passwords

Should I impose a maximum length on passwords?

I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering... Wouldn't this just make it easier for brute force attacks? (Bad) Does this imply that my password is being stored...

How do you generate passwords?

Random characters? Passphrases? High ASCII? cat /dev/urandom | strings ...

Protect embedded password

I have a properties file in Java, in which I store all information of my app, like logo image filename, database name, database user and database password. I can store the password encrypted in the properties file. But the key or passphrase can be read out of the jar using a decompiler. Is there a way to store the db pass in a properties ...

What's a good alternative to security questions?

From Wired magazine: ...the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse -- the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search. We cannot ...

What are some good security questions?

We all know that security questions suck, but still they're often used as the authentication of last resort to reset forgotten passwords. What are some secure and insecure ones you've used or seen? Use community-owned answers for voting. Up-vote secure questions. Down-vote insecure questions. Explain in comments. ...

How do I remove the passphrase for the SSH key without having to create a new key?

I set a passphrase when creating a new SSH key on my laptop. But, as I realise now, this is quite a PITA when you are trying to commit (git, svn) to a remote location over SSH many times in an hour. One way I can think of is to delete my SSH keys and create new ones. Is there a way to remove the passphrase, while still keeping the same keys? A...

What algorithm should I use to hash passwords into my database?

Is there anything available that isn't trivially breakable? ...

Where do I find a dictionary for password validation?

I am working on a password validation algorithm that needs to check potential passwords against the dictionary. If the password or any part of it can be found in the dictionary, reject it. The function is easy enough, but where do I get the word list? Is there a web service already out there for looking up words? I have poked around ...

Password encryption in Delphi

I need to store database passwords in a config file. For obvious reasons, I want to encrypt them (preferably with AES). Does anyone know a Delphi implementation that is easy to introduce into an existing project with > 10,000 lines of historically grown (URGH!) source code? Clarification: Easy means adding the unit to the project, addin...

Password composition algorithm

I'm sick of remembering all the passwords for different logins. Lately I found the interesting tool password composer, which lets you generate passwords based on the hostname and a secret master password. But I don't want to use a website or install software to generate my passwords. So I'm looking for a simple one-way hashing algorit...

App to Change Ldap Password for a JIRA/SVN server

I'm setting up a server to offer JIRA and SVN. I figure I'll use LDAP to keep the identity management simple. So, before I write one.... is there a good app out there to let users change their LDAP password? I want something that lets a user authenticate with LDAP and update their password. A form with username, old password, new...

What's the difference between SHA and MD5 (in PHP)?

When you're hashing a password (or anything else) in PHP, does it make any difference if you use SHA or MD5? ...

How can I audit passwords in powershell?

I'd like to enumerate domain accounts and try authenticating as each with a limited set of passwords. The issue is that I can't find any way to attempt to validate credentials without "doing" something (e.g. querying WMI with impersonation), which isn't useful as the account may or may not have the ability to connect via WMI in the firs...

Unix shell events?

Is there any way that I can echo a password when asked for it in a Unix shell without using external binaries? Something like a simple function triggered when the password prompt is displayed ...

How do you enforce strong passwords?

There are many techniques to enforce strong passwords on a website: requesting that passwords pass a regex of varying complexity; setting the password autonomously, so that casual users have a strong password; letting passwords expire; etc. On the other hand there are drawbacks, because all of them make life less easy for the user, meani...

How to decrypt a password from SQL server?

I have this query in SQL Server 2000: select pwdencrypt('AAAA') which outputs an encrypted string of 'AAAA': 0x0100CF465B7B12625EF019E157120D58DD46569AC7BF4118455D12625EF019E157120D58DD46569AC7BF4118455D How can I convert (decrypt) the output back to its original value (which is 'AAAA')? ...

How does your company do "Enterprise" Password Management?

We've talked about personal password management here but how do you guys manage your passwords at a company wide level? ...

Command Line Password Prompt in PHP

I'm writing a command line tool to help my web app. It needs a password to connect to the service. I'd like the script to show a password prompt so I don't have to pass it as a command line argument. That's easy enough, but I'd like it to not echo the password to the screen as it's typed. How can I do this with PHP? Bonus points for ...

Prevent programmers from knowing passwords used at runtime

My application connects to an FTP server with a username and password. I can create an encryption routine to encrypt and decrypt the password, but anybody with access to the source code and the encrypted password can decrypt the password. Is there an easy way to prevent every human being from knowing the entire password used by an appl...

Pronounceable passwords?

Modules or software solutions for generating English pronounceable passwords? Are there similar modules for other languages? ...