What is the best way to handle user account management in a system without your employees who have access to the database also having access to the accounts?
Examples:
Storing username/password in the database. This is a bad idea because anyone that has access to the database can see the username and password, and hence use them.
Sto...
I'm writing a web application that I want to be able to use forms authentication pointing to a SQL database, or use integrated authentication in different installations of the web app. I'm authenticating users just fine with either provider but I have a question on how to architect my database.
Currently what I'm doing is using the cod...
This is a call for suggestions and even possible solutions. I haven't been at a company that really seemed to get credential management 'right'.
I've seen excel/word documents and even post-it note 'solutions'.
But my main question is what is the right way to do it?
I have initially thought it would revolve around KeePass a bit, but h...
My university doesn't support the POST cgi method (I know, it's crazy), and I was hoping to be able to have a system where a user can have a username and password and log in securely. Is this even possible?
If it's not, how would you do it with POST? Just out of curiosity.
Cheers!
...
I'm looking for a python library that will help me to create an authentication method for a desktop app I'm writing.
I have found several methods in web frameworks such as django or turbogears.
I just want a kind of username-password association stored into a local file.
I can write it by myself, but I'm really it already exists and will ...
We are changing our remote log-in security process at my workplace, and we are concerned that the new system does not use multi-factor authentication as the old one did. (We had been using RSA key-fobs, but they are being replaced due to cost.) The new system is an anti-phishing image system which has been misunderstood to be a two-facto...
I'm writing a web app that will be distributed and I want to allow the installer to choose between using Integrated Authentication, or FBA. Switching between those with web.config is obviously very easy. I'm trying to decide how best to architect the database and code to accept either a windows-sid or a UserID from the aspnetdb.
For e...
What is the easiest way to manage the authorized_keys file for openssh across a large number of hosts? If I need to add or revoke a new key to an account on 10 hosts say, I must login and add the public key manually, or through a clumsy shell script, which is time consuming.
Ideally there would be a central database linking keys to acc...
Hi,
I'm having trouble granting privileges to another user in PostgreSQL 8.3. While the GRANT command gives me no error, the privileges do not show up. Do I need to "flush" them?
sirprize=# CREATE DATABASE testdb;
CREATE DATABASE
sirprize=# GRANT ALL PRIVILEGES ON DATABASE testdb TO testuser;
GRANT
sirprize=# \c testdb
You are now conne...
I need to create a custom membership user and provider for an ASP.NET mvc app and I'm looking to use TDD. I have created a User class which inherits from the MembershipUser class, but when I try to test it I get an error that I can't figure out. How do I give it a valid provider name? Do I just need to add it to web.config? But I'm n...
I'm looking for an open source package written in java that implements a registration, authentication (like securityfilter) with captchas and email link verification and all that. I could write it, but why reinvent the wheel. I've looked all over the place and haven't found anything. Does such a thing exist?
...
How would you implement a system with the following objectives:
Manage authentication, authorization for hundreds of thousands of existing users currently tightly integrated with a 3rd party vendor's application (We want to bust these users out into something we manage and make our apps work against it, plus our 3rd party vendors work ...
So far I can only find a name:password authentication mechanism in the TypePad API. Has anyone seen/used an auth token mechanism for TypePad like Google's or Flickr's? I thought it might be TypeKey but I've pulled a dry hole on that front as well.
...
Say I have the following web.config:
<?xml version="1.0" encoding="utf-8"?>
<configuration>
<system.web>
<authentication mode="Windows"></authentication>
</system.web>
</configuration>
Using ASP.NET C#, how can I detect the Mode value of the Authentication tag?
...
I have a SQL Server 2000, C# & ASP.net web app. We want to control access to it by using Active Directory groups. I can get authentication to work if the group I put in is a 'Global' but not if the group is 'Universal'.
How can I make this work with 'Universal' groups as well?
Here's my authorization block:
<authorization>
<all...
I have a Google App Engine app - http://mylovelyapp.appspot.com/
It has a page - mylovelypage
For the moment, the page just does self.response.out.write('OK')
If I run the following Python at my computer:
import urllib2
f = urllib2.urlopen("http://mylovelyapp.appspot.com/mylovelypage")
s = f.read()
print s
f.close()
it prints "OK"
...
Here is the situation I'd like to create:
www.blah.com/priv - protected by Apache HTTP Basic Auth, realm "foo"
www.blah.com/application - protected by Tomcat/Servlet HTTP Basic Auth, realm "foo"
User accesses /priv, Apache requests login info, they provide it and are given access
Same user then requests /application. Since they have authen...
From Wired magazine:
...the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse -- the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.
We cannot ...
We all know that security questions suck, but still they're often used as the authentication of last resort to reset forgotten passwords. What are some secure and insecure ones you've used or seen?
Use community owned answers for voting. Up-vote secure questions. Down-vote insecure questions. Explain in comments.
...
I'm about to put a beta version of the site I'm working on up on the web. It needs to have a beta code to restrict access. The site is written in django.
I don't want to change the fundamental Auth system to accommodate a beta code, and I don't care particularly that the security of the beta code is iron-clad, just that it's a significa...