passwords

Autocomplete user/password in Firefox

Hi, I've created a login submit form in HTML but for some reason user/password autocompletion does not work like I expect in Firefox. This is what happens in Firefox: I give username and password and click on the login button. Firefox prompts me if I would like to remember the password. I press 'remember' and login works. (I made sure...

How do I prevent passwords from being saved?

I've noticed on bank websites, etc, my user IDs aren't saved (they don't appear in a dropdown like other commonly entered stuff does) and there's no prompt for it to remember your password. How is this done? How do the sites notify the browser that they are in 'special' or else exceptions? Just curious. ...

What function to use to hash passwords in MySQL?

I have a user table in my MySQL database that has a password column. Currently, I use the MD5 algorithm to hash the users' password for storage in the database. Now I like to think that I am a security-conscious person. I noticed while reading the MySQL docs that they don't recommend MD5 or the SHA/SHA1 hashing methods, but don't offer ...

Why are banking passwords so weak?

Out of interest and because it infuriates me, I was wondering if somebody here might happen to work for a bank or otherwise know the answer to this. I've used a few online banking sites (UK and N.America) and they universally enforce a password pattern of /[\w\d]{6,8}/ Sometimes, maybe you get to use underscore, but never ever do you ge...

What is the maximum password length in Subversion?

If I am storing the Subversion user names and passwords for repository access in a text file in the conf folder, what is the maximum length of the passwords I can use? That is to say, how long can the secrets in the following file be? [users] harry = harryssecret sally = sallyssecret ...

What are your suggestions for storing AWS authentication data?

Scenario: a web application written in PHP utilizes an Amazon Web Service and must keep the Access Key ID and a Secret Access Key handy in order to function. Are there current recommendations and/or APIs out there for storing this data securely? My thought is to symmetrically encrypt it into a file based on a key created from local se...

Passing credentials between sites

I am running two different sites on two different servers with two different domains. One site is running Joomla, the other Moodle. I have configured the Moodle server to base its authentication on the users table on the Joomla site, so we have an authoritative source of user information. What I'd like to do is this: after someone signs...

Changing Mac OS X User Password Programmatically or via Script

I need to be able to change a user's password from a cron task or from an ssh session. Is there an easy way to do that with a bash script? If not, what's the easiest way to do it in Cocoa? ...

I18n and Passwords that aren't US-ASCII, Latin1, or Win1252

How do you handle passwords for services when the user enters something that is best represented in Unicode or some other non-Latin character encoding? Specifically, can you use a Cyrillic password as a password to Oracle? What do you do to verify a user's password against a Windows authentication mechanism if the password is provided a...

Multiple password forms + password completion

On a website I'm working on we have an onsite login and a private login; the problem I'm having is that Firefox doesn't seem to be able to differentiate between these login forms. Does anybody know how I can make clear that these are different logins? I already tried giving the form fields different names and ids, ex: onsite_login and log...

What are the best rules to follow for what characters to allow in a password?

Without thinking about it at all I just want to say I should allow every character. It gets hashed in any case, and I don't want to limit people who want to create strong passwords. However, thinking about it more, there are plenty of characters that I have no idea what effect they'd have on things. Foreign characters, ASCII symbols, ...

Django: How do I use the built-in password reset/change views with my own templates?

For example I can point the url '^/accounts/password/reset/$' to django.contrib.auth.views.password_reset with my template filename in the context but I think I need to send more context details. I need to know exactly what context to add for each of the password reset & change views. Thanks. ...

How do you compute password complexity?

See also What is the best way to check the strength of a password? Some applications (or websites) compute a password complexity when you type it. They typically display a red bar which turns orange, then green, then even greener as your password gets longer and contains more classes of characters (i.e. lowercase, uppercase, punctuation, di...

Cross-browser techniques for disabling password caching

Saving and auto-filling of username/password is a feature of most modern browsers. And the user can generally choose to disable this feature on a per domain basis. But is there a standard way for the site itself to prevent password caching? The emphasis here is cross-browser, so I would employ multiple parallel mechanisms if necessary. ...

A "forgot user password" standard class or script in PHP/MySQL environment?

Hi, I am hoping that there is a standard class/PHP script that we can use for the "forgot password" functionality. It seems almost every website has one, and I'd like to reduce the development time on it. It appears that a common approach is: 1) click on Forgot password 2) User receives via email a "reset password" link 3) Click on th...

How can I let users run a script with root permissions?

Given the dangers of SUID shell scripts, is there a more secure way of giving passwordless access to scripts (bash, PHP) with root permissions in Linux? (Ubuntu 8.10) ...

Secure hash and salt for PHP passwords

It is currently said that MD5 is partially unsafe. Taking this into consideration, I'd like to know which mechanism to use for password protection. Is “double hashing” a password less secure than just hashing it once? Suggests that hashing multiple times may be a good idea. How to implement password protection for individual files? Sug...

Best practices/algorithm/approach for implementing temporary transaction password for banking/financial website.

What are the best practices for implementing temporary transaction password feature for website? For e.g. in banking/finance scenarios like - While transferring funds from one account to another, a transaction password is required - While committing a trade, a transaction password is required - etc. The password should be temporary and ti...

How are web site passwords encrypted by browsers?

What are some platform-specific APIs that web browsers use to securely save passwords with reversible encryption on local systems? Since they must be able to reproduce the exact characters to pass up to a web site, the data can't be a one-way hash. My initial thought is there are system methods which utilize your current authenticatio...

Why do web applications insist on defining strict password rules?

You've all encountered the various websites that force you to have a password that is 6 characters long, must have 1 number, and must rhyme with 'annoying.' Obviously there are legacy reasons why sometimes this is necessary but other times it's all for security. I find that it's rather annoying because I have a standard set of passwords...