passwords – Is this (explained in body) a possible attack vector when using haveibeenpwned API?

I’m currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised elsewhere.

I understand the process involves the site sending a partial hash of the password to HIBP and HIBP will respond whether it’s pwned.

I am also assuming that it is possible that HIBP stores logs of my API request and that it may contain information leading back to my app.

If HIBP gets hacked, and attacker gains access to the above hypothetical logs, assuming that it contains all the information in the original request – the partial hash and where it came from (my site), can the attacker construct an attack on my site is this way?

  1. Hash the passwords in the list of pwned password and get a list of hashes
  2. Match the partial hash he has with those in the above list and
    derive a refined dictionary of N number of possible passwords with
    same partial hash
  3. Try the passwords on my site

I am aware at every point in the above, measures can be put in place to mitigate each, e.g. 2FA. But it is not my objective to ask for how to secure my sign up, but to validate my concerns with using HIBP and whether there’s an attack vector to be considered.

PS: I’m not a security expert but I do know how passwords and hashes work. As HIBP is new to me, I don’t fully know how it works and all the features of its API. Pardon me if I made wrong assumptions.

passwords – “john –format=md5” caused “Unknown ciphertext format name requested” error

Linux unshadow file

wolf@linux:~$ cat md5hash.txt 

md5hash only

wolf@linux:~$ cat md5hash_only.txt 

Since I know that these are md5 format, I used --format=md5 option in john.

Unfortunately, I’m getting Unknown ciphertext format name requested error.

wolf@linux:~$ john --format=md5 md5hash.txt 
Unknown ciphertext format name requested

wolf@linux:~$ john --format=md5 md5hash_only.txt 
Unknown ciphertext format name requested

I’ve verified that the format is similar with pentestmonkey cheat-sheet

Any idea what’s wrong here?

macbook pro – Using security keys similar to the use of TouchID for removing need of passwords

With the new MacBooks getting TouchIDs, password authentication is becoming an old school way to do things. Since TouchIDs work in the same way as Security keys, both having public-private keypair, do we have a way to use security keys for the same purpose in older Macbooks as the touchIDs in new Macs.

encryption – Is it really that unsafe to store passwords in a text file on my computer?

Yes, it is unsecure. Here are some reasons.

It can be that you installed (intentionally or not) some malware or virus, that scans your files and sends data to some external server.

It can be that your create backups to some external drive and they are not encrypted. If you lost your back up drive, somebody can get access to it.

passwords – Security measures to prevent thermal imaging intrusion

I am looking to determine the best security measures to prevent unauthorized access to my network by an attacker using thermal imaging through a window/wall. I know there is thermal imaging can that detect subtle enough fluctuations in heat to monitor your keyboard strokes through a wall.

But how sensitive is the detection really?

Is it sensitive enough to detect hand writing as you are writing sensitive information down on paper?

Is there enough heat fluctuations on a monitor between colors to be able to detect information on a monitor?

Passwords – How Android boots and shows notifications with full encryption but no authentication before launch

I have Android 5.1 (Motorola Moto G X1039). I encrypted the phone and set the screen password. then

After each password change, I can choose one of two options:

  • & # 39; Password required at startup & # 39;
  • & # 39; No thanks & # 39;

When I select the first one, the phone asks for the password before booting. If I choose the second option, the phone starts without a password, but needs a password to unlock the screen. I am aware that Android Dummy can temporarily mount /data File system just to show nice user interface.

However, if the second option is selected, the phone can display notifications of new incoming emails or messenger messages after booting but before receiving my password. and we're talking about Android 5 (before file-based encryption)

How does my fully encrypted Android know without asking for my password:

  • that I have installed Gmail or Messenger
  • my email or messenger password
  • that I have activated notifications for Gmail and Messanger

How does it work without my password if it should be fully encrypted? or if I choose not to use the password during startup, does full disk encryption only use the default password? If so, is it secure at all, does it still protect the data of a stolen phone (I know that a user password along with a hardware-based key / chip is required to decrypt the hard drive)?

again the scenario:

  • Restart the encrypted phone with the screen lock password you set
  • Wait for it to start (don't enter a password)
  • Send an email or messenger message from another phone
  • The encrypted phone displays a notification of incoming messages, but has never received the password to decrypt the hard drive

Passwords – Is the use of conventional 2FA codes a requirement for using the U2F-FIDO key in Dashlane / 1Password?

In the past few weeks, I've spent a lot of time thinking about structuring my security plan based on a password manager, only two to three strong passwords, and using physical U2F keys like YubiKey. Without going into too much detail, part of my plan would necessarily include the following:

I have a password manager that stores passwords for all of my online accounts (apart from the main email address used to register such accounts). For reasons related to other parts of my plan:

  • If possible, these individual accounts are secured by the traditional 2FA justwhere a 30 second code is generated with a phone app.
  • The manager himself is secured with a physical U2F key just.

The reasons for this were as follows. Consider these two unlikely scenarios:

  1. My main password for the manager and my phone with the 2FA app are stolen. Since the manager can only be accessed with the U2F key, I am safe.
  2. My main password and the U2F key are stolen. The attacker can log in to the manager. However, since the 2FA code is required for the accounts whose passwords are stored, I am sure that the attacker does not have my phone. (You can only access websites that do not have the 2FA option, but they are considered unimportant here.)

However, when I read the Dashlane and 1Password technical support pages, I understand that to add a key to my manager, I also need to activate the code-based 2FA first (this may not be the case, but the information has not been conveyed clearly ). Keeper appears to support U2F without enforcing such a 2FA. LastPass doesn't seem to support U2F at all, only OTP.

The reason I'm worried about this is:

  1. My main password and my phone with the 2FA app are stolen. If both 2FA codes and U2F are activated for the manager, the attacker can now access them (in contrast to case 1). Since the accounts contained therein use 2FA, they can also access these accounts (in contrast to case 2). Security at risk!

Therefore, it is crucial for me to use only one type of two-step authentication for my manager. Although Google allows many methods, all methods other than the U2F keys become invalid, although Google allows many methods. I want the same from my manager. Is that possible in Dashlane or 1Password?

P.S. I am aware of the risks of using only the U2F keys for my manager. Some managers, e.g. Dashlane, offer unique recovery codes that could be safely stored elsewhere. You could also write down the (usually 32-digit) code associated with the QR image to activate the usual 2FA without actually activating it at this point.

8 – Are user passwords encrypted when sending the registration form?

If you send the form under / user / login, both fields in the POST text will be sent in plain text. If you're using a browser debugger (like Chrome Inspector), you can view and view network traffic.

Then the transmitted password is hashed on the server side with the current algorithm (it is currently a stretched SHA-512, see PhpassHashedPassword() for more details) and compared with the version in the database.