passwords

PHP Registration: Auto-generate password or let user choose it

During registration, I'm debating how I should set user password: Let the user choose it. If I do this, I have to enforce some standards (length, weakness, may involve regexes, etc.) What do you normally do when you choose this way and why? Is there a library available for PHP for this? Auto-generate the password for the user and email...

Does Rijndael always throw an exception if the password isn't correct?

I'm using Rijndael to encrypt/decrypt some sensitive images that will be used on some documents. I'm trying to be absolutely sure that the password provided works and that, by some quirk of fate, an incorrect password will result in a corrupted image that ends up on the document. If I don't catch it before this point, lots of documents...

IIS7 Simple http authentication

I've seen this question before but can't find a good answer for it. I have an ASP.NET website using formsauthentication, it has some anonymous and protected parts. Now I publish this on a development machine connected to the internet, I only want testers to have access to this website. So outsiders cannot see anything of the website, no...

SHA512 vs. Blowfish and Bcrypt

I'm looking at hashing algorithms, but couldn't find an answer. Bcrypt uses Blowfish Blowfish is better than MD5 Q: but is Blowfish better than SHA512? Thanks.. Update: I want to clarify that I understand the difference between hashing and encryption. What prompted me to ask the question this way is this article, where the autho...

Is it safe to store (hashed) passwords in a cookie?

I've read some articles and questions on SO (e.g. here) that say you shouldn't store a user's password in a cookie. If the password is salted and hashed, why is this insecure? In particular, why is it less secure than using sessions, the alternative usually suggested? If the user wants to stay logged in then surely this new cookie (with...

(.NET) Easy way to generate random, easy to remember passcodes

I have a project in the works, and I'll need to associate a passcode with an item. The password should be completely non sequential or easily guessable, yet simple to remember. I thought about doing something like this. string rand = System.Guid.NewGuid().ToString(); rand.Substring(0,3); Return the first 4 digits of a GUID. I was wo...

JQuery How-strong-is-your-password bar

Is there a jQuery project out there that creates one of these "Password-strength-meters" right by a password box and updates the strength-bar when something is typed into the field? Do you know any good ones? ...

Help me make my password storage safe

How much safer is this than just md5? I've just started looking into password security. I'm pretty new with PHP. $salt = 'csdnfgksdgojnmfnb'; $password = md5($salt.$_POST['password']); $result = mysql_query("SELECT id FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."' ...

How to send password securely over HTTP?

If on a login screen user submits a form with his username and password, the password is sent in plain text (even with POST, correct me if I am wrong). So the question is what is the right way to protect the user and his password against the third party who might be eavesdropping on the communication data? I am aware that HTTPS is aso...

Is the password weak under dictionary attack

Thanks for looking. All sincerely helpful answers are voted up. I use a password strength meter to let the user know how strong the password they've chosen is. But this password checker obviously doesn't cover how weak under a dictionary attack the password is. How can I check for that, and is it worth it? Also my regular password ch...

What is safest method to store passwords in a table?

Hi, I am using PHP. I used to use native mysql function password() to store passwords. I was told that password() is not safe anymore. What would be the best method to store passwords in PHP? Is it MD5? ...

Asterisk Out Password in HTML (using Ruby on Rails)

I'm a newbie at web programming, and even newer to Ruby on Rails. What is the best way of asterisking out or "hiding" a new password entered by a user? ...

PHP Command line script to create user passwd

Hey all, I'm very new to Linux and PHP so forgive me if this is a dumb question. I need to create a PHP command line script that will add a user to the system, to be used by the ftp server. I have it set up at this point that it creates the account just fine. The problem I'm facing is that even though I pass through the password when I ...

What is password hashing?

What does it mean to hash a password? ...

Should I allow a 2-char password?

This may sound like a frivolous question, but those in the security field will get it. Should I let the user enter any number of characters as long as it's greater than 0 chars. My logic is: the password is going to be hashed and salted anyway, and it's more fun for someone doing a rainbow table to NOT have any length/other guideline...

C# - Transform text in ListView column into password characters

Is there a way to transform text that is in a specific column of a listview control into password characters? Thank you. ...

Storing encrypted passwords

My coworker and I are having a fist-fight civilized discussion over password security. Please help us resolve our differences. One of us takes the viewpoint that: Storing passwords encrypted using a public key in addition to a one-way hashed version is OK and might be useful for integration with other authentication systems in the fut...

PHP command-line: How do I read in a typed-in password without displaying the typed chars on the console?

I want to read in a password as part of a command-line script, but do not want the typed password to appear on the screen. This seems to be a fairly common feature in command-line apps, but my Google-fu has failed in identifying how this works. Is it a feature of the OS? Do you have to intercept the input stream somehow so it doesn't wri...

IE not offering to save password of ASP.NET form

Sometimes Microsoft does something so stunningly dumb that it makes my head hurt. Help me find out it's really not the case ... please! I've got an issue with the login page of an ASP.NET (3.5) site I'm developing whereby IE (7 or 8 ... can't bear to open 6) doesn't offer to save the password when a user logs in. I've checked other brow...

Explicitly create cached user/password for SVN

Hi, is there a method for svn to explicitly create the cached name/password settings for a user and doing nothing else? Name/password settings will be given via a dialog, while svn is probably installed just in the step before. I need that as a step in a workspace installer, which will later make use of svn. Thanks for any help. ...