passwords

I've been reading about the Gawker incident and several articles have cropped up regarding only using bcrypt to hash passwords and I want to make sure my hashing mechanism is secure enough to avoid switching to another method. In my current application I have opted for a PBKDF2 implementation utilising sha2-512 and a minimum of 1000 iterations. Can I ask for opinions on using PBKDF2 vs Bcrypt and whether or not I should implement a change? You're good with PBKDF2, no need to jump to bcrypt. Although, the recommendation to use 1000 iterations was made in year 2000, now you'd want much more.

I am wondering if there is a way to reset password with UserManager of ASP.NET MVC 5 I tried this with user that already has a password but no success. Any clue? IdentityResult result = UserManager.AddPassword(forgotPasswordEvent.UserId.ToString(), model.ConfirmPassword); if (result.Succeeded) { // } else { AddErrors(result); } Developer It is here ASP.NET Identity reset password UserManager<IdentityUser> userManager = new UserManager<IdentityUser>(new UserStore<IdentityUser>()); userManager.RemovePassword(userId); userManager.AddPassword(userId, newPassword); I suppose this is newer but there

Is there a tutorial out there or does anyone have pointers on how to do the following with Spring-Security? Task: I need to get the salt from my database for the authenticating username and use it to encrypt the provided password (from the login page) to compare it to the stored encrypted password (a.k.a. authenticate the user). additional information: I use a custom database structure. A UserDetails object is created via a custom UserDetailsService which in turn uses a custom DAOProvider to get the information from the database. my security.xml file so far: <authentication-manager>

I am currently using the following for hashing passwords: var pass_shasum = crypto.createHash('sha256').update(req.body.password).digest('hex'); Could you please suggest improvements to make the project safer? balazs I use the follwing code to salt and hash passwords. var bcrypt = require('bcrypt'); exports.cryptPassword = function(password, callback) { bcrypt.genSalt(10, function(err, salt) { if (err) return callback(err); bcrypt.hash(password, salt, function(err, hash) { return callback(err, hash); }); }); }; exports.comparePassword = function(plainPass, hashword, callback) { bcrypt.compare

I'm interested in creating a very simple, high (cryptographic) quality random password generator. Is there a better way to do this? import os, random, string length = 13 chars = string.ascii_letters + string.digits + '!@#$%^&*()' random.seed = (os.urandom(1024)) print ''.join(random.choice(chars) for i in range(length)) The difficult thing with passwords is to make them strong enough and still be able to remember them. If the password is not meant to be remembered by a human being, then it is not really a password. You use Python's os.urandom() : that's good. For any practical purpose (even

http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash I'm storing user passwords in a MySQL database in hash form. Does this mean that it is unsafe to do so? If it is, what are my alternatives? The next question in the FAQ you linked to discusses it: How should I hash my passwords, if the common hash functions are not suitable? From the FAQ: The suggested algorithm to use when hashing passwords is Blowfish, as it is significantly more computationally expensive than MD5 or SHA1, while still being scalable. The question following that is about salt. Has been answered many times

I am programming a PHP site that allows users to register,I'm using codeigniter php and I want to know the best function to encrypt passwords and what difference between this function? Passwords should almost never be encrypted. Instead, they should be one-way hashed. Generally, bcrypt is recommended , as it's resistant to brute forcing, where common alternatives like md5 or sha1 fail. Use PHPass: http://www.openwall.com/phpass/ The preferred (most secure) hashing method supported by phpass is the OpenBSD-style Blowfish-based bcrypt, also supported with our public domain crypt_blowfish package

i looking some help and nice attention here.. i bought some php script many years ago and now no suport anymore... i just want to add md5 to password field.. here my form: <?php $SQL = "SELECT * from USERS WHERE USERNAME = '$_SESSION[username]'"; $result = @mysql_query( $SQL ); $row = @mysql_fetch_array( $result ); include 'menu.php'; ?> <FORM METHOD="post" ACTION="?page=query_client"> <INPUT TYPE="hidden" NAME="controller" VALUE="USERS~update~account_details&up=1~<?php echo $row[ID]; ?>"> <TABLE CLASS="basictable"> <TR> <TD CLASS="tdmenu" WIDTH="40%">Username</TD> <TD CLASS="tdmenu" WIDTH="60

This question already has an answer here: Regular Expression for password validation 5 answers I have to do jQuery form validation for password. The password should contain at least two special characters in any order. I have tried with Regular Expression for password validation but it does not address that two random special characters can come at any order. How do I do it using a JavaScript regular expression? You do not have to use look-arounds in cases when you do not have to. If you only need to make sure the string has at least 2 characters of a specific set, use this kind of a regex