passwords

Is it a bad idea to use an email address as the salt for a password? Archimedix EDIT: Let me refer you to this answer on Security StackExchange which explains a lot of details about password hashing and key derivation. Bottom line: Use a secure established password hashing scheme that is somehow resource-intensive to protect against brute-force attacks, but limit the number of permitted invocations to prevent denial-of-service (DoS) attacks. If your language library has a function for it, verify on upgrades that it does what it is supposed to do, especially if it's PHP. The answer below is

I'd like to create a view model for a new user using the code below. The "User" class contains just the two properties (simplified for now) that I will persist to the database; the view model adds a "compare password" field, which is only used in the view. I'd prefer to have the view model use the "User" class directly, rather than repeating all of the fields defined in "User". My question is how do I properly reference "User.Password" in the [Compare] attribute for the "ComparePassword" field? public class User { [Required] public string UserName { get; set; } [Required] [DisplayName(

I want to use has_secure_password to store encrypted passwords in the database. I can't find on the the internet if has_secure_password uses any form of salting. If it uses salting, how does it works? Can anyone clarify this for me? Thijs has_secure_password uses bcrypt-ruby . bcrypt-ruby automatically handles the storage and generation of salts for you. A typical hash from bcrypt-ruby looks like this: $2a$10$4wXszTTd7ass8j5ZLpK/7.ywXXgDh7XPNmzfIWeZC1dMGpFghd92e . This hash is split internally using the following function: def split_hash(h) _, v, c, mash = h.split('$') return v, c.to_i, h[0,

I am using the JConsole to access my application MBeans and i use the the password.properties file. But as per the Sun's specification this file contains passwords in clear text formats only. com.sun.management.jmxremote.password.file=<someLocation>/password.properties Now i would want to encrypt the password and use it for the JMX user authentication from JConsole (the username and password fields in Remote section). I could use any pre-defined encryption logic or my own encryption algorithms. Does anyone know of any such interception to change the plain text password to encrypted one so that

net website, i would like to implement forget password. I am using following steps Form having input box for login Id and email Id and CAPTCHA when user enter details and submit, at backend after validation new password is generated and replaced old password at database. New passowrd is send to user at email. Please help me whether i am doing right or not? Is there any other secure mechanism for the same? [EDIT] Thanks, i got your reply. Really this is a secure mechanism. But here i have few doubt What message should i shown to user when he enter loginId and email address at forgotten password

I want to secure mysql by setting root password. I reset root password successfully: MariaDB [(none)]> select Host, User, Password from mysql.user; +-----------+------+-------------------------------------------+ | Host | User | Password | +-----------+------+-------------------------------------------+ | localhost | root | *58319282EAB9E38D49CA25844B73DA62C80C2ABC | +-----------+------+-------------------------------------------+ 1 row in set (0.00 sec) But, after flush privileges, restart Mysql, I can still login mysql (on local host) without typing password. root@myhost:/# mysql Welcome to

Have I missed anything? Are there any additional steps storing passwords to the DB? Storing the Password: After as much research on the subject as possible I've come to the conclusion that the best way to store user passwords in a web application DB (in my case MySQL+PHP) is as follows: Assign a sitewide static salt. (16 rand chars incl 0-9,a-z,A-Z,[]/*-') Assign a per user random salt (stored in the DB). Store the result hash_function($userPassword + $sitewideSalt + $randomSalt) Store the $randomSalt alongside the resulting hash. Use bcrypt adjustable workload hashing Attack #1: Attacker

How do I check when the password was last changed for some user? I would like to do it both on Windows and Linux, can you guide me a little how can I do that? In Linux: chage -l {username} In Windows: net user {username} | find /I "Password last set" In Windows (user part of a domain): net user {username} /DOMAIN | find /I "Password last set" * nix Check out the command chage or getprpw Windows net user UserName has the information in it Erik Gump net user UserName /DOMAIN | find /I "Password last set" This command is useful and was able to check my last password change date and time. 来源：

Years ago it used to be the case that Unix passwords were limited to 8 characters, or that if you made the password longer than 8 characters the extra wouldn't make any difference. Is that still the case on most modern Unix/Linux systems? If so, around when did longer passwords become possible on most systems? Is there an easy way to tell if a given system supports longer passwords and if so, what the effective maximum (if any) would be? I've done some web searching on this topic and couldn't really find anything definitive; much of what came up was from the early 2000s when I think the 8