I'm looking for studies on the security effect of frequent password changes, looking at the security benefits / problems from having a mandatory password change every one or two months or similar.
Does anyone know of any?
...
I'm writing a self service password reset system in c#, .Net 3.5 - one of the things that I need to do is allow users to authenticate with an expired password and give them the ability to change it. Can you, using the System.DirectoryServices or System.DirectoryServices.AccountManagement namespaces, validate an expired password? Is ther...
I have a list of passwords that I need to examine and determine if they meet the default 3 of 4 rule for AD.
The rule is to contain 3 of the 4 following requirements:
lower case character (a-z)
upper case character (A-Z)
numeric (0-9)
special character ( !@#$%^&()+= )
I am still learning Regex. I know how to select only those that meet any...
All,
Sorry in advance - I'm a novice in most of the topics below (SQL, ASP). Anyway...
I've got a pretty simple web app that requires users to log in with a user name and password.
The front end creates a salted SHA1 hash of the password, and posts it (along with the user's name) to an ASP page.
That ASP page takes the data, calls a...
I think what I am about to ask is impossible, however, figured it was worth a shot here.
We have an application that makes use of SQL Server's PWDEncrypt and PWDCompare functions.
Part of the system creates duplicates of users (same logon and password). Due to a bug in the system, instead of copying the binary stored PWDEncrypt of a pas...
I don't claim to be an expert in security but it seems to me that adding a salt doesn't really make a huge difference.
For example, if the password of the user is john1970 and the salt is 123456, this means that the password is 123456john1970, while this makes things harder for an attacker (if using a dictionary attack, e.g. rainbow tab...
I know about passwd(1) and crypt(3). What I'm looking for is a C API to call which will set the user's password in the passwd/shadow files, without having to programmatically walk the files and overwrite the entry for the user in question. Application runs as root.
Does such an API exist?
EDIT: Guess I should specify, the password is...
I am possibly taking over an app that literally just encrypts user passwords by doing md5( password )
They have ~2000 users to date, so I'm wondering how I can migrate those passwords (or can I?) to a stronger encryption schema (e.g. involving a salt, user-specific hash, and their password, all encrypted with sha1, bcrypt, whatever)
Th...
We have to automatically import a large list of users with some data into a running system.
For an initial password I want to update the list (csv format at the moment) with a random alphanumeric key (8 digits).
When inserting it with a special routine (which needs a csv file), the password (in this case the alphanumeric key) is stored ...
Some time ago I joined a new project. It had been under development for quite a long time.
The thing that surprised me was that all users' passwords are stored in non-encrypted form.
I explained the huge security vulnerabilities of this to our management - it looks like they agree with that and want to make the project more secure. Team members agree ...
An article that I stumbled upon here in SO provided links to other articles which in turn provided links to even more articles etc.
And in the end I was left completely stumped - so what is the best way to store passwords in the DB? From what I can put together you should:
Use a long (at least 128 fully random bits) salt, which is sto...
How can I get the password for a user from Active Directory?
...
I'm using emacs tramp mode to remotely edit files over ssh. The problem is that every time I save the file I'm editing I have to enter my user password. I find that very annoying. How can I write my password only once / editing session?
...
I was doing a little research or googling for different methods of handling password hashing and salting and came across this interesting link:
http://phix.me/salt/
Now, essentially what this proposes is the creation of two user functions, one for hashing and one for checking the hash.
The salt is pseudo random but is in actual fact ...
This is a question about salting phrases that need to be hashed.
I was wondering if it is more secure to prefix the salt to a phrase or postfix it?
salt + phrase or
phrase + salt
My question comes from this comment on this post on MD5s. I am not sure I understand the reasoning behind the author's comment.
...
I am trying to understand how encrypted ("password protected") Office 2007 documents are bundled (specifically, Excel documents). I am experimenting with a known, password protected spreadsheet.
When I unzip the XLSX file, I encounter three entries:
[6]DataSpaces (Directory)
EncryptionInfo (File)
EncryptedPackage (File)
How is the ...
I'm writing an application that will create "difficult" passwords for the user. The user will only see the password once, and they'll copy it into a client that will remember it for them forever.
Works great on a full-fledged PC, where I can select the whole password while it's on display in the browser, then paste it into the client t...
I need to encrypt / decrypt passwords for a new application. The spec requires me to use AES; can anyone suggest a good reason to either
Do all my encryption in the database layer using CLR functions or
Doing it at the .Net app layer ?
a mixture of db and server
I am going to be validating passwords; the app is n-tiered using Telerik O...
I'm writing a suite of applications that all require login to a server. It's come together quite nicely, but I've run into a logistic snag. The nature of the applications requires that they be closed and launched again later with some frequency. It is very annoying to have to log in every time one of the applications needs to launch.
I'm ...
I'm working on a project in which remote clients need to log in to a webserver. I'm not looking for examples in any particular language; just a general idea of the security concerns involved.
The basic question is:
How should user credentials be passed to a webserver for verification?
I'm picturing your typical website login. One field...