passwords

If I increase the bcrypt cost do I have to rehash the users password already registered?

扶醉桌前 submitted on 2019-12-02 02:45:18
Question: I'm just digging into Symfony2 and just got my own user-provider running. ATM I use bcrypt with a cost of 12. If I now increase the cost, bcrypt should rehash the password again!?! But how can I persist the new password to database?
Answer 1: You can change the cost in any moment because as you can read in the official symfony2 docs you don't need to rehash the old passwords because they are automatically handled with the old cost (and if you want you can force the users in the future to change

Query about Html <input type="password"> tag…?

孤街浪徒 submitted on 2019-12-02 02:15:43
Question: I have seen different Password masking characters in different logon screens instead of "a big black dot". How can I change the Password masking character in password field? I don't find an option to do this. Pls help.
Answer 1: There is no HTML attribute to stylize the password field mask characters. You need to use a combination of HTML, CSS and JavaScript to achieve the desired effect.
Answer 2: You could use this jquery plugin: http://blog.decaf.de/2009/07/iphone-like-password-fields-using-jquery/

Authentication with bcrypt hashed password

不想你离开。 submitted on 2019-12-02 02:15:43
Question: In my C++ application, user must login in order to use the application. The user login data are taken from phpBB 3.1 database, which uses bcrypt for password hashing. However, I didn't find any suitable example for C++. So my question is: How can I auth a user with bcrypt hashed password in C++? I know how to do authentication from external database in C++, I just need help with the bcrypt. Thank you!
Answer 1: BCrypt is really not as common as it could be, but there is a Stackoverflow question on

storing passwords in sql server database using ef core code first

自古美人都是妖i submitted on 2019-12-02 01:52:17
I have this class to represent my users:
    public class User
    {
        public int ID {get; set;}
        public string UserName {get; set;}
        [DataType(DataType.Password)]
        public string Password {get; set;}
    }
A simplistic version of my register method looks like this:
    [HttpPost]
    public async Task<IActionResult> Register(User newUser)
    {
        ...
        _context.Add(newUser);
        await _context.SaveChangesAsync();
        ...
    }
So my question is: Should I alter the password type from a regular string before storing? If so, to what data type?
YES YES YES
Never store passwords as plain text
While much of this is a security discussion rather than a programming one, you

Curl fails on sftp password authentication

半世苍凉 submitted on 2019-12-02 01:46:43
When I manually sftp using username and password it works fine, when using curl it fails. The same script will successfully connect to other servers with no problem. Because I can manually log in and other clients don't have a problem the server admins aren't much help. Here is the curl failed attempt:
    curl -v --insecure --user username:password sftp://someurl.com
    * Trying 199.187.***.***...
    * Connected to someurl.com (199.187.***.***) port 22 (#0)
    * SSH MD5 fingerprint: 6831eae63f230952a1775e0f67f80e7b
    * SSH authentication methods available: publickey,gssapi-keyex,gssapi with-mic,password
    *

Python Fabric: Skip logins needing passwords

假如想象 submitted on 2019-12-02 01:32:08
I have a similar issue to this: How can I skip Fabric connections that ask for a password? which has no answer. I'm looking for a way to get Fabric to consider bad any host asking for a password instead of an SSH key login, since this means the user I'm connecting as doesn't have an account on the server (and I'm iterating through a large list of hosts). I've tried setting env.password = None and env.password = 'none' as well as with setting(warn_only=True): but Fabric keeps asking for the password. Any way around this?
I believe env.abort_on_prompts will achieve what you need, i.e. fail if

Is there a method to encrypt passwords stored in a VBS

送分小仙女□ submitted on 2019-12-02 01:23:05
I have a VBS script I use at work for automating tasks when connected to Cisco routers and switches, including automating the login process. Not unreasonably people are a little edgy about storing their password in a plain text VBS file, so I provide them with the option to prompt every time for the password or have it stored in the script. Is there a method by which I could call out to a Windows API which might be able to handle encryption for me? I would need a way to both a) encrypt the original password so it could be safely stored in the script, and b) provide a way of calling the decrypt

Regex to validate password

一世执手 submitted on 2019-12-02 01:08:25
Question: I've looked on here for some ideas but I still seem to be struggling with coming up with a regular expression to meet my requirements. I need a regular expression to check a password format, the criteria are:
- At least 1 uppercase letter
- At least 1 number
- Only alphanumeric characters (no special characters)
- At least 8 characters long
The regular expression I'm using is: ^(?=.*[a-z])(?=.*[A-Z])(?=.*\d).{8,}$ However this is also allowing characters like !$& . Is there a modification I need to

If I increase the bcrypt cost do I have to rehash the users password already registered?

删除回忆录丶 submitted on 2019-12-01 23:22:20
I'm just digging into Symfony2 and just got my own user-provider running. ATM I use bcrypt with a cost of 12. If I now increase the cost, bcrypt should rehash the password again!?! But how can I persist the new password to database?
You can change the cost in any moment because as you can read in the official symfony2 docs you don't need to rehash the old passwords because they are automatically handled with the old cost (and if you want you can force the users in the future to change their password like happens in many large sites).
DevWL You can't reverse a hash function so you're left with

Is it safe to store (hashed) passwords in a cookie?

情到浓时终转凉″ submitted on 2019-12-01 22:38:40
I've read some articles and questions on SO (e.g. here) that say you shouldn't store a user's password in a cookie. If the password is salted and hashed, why is this insecure? In particular, why is it less secure than using sessions, the alternative usually suggested? If the user wants to stay logged in then surely this new cookie (with a session ID/hash) is exactly as secure as the one with the user's password? If the cookie is "stolen" in some way the attacker can log in as the user in the same way. EDIT: The main crux of the question is the part about the user staying logged in, i.e. via