passwords

问题 I have this custom type: public struct PasswordString { private string value; public PasswordString(string value) { this.value = MD5.CalculateMD5Hash(value); } public string Value { get { return this.value; } set { this.value = MD5.CalculateMD5Hash(value); } } public static implicit operator PasswordString(string value) { return new PasswordString(value); } public static implicit operator string(PasswordString value) { return value.Value; } public static bool operator ==(string x,

问题 I want to have a way of authenticating an user (which introduces his password) without having that password stored in plain text or even a hash of it. How should I do it? Is it secure to have a control string that the user key can cipher and compare it with the ciphered string that I have stored? 回答1: Per NIST (National Institute of Standards and Technology): Use a hash function, iterate over an HMAC with a random salt for about a 100ms duration and save the salt with the hash. Use functions

问题 Excuse me for this very odd question. I understand the purpose of base64 encoding for transmitting data (i.e. MIME's Base64 encoding), but I don't know if I need to base64 encode my salts. I wrote an utility class (a base abstract class indeed): use Symfony\Component\Security\Core\Encoder\BasePasswordEncoder; abstract class AbstractCryptPasswordEncoder extends BasePasswordEncoder { /** * @return string */ protected abstract function getSaltPrefix(); /** * @return string */ protected abstract

问题 I have DBA authority to a sybase database on Windows. I have a another user that I don't know the password for. I regularly use an application that does know the password, and it uses the password to automatically login to the application. However, I can't find a way to find that password anywhere in the application or its dlls/files/registry/etc. I obviously don't want to just change the password of the user, as the password in the application can't be updated (that i know of). I want to be

问题 I know there are probably a lot of questions like this already. But, I really haven't found the definite answer for my question. I know that passwords are stored in the database with a prepended random salt followed by the hashed password. The value of the password is actually never known (by the server and thus the server admins). What is the standard hashing algorithm ? I know cryptography is a dynamic field and changes with time. So I'm asking what's the current industry standard for

问题 For authentification with Dovecot, I use SSHA256 hashes but I have no clue how to validate a given password against the existing hash. The following PHP functions (found them in the web) are used to create the SSHA256 hash: function ssha256($pw) { $salt = make_salt(); return "{SSHA256}" . base64_encode( hash('sha256', $pw . $salt, true ) . $salt ); } function make_salt() { $len = 4; $bytes = array(); for ($i = 0; $i < $len; $i++ ) { $bytes[] = rand(1,255); } $salt_str = ''; foreach ($bytes as

问题 For authentification with Dovecot, I use SSHA256 hashes but I have no clue how to validate a given password against the existing hash. The following PHP functions (found them in the web) are used to create the SSHA256 hash: function ssha256($pw) { $salt = make_salt(); return "{SSHA256}" . base64_encode( hash('sha256', $pw . $salt, true ) . $salt ); } function make_salt() { $len = 4; $bytes = array(); for ($i = 0; $i < $len; $i++ ) { $bytes[] = rand(1,255); } $salt_str = ''; foreach ($bytes as

问题 I'm having a little trouble with how to conceptually handle password resets if a user forgets their password. I have been trying to model my system after this SO answer. Here is my current setup: The user clicks forgot password link on page The page prompts them to enter their email address The user enters email address and hits "Send me my info" When the user hits "Send my my info" a new entry is created in my password_change_requests table with a random id, a time, and the user's username.

问题 I was trying to use the Paypal PHP SDK and I noticed a warning that says I should encrypt my API username and password for use in production environments. I do agree on this statement, but I'm wondering how I should go about doing that. I currently have no clue. Here's what the warning says, just for the record: Do not embed plaintext credentials in your application code. Doing so is insecure and against best practices. Your API credentials must be handled securely. Please consider encrypting

问题 I was trying to use the Paypal PHP SDK and I noticed a warning that says I should encrypt my API username and password for use in production environments. I do agree on this statement, but I'm wondering how I should go about doing that. I currently have no clue. Here's what the warning says, just for the record: Do not embed plaintext credentials in your application code. Doing so is insecure and against best practices. Your API credentials must be handled securely. Please consider encrypting