passwords

I created a script outside of Joomla that can successfully generate a Joomla password: // I copied the JUserHelper class from Joomla here $salt = JUserHelper::genRandomPassword(32); $crypt = JUserHelper::getCryptedPassword($password, $salt); $psw = $crypt.':'.$salt; My question is, how can I compare this new crypt:salt I generate above to a password of an existing user in the Joomla database, and know if the password supplied to the script above is the correct password for that user in the database? One way would be to query the Joomla database directly to get a user's (salted and hashed)

I am writing a Java program to log into the website my school uses to post grades. This is the url of the login form: https://ma-andover.myfollett.com/aspen/logon.do This is the HTML of the login form: <form name="logonForm" method="post" action="/aspen/logon.do" autocomplete="off"><div><input type="hidden" name="org.apache.struts.taglib.html.TOKEN" value="30883f4c7e25a014d0446b5251aebd9a"></div> <input type="hidden" id="userEvent" name="userEvent" value="930"> <input type="hidden" id="userParam" name="userParam" value=""> <input type="hidden" id="operationId" name="operationId" value="">

I have been tossing around the question of how to store the passwords in my DB for some time now. This is my first time at making a secure application with a web login, so i wanted to set up some good practices. First, i read up on hashing and salting. It seems that the idea is... Get hashing algorithm Get password from user Add 'salt' to plain text password from user hash the entire password (including salt) Store the salt in the db so that you can retrieve it later (for verification of PSWD) And that got me thinking... If a hacker knows your salt (because it is stored in the DB somewhere,

There are many discussions about security risk for saving hash password in cookies, as upon accessing to the user's computer, a hacker can log in with the saved password. If a hacker has access to the user's computer, he can catch the password, as browsers also save passwords locally (encrypted of course). What is the difference between password set in cookies with that saved by the browser? For obvious reason, a temporary GUID should be send instead of password. In any case, I believe that limiting access to the logged IP can close doors for attackers to use locally saved GUID. Of course, it

Most services, programs, etc. have various password complexity checks. Without delving into the efficacy of such checks , I thought of one that might be interesting, but also potentially problematic check: "The new password must be Y characters different from the last X passwords." This would prevent people from using passwords like Password1! , Password2! , and so on. But if that's done, one cannot hash the previously used password - they would be at best encrypted... Right? For a small Y and a fairly short password, you could probably still store the hash and bruteforce all Y letter