When supporting a new web app in an enterprise environment, it is often necessary to log in as a specific user in order to diagnose a real or perceived problem they are having. Two opposing issues apply here: Best practice is to use hashed or encrypted passwords, not clear text. Sometimes, there is a third-party SSO (single sign-on) in...
What is the best way to store a user name and password for a Windows Service? The service has to be able to access an MS SQL Server database on a remote machine. We have to support MS SQL Server authentication (mixed mode) instead of NT Authentication. ...
Hello all. We have a current application where user login credentials are stored in a SQL Server DB. These are, basically, stored as a plain text username, a password hash, and an associated salt for this hash. These were all created by built in functions in ASP.NET's membership/role system. Here's a row for a user named 'joe' and a ...
We have a site with personal user information. I need to know best-practices for password management. These are average users - should I impose 'hard' passwords? Is there any disadvantage to using the user's email address as a userid? How should I handle forgotten password requests? Obviously, I can't email them to the user. How should...
I use C#, IIS, ASP.NET, SQL Server. Is there a third-party platform I can easily integrate into my system, to handle password management? It would have to integrate 100% (no OpenID), so that the users would not notice. ...
Is there a way to pass a password to ssh automatically. I would like to automatically ssh to a server without using public key authentication or expect scripts, by somehow getting ssh to read the password from stdin or a file. The reason it has to be that way is that I would like to backup my files to a server using rsync/ssh running as...
bCrypt's javadoc has this code for how to encrypt a password: String pw_hash = BCrypt.hashpw(plain_password, BCrypt.gensalt()); To check whether a plaintext password matches one that has been hashed previously, use the checkpw method: if (BCrypt.checkpw(candidate_password, stored_hash)) System.out.println("It matches"); else ...
I need to get authentication credentials from the users within a Windows script but the classic "first Google result" approach: SET /P USR=Username: SET /P PWD=Password: is less than satisfying, so I was wondering if there's let's say an "equivalent" to HTML's input type="password"? Any comment would be really appreciated, thanks mu...
What is the best way to password protect folder using php without a database or user name but using. Basically I have a page that will list contacts for organization and need to password protect that folder without having account for every user . Just one password that gets changes every so often and distributed to the group. I understa...
I've inherited a web app that I've just discovered stores over 300,000 usernames/passwords in plain text in a SQL Server database. I realize that this is a Very Bad Thing™. Knowing that I'll have to update the login and password update processes to encrypt/decrypt, and with the smallest impact on the rest of the system, what would you ...
When connecting to a network share for which the current user (in my case, a network enabled service user) has no rights, name and password have to be provided. I know how to do this with Win32 functions (the WNet* family from mpr.dll), but would like to do it with .Net (2.0) functionality. What options are available? Maybe some more ...
Is there a way to prompt the user for input during a NAnt build? I want to execute a command that takes a password, but I don't want to put the password into the build script. ...
I have spent several hours trying to find a means of writing a cross platform password prompt in php that hides the password that is input by the user. While this is easily accomplished in Unix environments through the use of stty -echo, I have tried various means of passthru() and system() calls to make windows do the same thing to no ...
For those who are not aware, Lotus Notes is a cool system, which has very powerful database replication abilities, and very strong certificate management and signing. However that strong certificate usage is itself one of Notes's downfalls. When you log in to Lotus Notes via a Notes client, the password you use is not stored anywhere...
I'm installing SVN with Apache 2.2 on windows 2003 everything seems good but when I try to login no username/password works Here is some info I load this module in httpd.conf LoadModule auth_basic_module modules/mod_auth_basic.so and in svnserv.conf i have [general] anon-access=read auth-access=write password-db=passwd authz-db=authz ...
Hi there, I've created a login submit form in HTML but for some reason autocompletion does not work in firefox. This is what happens in Firefox: - I give username and password and click on the login button - Firefox prompts me if I would like to remember the password. I press 'remember' and login works. - I log out and return to the lo...
In an ongoing effort to improve my code I am looking for the best way to create and compare a salted password in .NET. Is there a better, or more secure, way of doing this? My current code is as follows: public static string CreateSaltedPassword(string salt, string password) { SHA1CryptoServiceProvider SHA1 = null; ...
In the small application that I'm currently developing for a customer I need to ask the user for his windows login username, password and domain and then use those with System.Diagnostics.Process.Start to start an application. I have a textbox with UseSystemPasswordChar to mask the entered password. I need a System.Security.SecureStri...
I am developing on a LAMP(erl) stack and know of several ways to store obscured passwords. I'd like to hear from those who feel they have a best practice, given MySQL 4.1.1 and Perl 5.8, and the reasons why it's the best. One option I have read about, using the MySQL ENCODE() and DECODE() functions, sounds pretty good to me... your tho...
The current top-voted to this question states: Another one that's not so much a security issue, although it is security-related, is complete and abject failure to grok the difference between hashing a password and encrypting it. Most commonly found in code where the programmer is trying to provide unsafe "Remind me of my password" fu...