passwords

Storing Password in Databases in plain text vs Customer Needs

I want to call "storing a password in plain text in a Database" a bad practice... but our customer did this in his Application. They want me to renew that Application. My point: I want to change this...but since it is not a need for our Customer it is still unclear. How do you handle such issues regarding security? From my point of view...

Getting a password in C without using getpass (3)?

I could use getpass() to get a password. However, the man page says: This function is obsolete. Do not use it. What is the current way to get a password from the user's terminal without echoing it, in a POSIX-compliant way? [Originally I said "portably", but my intention was to avoid using an obsolete function.] ...

Why are plain text passwords bad, and how do I convince my boss that his treasured websites are in jeopardy?

I've always been of the impression that storing passwords in a database as plain text is (as someone else here put it) a Very Bad Thing™. Historically, most of our server-side coding needs have been contracted out to a group of programmers. They store passwords in MySQL databases in plain text. As the resident code monkey (incidentall...

How would you add salt to your existing password hashes?

I have a database of hashed passwords that had no salt added before they were hashed. I want to add salt to new passwords. Obviously I can't re-hash the existing ones. How would you migrate to a new hashing system? ...

Storing passwords for batch jobs

I have a little Java prog that uses a webservice which needs authorization. So the Java prog (which is to be run using Windows Task Scheduler) needs to have a user/password argument. How can I store these somewhere without having them lying around in a file as plaintext? So far I've tried using runtime.getRuntime and CACLS to have a ...

.NET non-ASCII username passwords

Hi, in my web site (C# & SQL Server) I am trying to enable non-ASCII usernames and passwords (username and password columns are set to NvarChar). What would be the best approach to achieve this? ...

How to handle passwords for i.e. databases or ftp servers in an application

Possible Duplicate: Ways around putting a password in code If you create an application that for example connects to a database or an ftp server it needs a username and a password. How do you recommend storing this? First and easiest option is of course as plain text in the application, but then I guess it would be quite clear...

Are there any known standards or security flaws in password-protected ZIP files?

Just like the title says. I was hoping someone could direct me to documents/resources that show how to encrypt a zip file such that most (if not all) 3rd-party apps can open it. I'm more interested in the security aspect rather than how to do it - any knowledge is welcome. This is to casually protect files on my work computer (and net...

How do I generate a common hash from multiple passwords?

I've got an app that generates a hash off of a user password, which I then use to encrypt data with. I want to extend this to the case where any 2 out of 5 users need to authenticate the app before it has enough data to generate that hash. The problem I've got is I need to generate the exact same hash no matter which 2 of the 5 users au...

IIS7 - Password Protect Development Server

Hi, I have a development server running IIS 7.0 with an ASP.NET MVC Web Application, that authenticates using Forms Authentication/Membership. I need to be able to prevent unauthorized users from viewing this site. Our customers however should be able to enter a simple username/password to gain access. After they do so, they should ...

Why do so many sites disallow the use of non-alphanumeric characters in passwords?

When going through registration, a lot of sites will disallow the use of symbols in passwords. This drives me up the wall from a usability perspective since I include multiple symbols in all my passwords, and as a programmer that deals with web authentication from time to time, I can't figure out why it wouldn't be allowed. Am I missing ...

struts2 password confirm validation

I have two fields: 1) password, 2) confirm password. I want to perform validation that both fields are the same, and I want client-side validation. Please help ...

Comparing hashes when entering Excel password

Hi everyone, here's my problem: User inputs a password in the Options section of the program. The password is hashed (MD5) and stored in the registry. The program is run, an Excel spreadsheet is created, and password protected using the hashed value that is stored in the registry. The user opens the spreadsheet, and is prompted to ente...

JDBCRealm digest for MySQL PASSWORD() function

For an internal Tomcat/Java/Struts application, we're converting custom-written authentication code to use JDBCRealm. The database is MySQL 5.0, and the passwords are stored as PASSWORD()-encrypted strings. In our version of MySQL, the PASSWORD() function is a non-standard (proprietary?) 41-byte hash. (I know now that we shouldn't be ...

Password handling best practices?

We have a number of network services and web-apps authenticating users differently, some with different password requirements for very bad technical reasons. For example, one system refused $ signs until someone "fixed" the string handling in some Perl scripts. Another system appears to parse @ signs in passwords. Another system issues u...

Are algorithms for constantly changing passwords an inherently bad idea?

I've always wondered why websites don't offer a "variable password" option, in which a user's password is constantly changing based on the day of the week or time of the day. e.g. "my password is 'foo' followed by the current hour of the day, always expressed as two digits". I understand basic security 101, the need for trapdoor functi...

Hashing passwords for on-disk storage (More details inside)

I need to store hashes of passwords on disk. I am not entirely sure which hash function to use (they all seem somewhat troubled at the moment), but I am leaning towards SHA-256. My plan is to take the user's password and combine it with their user ID, a random user-specific salt, and a universal site-wide salt. Should I concatenate thes...

Excel VBA - Password prompt after Form Show and Import Data

I have this macro that is password protected and shows a form. Recently I added code to import data from Excel, and every time I close it asks me for a password. I can cancel through it, but I'd like to make it go away; I see no plausible reason why it would come. I've separated out the few lines that cause this problem Sub a() U...

Can I use an already MD5 encoded password in Digest Authentication

I have MD5 hashes of passwords in a database that I want to use against HTTP AUTH DIGEST. But in reading the docs, it looks like the digest hash contains a hash of the username, realm and plaintext password. Is there any way to use the MD5 hash of the password in this situation? ...

Excel password removal

We receive Excel workbook files every day which are password protected with the same password. We know this password. Is there a utility or method to remove password protection on these workbook files without invoking Excel.exe or the Excel object. Our goal is to take Excel out of the process and utilize SpreadsheetGear in VB.net. Ho...