Wondering whether it matters if a salt is unique for a single given user each time the password is changed, or whether it's not a big deal to reuse the same salt each time.
I currently generate a new random string as the salt each time a given user updates the password. This way each time the user has a new password there is also a salt...
I have created a little password generation script. I'm curious as to what improvements can be made for it except input error handling, usage information etc. It's the core functionality I'm interested in seeing improvements upon.
This is what it does (and what I like it to do):
Keep it easy to change which Lowercase characters (L), Uppe...
UPDATE: I solved the problem myself and the answer is below. Carry on...
I have a form for updating your account using PHP and MySQL. On submit, it assigns all of the $_POST variables to the new user() object, and then does an update() method on the user object which runs an UPDATE query in SQL.
The form obviously defaults to all of th...
Hi!
I am using the acegi groovy plugin for user registration and authentication.
The User domain class which comes with the plug-in has the following definition (and comments).
class User {
static transients = ['pass']
static hasMany = [authorities: Role]
static belongsTo = Role
/** Username */
String username
/** User Real Name*/
Stri...
I've decided to implement a user login using a per-user salt, stored in the database. The salt is prefixed to a password which is hashed with SHA and stored in the database.
In the past when I wasn't using a salt I would use the typical method of counting the number of rows returned by a query using the user inputted username and passwo...
I've read several stackoverflow posts about this topic, particularly this one:
http://stackoverflow.com/questions/401656/secure-hash-and-salt-for-php-passwords
but I still have a few questions, I need some clarification, please let me know if the following statements are true and explain your comments:
If someone has access to your d...
Hi there,
I have come across a problem with binding to a passwordbox. It seems it's a security risk but I am using the MVVM pattern so I wish to bypass this. I found some interesting code here (has anyone used this? or something similar?)
http://www.wpftutorial.net/PasswordBox.html
It technically looks great, but I am unsure how to ret...
Passwords have lots of downsides but they remain the only technically straightforward way of giving some authentication to users.
Let's talk hypothetically about an education-type system. Lots of people with passwords, lots of people forgetting their password regularly, lots of CS students and others trying to brute others' passwords act...
I'm implementing a password + password hint code and I want to prevent the user from making the password hint reveal the actual password right away.
Here are the scenarios that I want to prevent:
Let's say that the password is: foobar123
Then the password hint can't be:
"foobar123"
"The password is: foobar123"
"f-o-o-b-a-r-1-2-3"...
For example, if the user has JavaScript enabled, we hash his password and send the hash. If not, we send the password unhashed and a flag to mark that it is unhashed. We then build the hash (if it's unhashed) and compare it to the stored hash.
This seems to be secure and simple. Why isn't it a popular way to send a password? Did I ...
I need to create a .VBS script to reset the Windows local administrator password on a large group of computers. My problem is that some of our sites have renamed the administrator account for security reasons. Does anyone have a script which changes the password of the administrator account based on the SID of the original Administrato...
I'm getting a similar error to this post http://stackoverflow.com/questions/1475128/ruby-on-rails-authlogic-password-not-valid "Password is not valid" which never seemed to be resolved
in the script/console if I create a new user:
myval = "[email protected]"
u = User.create(:email => myval, :password => myval, :password_confirmation => m...
I'm transferring users from my old database to a vBulletin database.
I want a script to do this as it'll take forever otherwise.
I have all the users' passwords stored just like md5(password)
But of course, this doesn't work with vBulletin due to salts etc.
So my code is this:
<?Php
mydatabase_connect();
$select=mysql_query("SELECT ...
I've got a Users table and the HashedPassword column is of the binary(16) type. It's used to store an MD5 hash. To generate the hash I created a couple of stored procedures: CreateUser, EditUser and LoginUser. They have a parameter that accepts a password in plaintext, convert it to the MD5 hash and store/lookup the hash in the table.
T...
Modern browsers save passwords. Which criteria affect this decision?
Background:
I have a registration page with the following form:
<form action="/BlaBla/Account/Register" method="post">
<div>
<fieldset>
<legend>Account Information</legend>
<p>
<label for="username">
...
A hypothetical situation: you've implemented a password handling system, and it doesn't impose any limitations at all on what characters can be used. You want to set up some rules that are a reasonable compromise between two things -
Allow the user as much freedom as possible.
Allow for the possibility that you may change how you handl...
I'm trying to make a "normal" username/password login form secure, without needing HTTPS. My idea is this:
Server generates a keypair for some kind of asymmetric encryption algorithm. It stores this keypair in a temporary table of sorts (or perhaps the local session data).
Server sends the form to the client and includes the public key...
Is there a built in username/password dialog box in Cocoa? I don't want to reinvent this if there's a standard way of doing it, but after googling, I came up with nothing.
I often see that lock image with the application image superimposed on it, so I thought there might be something.
...
Is there a best practice way to store username and password on the iPhone? I am looking for something that is obviously secure but will also keep the info between app updates.
...
Hello All:
Can somebody tell me how to protect an application using a password?
I mean suppose I start an application (say uTorrent) then I want to provide a password so that nobody can close it or change anything without a password.
Thanks
Ashwani
...