passwords

How to store and verify digits chosen at random from a PIN/Password

If I have a users 6 digit PIN (or n char string) and I wish to verify say 3 digits chosen at random from the PIN (or x chars) as part of a 'login' procedure, how would I store the PIN in a database or some encrypted/hashed version of the PIN in such a way that I could verify the users identity? Thoughts: Store the PIN in a reversible ...

How to avoid key-loggers when authenticating access

As per the title really, just what can be done to defeat key/keystroke logging when authenticating access? I have just posted a related question (how-to-store-and-verify-digits-chosen-at-random-from-a-pin-password) asking for advice for choosing random digits from a PIN/password. What other reasonably unobtrusive methods might there be?...

Does using the default ActiveDirectoryMembershipProvier.ChangePassword method alert the PCNS?

We've got a Identity Lifecycle Management 2007 Feature Pack 1 server setup that is syncing our student email accounts with live@edu. We want to allow the students to change their password via the web. When I use the default "ChangePassword" method inside of the ActiveDirectoryMembershipProvider, it does not trigger the password event t...

jQuery password strength plugin: Retrieving password's strength.

Hi, I'm working on a legacy groovy project that uses jQuery's password strength validator plugin. It works great. However, a new requirement arrived today, indicating that the form should not be submited if the strength of the password is below good (this is an arbitrary value) Is there any way to achieve this? Possibly via javascript?...

Prevent A User From Downloading Files from Python?

Hello. I am working on a project that requires password protected downloading, but I'm not exactly sure how to implement that. If the target file has a specific extension (.exe, .mp3, .mp4, etc), I want to prompt the user for a username and password. Any ideas on this? I am using Python 26 on Windows XP. ...

MPPE - Forcing strong passwords enough to make PPTP secure?

The title pretty much says it all. Note I'm talking about MS-CHAP v2, not v1. Also using EAP-TLS is not an option (that's why I'm asking this.) ...

Retrieve username/password from browser using javascript

Hi, My web server has authentication enabled. When I access my web server i get a pop-up from browser for username and password. After logged in, I want to retrieve the username from the browser using javascript. I am not using any kind of form to get the username/password. So, I am not setting any cookies also. Can we use DOM method ...

Password hint font in Android

When an EditText is in password mode, it seems that the hint is shown in a different font (courrier?). How can I avoid this? I would like the hint to appear in the same font that when the EditText is not in password mode. My current xml: <EditText android:hint="@string/edt_password_hint" android:layout_width="fill_parent" android:layo...

Hide password on desktop application code

Hi, I have a desktop application developed in C#.NET, with an encrypted database. The encryption password is hard coded in the application code. How can I hide this password, since the code can be accessed through a .net disassembler? Maybe obfuscate the code could be a solution, but how do I create a setup for the application with t...

Proper password storage and retrieval for service accounts?

Most of the information that I found and read about properly storing passwords in a database say that I should Hash the password clear text with a unique salt value for each user and then store that hash in the database. But this process doesn't work for my needs... I have a windows service written in C# that needs to connect to other r...

visual jquery rule-based password indicator

Hi all, I am looking for a jquery plugin that does the following When click on a text box, a div pop up next to it with all rules about a password As user type along, each rules that is passed get a check mark beside them popup disappears when the text box lose focus I am seeing a lot of password strength indicator that shows a gene...

Java Console; readPassword, how does an array protect from determining the password value?

I was reading about the java.io.Console class in one of the java certification books, possibly I've missed something fundamental from a previous chapter, but can someone explain the below? It mentions, that the readPassword method returns a character array instead of a String, to prevent a potential hacker from finding this String and t...

Brute force a confirmation code?

I have a site and for a user to reset this account a confirmation code is email to them, however, after talking it over, it seems this could be a huge security hole. I'd like to make a small app that I can use and show my boss how unsafe the site is. Basically, the code's length is 12 characters with the last 4 being fixed and it only u...

Inno Setup: How to create password wizard page only if component "X" selected

Hi! Can anyone help me to protect a selection group or component. For examples If ('Readme.txt').selected or ('compact').selected = True then begin "Password wizard page"; else result := true; end; Something like that to this working script :P function CheckPassword(Password: String): Boolean; begin result := false; if (Password=...

Which encoding for storing decodable passwords?

I'm building a web service which takes credentials for other services and polls these on the users behalf. Ie - consider an email aggregation service - polls your accounts at various different email providers, and collates them in a single list. In this scenario, passwords provided by the user must be able to be decrypted by the webapp...

Apache protect all paths but whitelist a specific path

Below is my VHost (which is slightly modified to obscure some URLS): 1 NameVirtualHost 192.168.1.49:80 2 3 <VirtualHost 192.168.1.49:80> 4 ServerName internal-name.local 5 ServerAlias *.internal-name.local external-domain.co.uk *.external-domain.co.uk 6 7 <Directory "/var/www/html"> 8 AllowOverride All 9 10...

Does my PHP security algorithm effectively store user credentials?

This question is about a specific programming problem I am having - I want to make sure that my code (and software algorithm) are sufficient enough to store user credentials in a database. // Get a 32 character salt like '69Mt6nexL1rsjWnu011S53MpB/WmT4Vl' $passwordSalt = Security::generateBase64Salt(); $user = new User(); $user->setUse...

PHP/MySQL Secure Login & Sessions

I have a login service to my current website and what I was wondering is - is there any particular method you could call the MOST Secure? Allow me to explain my system a little better: I currently have a PHP MySQL database with a users table. The username and password are both stored as VARCHAR (not the best for passwords I know). On ...

Secure way to do password retrieval/resetting?

Before I begin, my reason for not using OAuth is I believe it is not really something we should be using on this project, we're targeting a platform that will be packaged and resold to companies, which connect to their own set of uses that we really don't want to have accounts that we are not %100 in control of, we don't want it to be a ...

Is it a security risk to use parts of GUID as a random passwords?

When users create an account in my web application, I generate a GUID and use the first 8 characters as their password which is then sent via email. Is there a security risk I am overlooking in using GUIDs as passwords? I've taken a look at the questionAre GUIDs good passwords?, but that question pertains to personal passwords not rando...