hashing – Why do sites store user data all in one user table? Why not separate with salted and hashed unique keys?

Say I’m a Big Company with a bunch of user data, including usernames, email addresses, and salted and hashed passwords. I recognize that I’m susceptible to attack in some way shape or form, despite everything that I’ve done to try to prevent an attacker from gaining access (phishing is stupidly effective, after all).

Suppose I want to separate a hacker from getting to more data. Would it not make more sense for me to set up one table with user data consisting of a unique identifier, their salted and hashed password, and any other relevant data, then create another table of email addresses that has two columns: the email address, and a unique key? However, that unique key is based on a salted and hashed version of the unique key from the original users table that can be replicated (assuming you know the salt and the algorithm used).

Now, assuming someone enters maliciously, they will have to determine two sets of salts and hashes: one to decrypt the password, and one to decrypt which email address is associated with that username and password. Gaining the email addresses is still valuable for stuff like spam mail, but it’s now double the effort if someone wants to figure out how to log in as a user. This obviously is n

oauth2 – API keys or Client Credentials flow? Good practice to control application access to a deployed web component

Company A developed a widget (Web Component) deployed on several clients/partners.

Only clients/partners must be authorized to use the widget.
No need to distinguish between end users (clients’ users), because only the application itself, the widget itself, must be authenticated/authorized.

I thought about using a relevant API KEY per client stored on a reverse proxy (mini-backend), the latter hosted on the client’s infrastructure.
This way, the widget could target the reverse proxy, which provides the hidden API KEY in order to deal with Company A’s backend.

Pros of this solution:
No front developments required on client’s infrastructure.
Cons:
If the API KEY is stolen (in extreme cases), as there is no expiration by default, anyone could benefit from its power at any time unless additional checks on domain + IP/DNS are carried out.

Alternatively, what about the Client Credentials flow of OAuth, which would consist in ensuring a communication between Company A’s backend AND the client’s backend to generate a token allowing the client/partner to ask for a business token that can expire in a short run.
Thus, the widget would be passed the business token in order to deal with Company A’s backend features at any time, before expiration.

Pros of this solution:
The token can expire and has therefore less potential of damages than a potential stolen API KEY that does not expire.
Cons:
Backend developments required on the client’s side in order to deal with the client credentials flow (service to service).
Front developments required on client’s infrastructure to provide the business token to the widget.

What would you suggest?

mysql – SQL: How to get all tables’ columns & keys + the primary key?

I’m trying to get all tables in a database, with their column definitions and keys.

Given the following tables

create database test;
use test;

CREATE TABLE authors (
  id int NOT NULL AUTO_INCREMENT,
  `name` varchar(255) NOT NULL UNIQUE,
  PRIMARY KEY(id)
);
CREATE TABLE books (
  id int NOT NULL AUTO_INCREMENT,
  author_id int NOT NULL,
  title varchar(255) NOT NULL UNIQUE,
  summary varchar(255),
  FOREIGN KEY (author_id) REFERENCES authors(id) ON DELETE CASCADE,
  PRIMARY KEY(id)
);
CREATE TABLE authors_books (
  author_id int NOT NULL,
  book_id int NOT NULL,
  FOREIGN KEY (author_id) REFERENCES authors(id) ON DELETE CASCADE,
  FOREIGN KEY (book_id) REFERENCES books(id) ON DELETE CASCADE,
  PRIMARY KEY(author_id, book_id)
);

The end result should look something like:

authors
id,int,no,auto_increment
name,varchar(255),no,UNIQUE
PK(id)

books
id,int
author_id,int,FK->authors.id
title,varchar(255),UNIQUE
summary,varchar(255),NULL
PK(id)

authors_books
author_id,int,FK->authors.id
book_id,int,FK->books.id
PK(author_id,book_id)

Now, the following query gets me everything except the keys. It’s a mess in mysql output, but running it with the command helps it look digestible.

mysql -u root -p -NBre "SELECT CONCAT_WS('\n', table_name, GROUP_CONCAT(
    CONCAT_WS(',', column_name, column_type)
    ORDER BY ordinal_position
    SEPARATOR '\n'
  ),
  '\n'
)
FROM information_schema.columns
WHERE table_schema = 'test'
GROUP BY table_name"

I’ve tried many combinations to get the keys, but could only get as close as the following.

SELECT a.table_name, a.column_name, GROUP_CONCAT(CONCAT_WS(',', a.column_type, b.constraint_name, b.ordinal_position ) SEPARATOR '|')
FROM columns a
LEFT JOIN key_column_usage b
  ON (a.table_name = b.table_name AND a.column_name = b.column_name)
WHERE b.table_schema = 'test'
GROUP BY a.table_name, a.column_name
ORDER BY a.table_name;

Which gives:

| TABLE_NAME    | COLUMN_NAME | GROUP_CONCAT(CONCAT_WS(',', a.column_type, b.constraint_name, b.ordinal_position) SEPARATOR '|') |
|---------------|-------------|------------------------------------------|
| authors       | id          | int,PRIMARY,1                            |
| authors       | name        | varchar(255),name,1                      |
| authors_books | author_id   | int,PRIMARY,1|int,authors_books_ibfk_1,1 |
| authors_books | book_id     | int,PRIMARY,2|int,authors_books_ibfk_2,1 |
| books         | author_id   | int,books_ibfk_1,1                       |
| books         | id          | int,PRIMARY,1                            |
| books         | title       | varchar(255),title,1                     |

Notice, books.summary is missing, so I’m thinking all fields without a constraint will be missing from the results.

Another thing is when a primary key is a composite key, such as in the bridge table authors_books, they should not be part of the GROUP_CONCAT in the 3rd column but instead be its own record at the end of the table_name group.

I might be on the wrong track, but how can I also get the columns that don’t have key constraints, plus the table’s primary key as its own row?
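One query that produces the requested layout, added here as an example and not part of the question; it assumes the `test` schema created above and always emits the nullability column (so `author_id,int,no,FK->authors.id` rather than `author_id,int,FK->authors.id`). The reason `books.summary` vanished from the question’s query is that `WHERE b.table_schema = 'test'` filters on the nullable side of the LEFT JOIN, which silently turns it into an inner join; here the schema filter is applied only after the column rows are built.

```sql
-- Added example: each column as "name,type,nullability[,extra][,UNIQUE][,FK->table.col]",
-- followed by one "PK(...)" row per table (composite keys stay together).
SELECT t.table_name, t.line
FROM (
  -- one row per column, in declaration order
  SELECT c.table_schema, c.table_name, c.ordinal_position AS pos, 0 AS is_pk_row,
         CONCAT_WS(',',
           c.column_name,
           c.column_type,
           IF(c.is_nullable = 'YES', 'NULL', 'no'),
           NULLIF(c.extra, ''),                       -- e.g. auto_increment; NULL is skipped
           (SELECT 'UNIQUE'                           -- column is part of a UNIQUE constraint
              FROM information_schema.table_constraints tc
              JOIN information_schema.key_column_usage ku
                ON ku.constraint_schema = tc.constraint_schema
               AND ku.constraint_name   = tc.constraint_name
               AND ku.table_name        = tc.table_name
             WHERE tc.constraint_type = 'UNIQUE'
               AND ku.table_schema = c.table_schema
               AND ku.table_name   = c.table_name
               AND ku.column_name  = c.column_name
             LIMIT 1),
           (SELECT CONCAT('FK->', k.referenced_table_name, '.', k.referenced_column_name)
              FROM information_schema.key_column_usage k
             WHERE k.table_schema = c.table_schema
               AND k.table_name   = c.table_name
               AND k.column_name  = c.column_name
               AND k.referenced_table_name IS NOT NULL
             LIMIT 1)
         ) AS line
    FROM information_schema.columns c
  UNION ALL
  -- one trailing row per table holding the (possibly composite) primary key
  SELECT k.table_schema, k.table_name, 0, 1,
         CONCAT('PK(', GROUP_CONCAT(k.column_name ORDER BY k.ordinal_position), ')')
    FROM information_schema.key_column_usage k
   WHERE k.constraint_name = 'PRIMARY'
   GROUP BY k.table_schema, k.table_name
) AS t
WHERE t.table_schema = 'test'            -- filter on the non-nullable side only
ORDER BY t.table_name, t.is_pk_row, t.pos;
```

Run through the same `mysql -NBre` invocation to get tab-separated `table_name<TAB>line` rows grouped per table with the PK row last.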

x.509 – openssl SubjectDN parameter, abbreviation of argument keys and how to add extra ones

The openssl command allows creating x509 certificates and adding a subjectDN using the -subj parameter.
The parameter accepts a string of slash-delimited values in the form of:

"/UPPERCASE_ABBREVIATED_KEY=VALUE/.../"

i.e.

"/C=IT/ST=Italy/L=Milan/O=myservice/CN=localhost"

I could not find a complete list of the allowed keys, and I need to create a certificate with the following attributes:

  • organizationName (O)
  • commonName (CN)
  • uri (?!)
  • organizationIdentifier (?!)
  • countryName (C)
  • localityName (L)

of which uri and organizationIdentifier I have no clue how to include.
To my knowledge (fairly limited, I am just starting in the digital signature world), the values this parameter can incorporate are:

  • Country Name (C)
  • State or province (ST)
  • Locality (L)
  • Organization Name (O)
  • Organizational Unit Name (…)
  • Common Name (CN)
  • Email Address (…)

Is there a place where I can find the complete list of possible attributes and their abbreviations?
Or maybe there is something other than openssl that allows building the certificate?
Is it possible that to add the extra fields (uri, OrganizationIdentifier) the addtext argument must be used?
Thank you in advance for your time and understanding.
Best regards

wallet – Mycelium – understanding of keys

Under the Accounts tab in Mycelium, it says that Account 1 “Contains 3 private keys.” My understanding is that a public/private key pair is generated for each address type/format (p2sh, p2pkh and bech32) and we are free to choose which to use when receiving bitcoins.

  1. Is any of those three private keys known as the Extended Private Key from which all remaining and future private keys get derived? Or, are all private keys within ‘Account 1’ derived from the 12-word master seed and none of them are Extended Private Keys? Or, are the 3 of them Extended Private Keys (one for each address type)?

  2. Now when I’m receiving bitcoins I can choose which of the three addresses I want to use, right? Are the bitcoins now associated with the public/private key pair or the account? Say the three public/private key pairs are xpub/xprv, ypub/yprv and zpub/zprv … now if I received A bitcoins on xpub and B bitcoins on ypub, does that mean when I want to send A+B bitcoins I have to make two separate transactions and therefore pay transaction fees twice?

  3. After receiving some bitcoins on, say ypub, does that mean another public/private key pair gets generated because it’s an HD wallet? If yes, next time you’re receiving bitcoins, can you choose which of the 4 addresses you want the coins to be associated with?

  4. If I create a new account (say ‘Account 2’) will it have its own master seed? Or is the 12-word master seed for all accounts within the wallet? If the master seed is for all accounts, where do the Extended Private Key and Extended Public Key reside?

public key infrastructure – How does roaming work with SSH private keys?

This occurred to me when looking at the security model WireGuard is using. Instead of relying on user credentials and a central RADIUS authentication server, each user has a private key used to authenticate to the VPN. This is modeled after SSH PKI.

But how does it work when users switch computers? In big organisations it is common for employees to move around a lot and log in to different machines. Is the idea for them to only have VPN/SSH access from their own desks? Or are the keys stored on some local network file share?

8 – Override specific configuration keys in settings.local.php

I’m trying to learn the Drupal 8 configuration override system based on the documentation here:

https://www.drupal.org/docs/drupal-apis/configuration-api/configuration-override-system

As a simple test, I have disabled the Shield module and exported config. Here’s a diff:

diff --git a/config/sync/shield.settings.yml b/config/sync/shield.settings.yml
index 3f7482f18..d9f019ca4 100644
--- a/config/sync/shield.settings.yml
+++ b/config/sync/shield.settings.yml
@@ -1,4 +1,4 @@
-shield_enable: true
+shield_enable: false
 credential_provider: shield
 credentials:
   shield:
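Review bot: the file header shows this hunk edits `config/sync/shield.settings.yml`, so the config object is named `shield.settings` (the file name without `.yml`), which is the key an override in settings.local.php has to address rather than `shield`. Separately, the trailing context lines `credentials:` / `shield:` show that the Shield user and password live in the same exported file as `shield_enable`; committing the sync directory therefore commits those credentials, so they are better supplied through an override from environment variables than stored in `config/sync`.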

Now, in my settings.local.php I have attempted to override this config key:

/**
 * Disable Shield (HTTP Basic Authentication).
 */
$config['shield']['shield_enable'] = FALSE;

This approach does not seem to work.

Do I need to do anything else to override the configuration?

NOTE: This is a contrived example. I could use configuration splits to disable HTTP basic auth in the production environment, even if it’s enabled in the active database configuration. In fact, I am hoping this approach will allow me to use environment variables to provide environment-specific values for authentication tokens, API keys and other secrets that may change in sandbox and production environments, but details are irrelevant to the question.

Where does it go and who verifies private keys?

The private key is used when signing a transaction. The private key usually goes into a bitcoin wallet, and the wallet software handles the signing and storage of your keys. Do not give your keys to anyone. Anyone with your private keys can spend just the same as you so it is important to keep these safe and preferably offline.

Yes, your wallet software will verify the signature (not the key) before broadcasting, as will any listening nodes.

bitcore – Can parent keys access child keys’ bitcoin?

I’m using bitcore to generate a parent key and multiple child keys.

I’ve sent 0.00001 BCH to the parent key and 2 child keys. The 0.00001 BCH is currently on each of them. Can the parent key access the child keys’ BCH, or does it need to send the BCH from each child to the parent?

Here are the exact docs I’m reading

https://github.com/bitpay/bitcore/blob/master/packages/bitcore-lib-cash/docs/hierarchical.md