passwords

Encrypting Passwords

What is the fastest, yet secure way to encrypt passwords in (PHP preferred), and for whichever method you choose is it portable? In other words if I later migrate my website to a different server will my passwords continue to work? The method I am using now I was told is dependent on the exact versions of the libraries installed on the ser...

Best way to store a database password in a startup script / config file?

So our web server apps need to connect to the database, and some other apps have startup scripts that execute at boot time. What's the best way to store the name/password for these applications, in terms of security, e.g. perhaps we don't want sysadmins to know the database password; maintainability, e.g. making the configuration easy ...

Simple password encryption

What is a good, simple encryption scheme for protecting passwords in a database? I don't necessarily need anything that's hyper-secure nor do I need anything that's lightning fast, but those things would be nice. Primarily, I just want something that's easy to implement without being terribly slow or insecure. ...
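
The two questions above ("Encrypting Passwords" and "Simple password encryption") both ask for something portable and not terribly slow. The following is an added example, not code from either asker: it uses Python's standard library rather than PHP, and it shows the property the first asker is worried about, portability across servers. Each stored record carries its own algorithm name, iteration count and salt, so any machine with `hashlib` can verify it, and old records keep working after the cost parameter is raised. The iteration count follows OWASP's current recommendation for PBKDF2-HMAC-SHA256; the record separator and algorithm label are this example's own conventions. In PHP itself, `password_hash()` / `password_verify()` (PHP 5.5 and later) give the same self-describing behaviour.

```python
import base64
import hashlib
import hmac
import secrets

# Record layout (this example's own convention, not a standard):
#   algorithm$iterations$base64(salt)$base64(digest)
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP guidance for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Return a salted, self-describing hash record for *password*.

    A fresh random salt per password means two users with the same password
    get different records, and precomputed tables are useless.
    """
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Check *password* against a record produced by hash_password().

    All parameters are read from the record, so nothing depends on which
    libraries or defaults exist on the server doing the verification.
    """
    try:
        algorithm, iterations_str, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        iterations = int(iterations_str)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
    except (ValueError, TypeError):
        return False  # malformed record: treat as a non-match instead of raising
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time compare so timing does not reveal how many bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the stored record is weaker than the current policy.

    Call this after a successful login and re-hash with the user's
    just-verified password to migrate old records transparently.
    """
    try:
        algorithm, iterations_str, _salt, _digest = record.split("$")
    except ValueError:
        return True
    return algorithm != ALGORITHM or int(iterations_str) < iterations
```

Because the record is plain ASCII, it moves with a database dump to any other host; the only thing that must stay secret is nothing, which is the whole point of a salted slow hash over reversible "encryption".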

Disable browser 'Save Password' functionality

One of the joys of working for a government healthcare agency is having to deal with all of the paranoia around dealing with PHI (Protected Health Information). Don't get me wrong, I'm all for doing everything possible to protect people's personal information (health, financial, surfing habits, etc.), but sometimes people get a little to...

Two-way password encryption without ssl

I am using the twitter API to integrate twitter with my blog's commenting system. The problem with the twitter API and many other web APIs out there is that they require the user's username and password to do anything useful. I don't want to deal with the hassle and cost of installing an SSL certificate, but I also don't want passwords ...

How to store passwords in Winforms application?

I have some code like this in a winforms app I was writing to query a user's mailbox Storage Quota. DirectoryEntry mbstore = new DirectoryEntry( @"LDAP://" + strhome, m_serviceaccount, [m_pwd], AuthenticationTypes.Secure); No matter what approach I tried (like SecureString), I am easily able to see the pass...

How do I write Firefox add-on that automatically enters proxy passwords?

Suppose someone worked for a company that put up an HTTP proxy preventing internet access without password authentication (NTLM, I think). Also suppose that this password rotated on a daily basis, which added very little security, but mostly served to annoy the employees. How would one get started writing a Firefox add-on that automatica...

How do I avoid having the database password stored in plaintext in sourcecode?

In the web-application I'm developing I currently use a naive solution when connecting to the database: Connection c = DriverManager.getConnection("url", "username", "password"); This is pretty unsafe. If an attacker gains access to the source code he also gains access to the database itself. How can my web-application connect to the d...
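
Both "Best way to store a database password in a startup script / config file?" and the question above come down to the same move: take the literal out of the source tree and read it at startup from something the deployment controls. The block below is an added example in Python (the asker's code is Java); it is not from either thread. It reads the password from an environment variable first, which is what a container runtime or a systemd `EnvironmentFile=` would populate, and otherwise from a file that it refuses to use unless only the owning user can read it. The variable name, file name and error type are this example's own choices; `demo()` builds a constructed secret file in a temporary directory so the whole thing runs offline.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class CredentialError(Exception):
    """No usable credential source, or the secret file is too permissive."""


def load_db_password(env_var: str = "DB_PASSWORD", secret_file: Optional[str] = None) -> str:
    """Return the database password without it ever living in source control.

    Lookup order: environment variable, then a 0600 file owned by the service
    account. Rejecting group/other access catches the classic "chmod 644 so
    the service can read it" mistake that quietly exposes the secret.
    """
    value = os.environ.get(env_var)
    if value:
        return value
    if secret_file is None:
        raise CredentialError(f"{env_var} is unset and no secret file was configured")
    path = Path(secret_file)
    st = path.stat()  # raises FileNotFoundError if the file is missing
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialError(f"{path} is accessible by group/other; expected mode 0600")
    if st.st_uid != os.geteuid():
        raise CredentialError(f"{path} is not owned by the user running this process")
    return path.read_text(encoding="utf-8").strip()


def demo() -> dict:
    """Exercise the loader against a constructed secret file (example data only)."""
    results = {}
    env_var = "EXAMPLE_DB_PASSWORD"  # hypothetical variable name for this demo
    os.environ.pop(env_var, None)
    with tempfile.TemporaryDirectory() as tmp:
        secret = Path(tmp) / "db_password"
        secret.write_text("s3cret-from-file\n", encoding="utf-8")
        secret.chmod(0o600)
        results["restricted_file"] = load_db_password(env_var, str(secret))
        secret.chmod(0o644)  # now world-readable: must be refused
        try:
            load_db_password(env_var, str(secret))
            results["world_readable"] = "accepted"
        except CredentialError:
            results["world_readable"] = "rejected"
        os.environ[env_var] = "s3cret-from-env"
        results["env_wins"] = load_db_password(env_var, str(secret))
        os.environ.pop(env_var, None)
    return results


if __name__ == "__main__":
    print(demo())
```

This does not stop a root-level sysadmin from reading the file, which one of the questions raises; for that you need the database to authenticate the service some other way (OS-level or certificate authentication, or a secrets manager that issues short-lived credentials), but it does keep the password out of the repository and out of anything world-readable.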

Storing Windows passwords.

I'm writing (in C# with .NET 3.5) an administrative application which will poll multiple Windows systems for various bits of data. In many cases it will use WMI, but in some cases it may need to read remote registry or remotely execute some command or script on the polled system. This polling will happen at repeating intervals - usually ...

How does one decrypt a PDF with an owner password, but no user password?

Although the PDF specification is available from Adobe, it's not exactly the simplest document to read through. PDF allows documents to be encrypted so that either a user password and/or an owner password is required to do various things with the document (display, print, etc). A common use is to lock a PDF so that end users can read i...

Oracle lost sysdba password

We are working with an Oracle database in which the person that set it up is "long gone" and thus we do not know the sysdba password, but need it. We have root access to the box (it's on Linux). Is there any way to recover or change the sys passwords? ...

Generating Random Passwords

When a user on our site loses his password and heads off to the Lost Password page we need to give him a new temporary password. I don't really mind how random this is, or if it matches all the "needed" strong password rules, all I want to do is give them a password that they can change later. The application is a Web application writt...

Unique key generation

I'm looking for a way, specifically in PHP, that I will be guaranteed to always get a unique key. I have done the following: strtolower(substr(crypt(time()), 0, 7)); But I have found that once in a while I end up with a duplicate key (rarely, but often enough). I have also thought of doing: strtolower(substr(crypt(uniqid(rand(), true)...

Password generation, best practice

I need to generate some passwords. I want to avoid characters that can be confused for each other. Is there a definitive list of characters I should avoid? My current list is il10o8B3Evu![]{} Are there any other pairs of characters that are easy to confuse? For special characters I was going to limit myself to those under the number ke...

How to implement password protection for individual files?

I'm writing a little desktop app that should be able to encrypt a data file and protect it with a password (i.e. one must enter the correct password to decrypt). I want the encrypted data file to be self-contained and portable, so the authentication has to be embedded in the file (or so I assume). I have a strategy that appears workabl...
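
The asker above assumes "the authentication has to be embedded in the file". The added example below (Python, standard library only; not the asker's code) shows one shape that works: a header holding the salt, KDF cost and nonce, the ciphertext, and an HMAC tag computed over header and ciphertext. The tag is the only authentication in the file, so there is no separately stored password hash for an attacker to pull out, and a wrong password and a tampered file fail the same way. One deliberate caveat: Python's standard library ships no block cipher, so the encryption step here is an HMAC-SHA256 keystream in counter mode, used purely as a stand-in so the example runs; in a real tool replace `_keystream_xor` and the separate MAC with AES-GCM or ChaCha20-Poly1305 from a vetted library. The magic bytes, field sizes and iteration default are this example's own choices.

```python
import hashlib
import hmac
import secrets
import struct

MAGIC = b"PWF1"  # format tag chosen for this example
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
KDF_ITERATIONS = 200_000
HEADER_LEN = len(MAGIC) + 4 + SALT_LEN + NONCE_LEN


def _derive_keys(password: str, salt: bytes, iterations: int):
    # One slow KDF call, split into independent encryption and MAC keys.
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=64)
    return material[:32], material[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # STAND-IN cipher: HMAC-SHA256(key, nonce || counter) as a keystream.
    # It exists only so this example runs without third-party packages;
    # use a real AEAD in production.
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", offset // 32), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def encrypt_file_bytes(password: str, plaintext: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Produce a self-contained blob: header | ciphertext | tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(password, salt, iterations)
    header = MAGIC + struct.pack(">I", iterations) + salt + nonce
    body = _keystream_xor(enc_key, nonce, plaintext)
    # Encrypt-then-MAC over everything before the tag. Verifying this tag is
    # the password check; nothing else about the password is stored.
    tag = hmac.new(mac_key, header + body, "sha256").digest()
    return header + body + tag


def decrypt_file_bytes(password: str, blob: bytes) -> bytes:
    """Return the plaintext, or raise ValueError on wrong password/tampering."""
    if len(blob) < HEADER_LEN + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a recognised encrypted file")
    (iterations,) = struct.unpack(">I", blob[4:8])
    salt = blob[8:8 + SALT_LEN]
    nonce = blob[8 + SALT_LEN:HEADER_LEN]
    body, tag = blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(password, salt, iterations)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        # Wrong password and corruption are indistinguishable on purpose.
        raise ValueError("wrong password or corrupted file")
    return _keystream_xor(enc_key, nonce, body)
```

The KDF cost stored in the header is what slows offline guessing against a copied file; it is also what lets you raise the cost later without breaking files written with the old setting.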

Replacing plain text password for app

We are currently storing plain text passwords for a web app that we have. I keep advocating moving to a password hash but another developer said that this would be less secure -- more passwords could match the hash and a dictionary/hash attack would be faster. Is there any truth to this argument? ...

How does your company manage credentials?

This is a call for suggestions and even possible solutions. I haven't been at a company that really seemed to get credential management 'right'. I've seen excel/word documents and even post-it note 'solutions'. But my main question is what is the right way to do it? I have initially thought it would revolve around KeePass a bit, but h...

In a client-server application: How to send to the DB the user's application password?

I have a Java desktop application which connects directly with the DB (an Oracle). The application has multiple user accounts. What is the correct method to send the user's password (not DB password) over the network? I don't want to send it in plain text ...

What is the best way to check the strength of a password?

See also How do you compute password complexity? What is the best way of ensuring that a user supplied password is a strong password in a registration or change password form? EDIT: one idea I had (in python) def validate_password(passwd): conditions_met = 0 conditions_total = 3 if len(passwd) >= 6: if passwd.lowe...
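
The asker's sketch counts how many of three conditions a password meets. The block below is an added example, not the asker's code, that keeps the same `validate_password(passwd)` entry point but scores what actually matters: length, an upper-bound entropy estimate from the character classes present, a blocklist lookup, and a check for repeated or sequential runs that the entropy estimate alone would over-credit. The common-password set is a constructed shortlist for the example; a deployment would load a large breached-password list, and the length and bit thresholds are this example's policy choices.

```python
import math
import re

# Constructed shortlist for the example; load a real breached-password list in production.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password1", "iloveyou"}

# (name, matcher, alphabet size) for each character class.
CLASSES = [
    ("lower", re.compile(r"[a-z]"), 26),
    ("upper", re.compile(r"[A-Z]"), 26),
    ("digit", re.compile(r"[0-9]"), 10),
    ("symbol", re.compile(r"[^a-zA-Z0-9]"), 33),
]


def estimate_entropy_bits(passwd: str) -> float:
    """Upper bound: log2(size of the alphabet implied by the classes present) per character."""
    alphabet = sum(size for _, pattern, size in CLASSES if pattern.search(passwd))
    return len(passwd) * math.log2(alphabet) if alphabet else 0.0


def has_trivial_pattern(passwd: str) -> bool:
    """Catch runs of one character (aaaa) and ascending/descending sequences (abcd, 4321)."""
    if re.search(r"(.)\1{3,}", passwd):
        return True
    lowered = passwd.lower()
    for i in range(len(lowered) - 3):
        chunk = lowered[i:i + 4]
        deltas = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if deltas in ({1}, {-1}):
            return True
    return False


def validate_password(passwd: str, min_length: int = 12, min_bits: float = 60.0):
    """Return (ok, reasons). An empty reasons list means the password is accepted."""
    reasons = []
    if len(passwd) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    lowered = passwd.lower()
    # Also strip trailing digits/"!" so "Password1!" still hits the list entry "password".
    if lowered in COMMON_PASSWORDS or re.sub(r"[0-9!]+$", "", lowered) in COMMON_PASSWORDS:
        reasons.append("appears in common-password list")
    if has_trivial_pattern(passwd):
        reasons.append("contains a repeated or sequential run")
    bits = estimate_entropy_bits(passwd)
    if bits < min_bits:
        reasons.append(f"estimated strength {bits:.0f} bits is below {min_bits:.0f}")
    return (not reasons, reasons)
```

Note how `"aaaaaaaaaaaaaaaa"` scores about 75 bits on the class-based estimate yet is still rejected: the estimate assumes each character was chosen uniformly, which is exactly what the pattern check is there to contradict.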

How best to generate a random string in Ruby

I'm currently using the following to generate an 8 character pseudo random upper case string [A-Z] value = ""; 8.times{value << (65 + rand(25)).chr} but it looks junky, and since it isn't a single statement it can't be passed as an argument. To get a mixed case string [a-zA-Z] I further hack into it with value = ""; 8.times{value <<...
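
Three threads on this page ask for essentially one routine: a temporary password ("Generating Random Passwords"), a key that never repeats ("Unique key generation"), and a random string with a chosen alphabet ("How best to generate a random string in Ruby"), plus the confusable-character list from "Password generation, best practice". The added example below serves all four; it is written in Python rather than PHP or Ruby and is not code from any of the askers. It draws from `secrets`, a CSPRNG, instead of `rand()`/`time()`, which is the actual fix for the duplicate keys and for guessable reset passwords. Two details worth noticing from the Ruby snippet: `65 + rand(25)` can never produce `Z` (`rand(25)` yields 0 to 24), and `rand` is not a CSPRNG. The confusable set starts from the asker's own list `il10o8B3Evu![]{}` and adds `I`, `O` and `|` for symmetry; that extension is this example's choice.

```python
import math
import secrets
import string

# Asker's list, plus I, O and | (added here so each confusable pair is removed on both sides).
CONFUSABLE = set("il10o8B3Evu![]{}IO|")

UPPER = "".join(c for c in string.ascii_uppercase if c not in CONFUSABLE)          # [A-Z] minus confusables
MIXED = "".join(c for c in string.ascii_letters + string.digits if c not in CONFUSABLE)


def random_string(length: int, alphabet: str = MIXED) -> str:
    """CSPRNG-backed string over *alphabet*.

    secrets.choice picks uniformly, so no symbol is over-represented the way
    a modulo of a small RNG value would be, and no symbol is silently skipped.
    """
    if length <= 0 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def temporary_password(length: int = 12) -> str:
    """One-time reset password meant to be changed on first login.

    Uses the confusable-free alphabet so it survives being read over the phone
    or typed from a printout.
    """
    return random_string(length, MIXED)


def unique_key(nbytes: int = 16) -> str:
    """URL-safe token with 128 bits of randomness.

    Unlike a key derived from time(), two calls in the same second do not
    collide; at this size the birthday bound makes collisions a non-issue.
    """
    return secrets.token_urlsafe(nbytes)


def entropy_bits(length: int, alphabet: str = MIXED) -> float:
    """Bits of randomness in a uniformly chosen string of *length* over *alphabet*."""
    return length * math.log2(len(alphabet))
```

With the 49-symbol `MIXED` alphabet a 12-character temporary password carries about 67 bits, far beyond what a reset flow needs, while still avoiding the `1`/`l`/`I` and `0`/`O` confusion the fourth asker is trying to eliminate.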