passwords

How to Protect Sensible Passwords stored in a Database

I'm developing a web application for which final users have to create an account. This part is very easy: I'll hash their passwords with SHA-256 so that nobody, except the user himself, knows the password. Now comes the difficult part. After the user creates an account, he/she has to provide the password of his/her email server. Now the ...

iPhone: Is it possible to open a password-protected file using openURL?

Title pretty much says it all. My app has the URL and password for the file myFile.ext, located at: https://myserver.com/stuff.cgi?db=mydb I want to create an NSURL object which, if passed to UIApplication's canOpenURL and openURL methods, will result in appropriate behavior. Is this possible? If so how? And are there security issu...

Storing hashed passwords in MySQL

Hi I'm creating hashed passwords using salted sha1 in PHP. My question is: In MySQL what is the proper character encoding, field type & length to store the result? Is there anything else in MySQL to consider for password security? Finally are SHA256 or SHA512 practical hashing choices? ...

simple authentication scheme

I have an online registry of professionals with about 300 members. These are smart people, but non technical. Currently, if somebody forgets their email address, the system resends it to the email address they registered with. The problem is that people change their email addresses over time, then forget their password, and can't receiv...

Best practices for efficiently storing md5 hashes in mysql

Possible field types: BINARY(16) CHAR(32) BIGINT + BIGINT How do I decide which one to use? ...

What is currently the most secure one-way encryption algorithm?

As many will know, one-way encryption is a handy way to encrypt user passwords in databases. That way, even the administrator of the database cannot know a user's password, but will have to take a password guess, encrypt that with the same algorithm and then compare the result with the encrypted password in the database. This means that ...

Is it safe to store passwords hashed with MD5CryptoServiceProvider in C#?

We are storing hashed passwords in a database table. We prepend each password with a random salt value and hash using MD5CryptoServiceProvider. Is this safe? I have heard MD5 was "broken". If not, can you recommend an alternate hash method to use (specific .NET framework class)? ...

PHP: Allowing Public and private access to files?

I am building a site that is permissions based. The user can add or remove read permissions to the public for pages as well as files. What is the best way to serve files that are protected, using php? I have seen things like www.mysite.com/download?file=filename.jpg or something like that, but I prefer clean paths. Also, if my files ...

2 equal byte[] does not return true

I'm trying to verify someone's password when logging in. I take the entered password and retrieve the user's saved hashed password and password salt. Then I hash the entered password with the saved salt to see if it's equal to the saved password. However, even though the byte[] storedPassword is exactly like the byte[] enteredPassword,...

Password protect an entire directory with PHP authentication

I want to password protect an entire directory and authenticate users through a MySQL database using PHP. I know you can password protect directories using .htaccess but I can't seem to find out how to use PHP and MySQL along with that. ...

Secure ways to reset password or to give old password

What is the most secure way to handle forgotten passwords/password resets? Should I email the password to the user? If so do you then force them to reset it? Or do you let them reset it immediately (without sending an email) and require some other information to verify that it is them? Or is there a better method? ...

Validating User Oracle Passwords for Reset application

This is a mix of programming and sysadmin but I decided it's more of a programming issue. Currently working building a password management web application for managing Oracle user accounts (C#). The scope calls for verification of the user's Oracle username and password before they're allowed to set a new password. Without creating a tab...

sql server 2005 database password recovery

I have one database in MS SQL Server 2005. I created this a long time back, now want to modify it but I lost the password. I remember the user name for that database, is there any way to recover the password for that database or change its password? Thanks ...

Password Verification with PBKDF2 in Java

Hi everybody, I'm doing password based file encryption in Java. I'm using AES as the underlying encryption algorithm and PBKDF2WithHmacSHA1 to derive a key from a salt and password combination using the following code (which I got from another generous poster on this site). SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmac...

silverlight username password authentication

I am passing the username and password from my Silverlight 4 app to a WCF service. On the server side, the binding is set up as follows: NetTcpBinding netTcpBinding = new NetTcpBinding(SecurityMode.Message, true); netTcpBinding.Security.Message.ClientCredentialType = MessageCredentialType.UserName; netTcpBinding.Security.Transport.Clie...

silverlight 4 net tcp binding security

This document talks about how to send username and password from SL4 app to a web service. It assumes that HTTPS will be used for transport. However, I want to use NET TCP because of its speed. Is that possible because another article says net tcp in SL4 does not provide transport level security. If that's incorrect then how do I conve...

Password protected uninstallation using Inno Setup

I am making an installer using Inno Setup. I want to password protect the uninstallation. So my plan is to ask for the uninstallation password during installation, and save it into a file. While uninstalling, ask for the password from user and compare the passwords. I could not find a way to let the user enter the password while uninsta...

How to secure passwords in Android Application

Many of my users have requested a password protection for various data elements in my database. Unfortunately, one of my existing features is backing up the database to a public location (SD Card) for data redundancy, so my database isn't secure. So my question is two-fold. How can I encrypt or secure a database on android? How can...

How to Compare Microsoft Access Password With User-Supplied Password?

Curious as to how to compare a text box string to the password the user used to authenticate themselves when they started the Microsoft Access database. Microsoft Access version is 2003. Users authenticate themselves using Microsoft Access Jet security. UPDATE: Per CesarGon (thank you), this is really a question of comparing hashed val...

Password Confirmation in zend framework

I add this class to library/My/Validate/PasswordConfirmation.php <?php require_once 'Zend/Validate/Abstract.php'; class My_Validate_PasswordConfirmation extends Zend_Validate_Abstract { const NOT_MATCH = 'notMatch'; protected $_messageTemplates = array( self::NOT_MATCH => 'Password confirmation does not match' ); ...