passwords

问题 I'm writing a command line tool to help my web app. It needs a password to connect to the service. I'd like the script to show a password prompt so I don't have to pass it as a command line argument. That's easy enough, but I'd like it to not echo the password to the screen as it's typed. How can I do this with PHP? Bonus points for doing it in pure PHP (no system('stty') ) and replacing the characters with * . EDIT: The script will run on a unix like system (linux or mac). The script is

问题 I have to do jQuery form validation for password. The password should contain at least two special characters in any order. I have tried with Regular Expression for password validation but it does not address that two random special characters can come at any order. How do I do it using a JavaScript regular expression? 回答1: You do not have to use look-arounds in cases when you do not have to. If you only need to make sure the string has at least 2 characters of a specific set, use this kind

问题 My app must read an SSL url from a third party. How do I best store the third party credentials in my own database, which protects the third party credentials from being compromised? Consider both absolute security and practicality. One-way hashing the credentials is not useful as I must restore credentials to plaintext for the SSL call. I'm using python on google app engine, and my app authenticates with google credentials. encrypt credentials using e.g. AES and save the encryption key

问题 I'm not a Java developer, but my client has hired one to update some JAR files on their site. Prior to doing so, we audited the existing code and found a number of security vulnerabilities. One of the solutions we employed to make the files more secure is to create a new database user with read-only access to the database, and only for those tables that the JAR files required to operate. I then found out that they are storing these credentials in plain text files alongside the JAR files, only

问题 I'm not really up to date with the most recent developments regarding hashing algorithms strengths; what is currently my best bet for storing passwords? Also, how much more security do salting and key stretching offer me? 回答1: MD5 has been broken. SHA-1 has significant weaknesses. SHA-2 is considered adequate at the moment. SHA-3 will shortly become a FIPS standard. Best practice is to combine password hashing with random salting and key stretching, e.g. PBKDF2. A good discussion on password

问题 My coworker and I are having a fist-fight civilized discussion over password security. Please help us resolve our differences. One of us takes the viewpoint that: Storing passwords encrypted using a public key in addition to a one-way hashed version is OK and might be useful for integration with other authentication systems in the future in case of a merger or acquisition. Only the CEO/CTO would have access to the private key, and it would only be used when necessary. Regular login validation

问题 I just set up Devise (rails authentication plugin) to send a confirmation email upon sign up. This involved my putting the following into my environment.rb file: ActionMailer::Base.delivery_method = :smtp ActionMailer::Base.smtp_settings = { :tls => true, :address => "smtp.gmail.com", :port => 587, :domain => "gmail.com", :authentication => :login, :user_name => "[my email]", :password => "[my pass]" } I obviously don't want to push this up to github with [my pass] just sitting there. Is

问题 I'm trying to download a file from sftp site using batch script. I'm getting the following error: Permission denied (publickey,password,keyboard-interactive). Couldn't read packet: Connection reset by peer When running the command: sftp -b /home/batchfile.sftp <user>@<server ip>:<folder> the batchfile.sftp includes these data: password lcd [local folder] cd [sftp server folder] get * bye Note: It's working when running at the prompt as sftp <user>@<server ip>:<folder> But I need the ability

问题 I'm finding surprisingly little information on converting an existing database from Encrypted passwords to Hashed passwords. (I was able to find a bit more information on converting the other way, but it wasn't of much help.) As most people know, changing the passwordFormat setting in web.config only affects new users. I have a database with a couple of hundred users and I'd like to convert them to use hashed passwords without changing those existing passwords. Is anyone else familiar with

问题 An article that I stumbled upon here in SO provided links to other articles which in turn provided links to even more articles etc. And in the end I was left completely stumped - so what is the best way to store passwords in the DB? From what I can put together you should: Use a long (at least 128 fully random bits) salt, which is stored in plaintext next to the password; Use several iterations of SHA-256 (or even greater SHA level) on the salted password. But... the more I read about