my XAMPP testing environment:

    Fatal error: Uncaught Error: Call to undefined function wp_get_current_user() in /opt/lampp/htdocs/wordpress/wp-content/plugins/stoerer/stoerer.php:31
    Stack trace:
    #0 /opt/lampp/htdocs/wordpress/wp-settings.php(377): include_once()
    #1 /opt/lampp/htdocs/wp-config.php(90): require_once(‘/opt/lampp/htdo…’)
    #2 /opt/lampp/htdocs/wordpress/wp-load.php(42): require_once(‘/opt/lampp/htdo…’)
    #3 /opt/lampp/htdocs/wordpress/wp-blog-header.php(13): require_once(‘/opt/lampp/htdo…’)
    #4 /opt/lampp/htdocs/wordpress/index.php(17): require(‘/opt/lampp/htdo…’)
    #5 {main}
      thrown in /opt/lampp/htdocs/wordpress/wp-content/plugins/stoerer/stoerer.php on line 31

There has been a critical error on your website.

function to lock buddypress username from edit and automatically generate it

I was wondering if someone could recommend a function for BuddyPress that would both automatically change a user’s BuddyPress username to the “First name” xprofile field + randomly_generated_characters, as well as prevent the user from being able to change their username. I’m hoping this is possible because, let’s just say, our students are getting ‘creative’ with their usernames 🙂

Any help would be wonderful!

Thanks for this and all of the support you guys give us!

Attempted logins from device authenticating with MAC address as username [closed]

On our Guest wifi network, a device on the “Static Host List” (SHL) attempts to enter its MAC address as the username and password in the T&C input fields. I am unable to physically hunt the device down because of current events.

The failed logins have been occurring on the same set of networks consistently, so the behavior is very likely automated and not a person.

What kind of devices exhibit this behavior?

API Key via Basic Auth: Send it as a username or as a password?

In APIs that authenticate with a single API key (e.g. a long random string) via Basic Auth, I have seen that most (e.g. Stripe, Unbounce) send the API key as the username, leaving the password field blank. The only service I have seen that sends the API key in the password field is Bing.

Is there any reason to choose to send the API key as the username field or the password field?

I know that both usernames and passwords are concatenated and encoded, so both are equivalent in the transmission. I am looking for reasons such as (for example):

  • Well known client X expects non-empty usernames, so the API key has to go in the username

  • Well known client Y logs usernames and not passwords, so the API key has to go in the password
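The second bullet is the concrete one: many HTTP servers and proxies write the Basic Auth user-id into their access log (Apache's %u, nginx's $remote_user) but never the password. The following added example, which is not code from any of the services named above, builds the header both ways and shows what such a username-only log would capture; the API key value and the log layout are constructed.

```python
"""Which Basic Auth field an API key lands in, and what a server or proxy that
logs only the remote user (Apache's %u, nginx's $remote_user) would record.
Added example, not code from any service named above; the API key value and
the access-log layout are constructed."""
import base64

API_KEY = "EXAMPLE_API_KEY_0123456789abcdef"  # placeholder, not a real key

def basic_auth_header(username, password):
    """Authorization value per RFC 7617: "Basic " + base64(user-id:password)."""
    creds = "%s:%s" % (username, password)
    return "Basic " + base64.b64encode(creds.encode("utf-8")).decode("ascii")

def remote_user(header_value):
    """What a typical access log keeps: only the user-id, i.e. everything
    before the first colon of the decoded credentials; "-" if there is none."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        return "-"
    decoded = base64.b64decode(token).decode("utf-8")
    user_id, _, _password = decoded.partition(":")
    return user_id or "-"

def access_log_line(header_value, path="/v1/charges"):
    """Combined-log-style line (constructed) with the remote-user field set."""
    return '203.0.113.5 - %s "GET %s HTTP/1.1" 200' % (remote_user(header_value), path)

def key_in_access_log(placement):
    """True if the key would be written to the access log for this placement."""
    if placement == "username":
        header = basic_auth_header(API_KEY, "")  # key as user-id, blank password
    else:
        header = basic_auth_header("", API_KEY)  # blank user-id, key as password
    return API_KEY in access_log_line(header)

if __name__ == "__main__":
    for placement in ("username", "password"):
        print(placement, "->", access_log_line(
            basic_auth_header(API_KEY, "") if placement == "username"
            else basic_auth_header("", API_KEY)))
```

The same reasoning applies to any intermediary (load balancer, WAF, APM agent) that records the authenticated user; whichever field the key goes in, the base64 token itself is not encryption and still needs TLS.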

Is having multiple correct passwords for a single username a security problem?

This question occurred to me when using online banking. My wife and I have a joint account. The username to login to internet banking is just our account number, so it is the same for both of us. Nevertheless the bank supplied us with 2 distinct passwords.

If the passwords were only given out by the bank and we would log into the same account, this would probably be fine.

But first, the bank actually forces us to each choose our own new password. In theory I could choose the same password as my wife, and then the system would tell me ‘you can’t use this password because it is already taken’ or something like that, so I would have guessed my wife’s password. Security-wise this seems very shady.

Secondly, although we access the same money in the bank account, we don’t have the exact same user account at the bank, as for some actions the identity of the user is needed (for example ‘please send a new credit card’: should it be for me or for my wife?). The situation where one username combined with one password accesses one user account, and the same username with another password accesses a different user account, looks to me like a severe breach of security.

Is this actually fine or is the bank using some very sloppy and potentially unsafe programming for their joint accounts?