I have a a large list of computers and I need to update the passwords every few months and send to other members of my team.. When I export the list and the other team members import it… the passwords from my new list do not update on their machines. How do I get ARD to “forget” a machine I’ve logged into?
I’m currently working on understanding and contemplating to implement password strength validation for sign ups in my app, to include checking haveibeenpwned if entered password is compromised elsewhere.
I understand the process involves the site sending a partial hash of the password to HIBP and HIBP will respond whether it’s pwned.
I am also assuming that it is possible that HIBP stores logs of my API request and that it may contain information leading back to my app.
If HIBP gets hacked, and attacker gains access to the above hypothetical logs, assuming that it contains all the information in the original request – the partial hash and where it came from (my site), can the attacker construct an attack on my site is this way?
- Hash the passwords in the list of pwned password and get a list of hashes
- Match the partial hash he has with those in the above list and
derive a refined dictionary of N number of possible passwords with
same partial hash
- Try the passwords on my site
I am aware at every point in the above, measures can be put in place to mitigate each, e.g. 2FA. But it is not my objective to ask for how to secure my sign up, but to validate my concerns with using HIBP and whether there’s an attack vector to be considered.
PS: I’m not a security expert but I do know how passwords and hashes work. As HIBP is new to me, I don’t fully know how it works and all the features of its API. Pardon me if I made wrong assumptions.
Linux unshadow file
wolf@linux:~$ cat md5hash.txt root:$1$FTpMLT88$VdzDQTTcksukSKMLRSVlc.:0:0:root:/root:/bin/bash john:$1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1:500:500::/home/john:/bin/bash harold:$1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1:501:501::/home/harold:/bin/bash wolf@linux:~$
wolf@linux:~$ cat md5hash_only.txt $1$FTpMLT88$VdzDQTTcksukSKMLRSVlc. $1$wk7kHI5I$2kNTw6ncQQCecJ.5b8xTL1 $1$7d.sVxgm$3MYWsHDv0F/LP.mjL9lp/1 wolf@linux:~$
Since I know that these are md5 format, I used
--format=md5 option in john.
Unfortunately, I’m getting
Unknown ciphertext format name requested error.
wolf@linux:~$ john --format=md5 md5hash.txt Unknown ciphertext format name requested wolf@linux:~$ wolf@linux:~$ john --format=md5 md5hash_only.txt Unknown ciphertext format name requested wolf@linux:~$
I’ve verified that the format is similar with pentestmonkey cheat-sheet
Any idea what’s wrong here?
With the new MacBooks getting TouchIDs, password authentication is becoming an old school way to do things. Since TouchIDs work in the same way as Security keys, both having public-private keypair, do we have a way to use security keys for the same purpose in older Macbooks as the touchIDs in new Macs.
Yes, it is unsecure. Here are some reasons.
It can be that you installed (intentionally or not) some malware or virus, that scans your files and sends data to some external server.
It can be that your create backups to some external drive and they are not encrypted. If you lost your back up drive, somebody can get access to it.
I am looking to determine the best security measures to prevent unauthorized access to my network by an attacker using thermal imaging through a window/wall. I know there is thermal imaging can that detect subtle enough fluctuations in heat to monitor your keyboard strokes through a wall.
But how sensitive is the detection really?
Is it sensitive enough to detect hand writing as you are writing sensitive information down on paper?
Is there enough heat fluctuations on a monitor between colors to be able to detect information on a monitor?
I have Android 5.1 (Motorola Moto G X1039). I encrypted the phone and set the screen password. then
After each password change, I can choose one of two options:
- & # 39; Password required at startup & # 39;
- & # 39; No thanks & # 39;
When I select the first one, the phone asks for the password before booting. If I choose the second option, the phone starts without a password, but needs a password to unlock the screen. I am aware that Android Dummy can temporarily mount
/data File system just to show nice user interface.
However, if the second option is selected, the phone can display notifications of new incoming emails or messenger messages after booting but before receiving my password. and we're talking about Android 5 (before file-based encryption)
How does my fully encrypted Android know without asking for my password:
- that I have installed Gmail or Messenger
- my email or messenger password
- that I have activated notifications for Gmail and Messanger
How does it work without my password if it should be fully encrypted? or if I choose not to use the password during startup, does full disk encryption only use the default password? If so, is it secure at all, does it still protect the data of a stolen phone (I know that a user password along with a hardware-based key / chip is required to decrypt the hard drive)?
again the scenario:
- Restart the encrypted phone with the screen lock password you set
- Wait for it to start (don't enter a password)
- Send an email or messenger message from another phone
- The encrypted phone displays a notification of incoming messages, but has never received the password to decrypt the hard drive
In the past few weeks, I've spent a lot of time thinking about structuring my security plan based on a password manager, only two to three strong passwords, and using physical U2F keys like YubiKey. Without going into too much detail, part of my plan would necessarily include the following:
I have a password manager that stores passwords for all of my online accounts (apart from the main email address used to register such accounts). For reasons related to other parts of my plan:
- If possible, these individual accounts are secured by the traditional 2FA justwhere a 30 second code is generated with a phone app.
- The manager himself is secured with a physical U2F key just.
The reasons for this were as follows. Consider these two unlikely scenarios:
- My main password for the manager and my phone with the 2FA app are stolen. Since the manager can only be accessed with the U2F key, I am safe.
- My main password and the U2F key are stolen. The attacker can log in to the manager. However, since the 2FA code is required for the accounts whose passwords are stored, I am sure that the attacker does not have my phone. (You can only access websites that do not have the 2FA option, but they are considered unimportant here.)
However, when I read the Dashlane and 1Password technical support pages, I understand that to add a key to my manager, I also need to activate the code-based 2FA first (this may not be the case, but the information has not been conveyed clearly ). Keeper appears to support U2F without enforcing such a 2FA. LastPass doesn't seem to support U2F at all, only OTP.
The reason I'm worried about this is:
- My main password and my phone with the 2FA app are stolen. If both 2FA codes and U2F are activated for the manager, the attacker can now access them (in contrast to case 1). Since the accounts contained therein use 2FA, they can also access these accounts (in contrast to case 2). Security at risk!
Therefore, it is crucial for me to use only one type of two-step authentication for my manager. Although Google allows many methods, all methods other than the U2F keys become invalid, although Google allows many methods. I want the same from my manager. Is that possible in Dashlane or 1Password?
P.S. I am aware of the risks of using only the U2F keys for my manager. Some managers, e.g. Dashlane, offer unique recovery codes that could be safely stored elsewhere. You could also write down the (usually 32-digit) code associated with the QR image to activate the usual 2FA without actually activating it at this point.
I'm looking for some UX examples of how other companies have dealt with this situation:
Developers use an old password encryption method (sha1), which I think needs to be changed to more secure encryption.
What they have done:
When users logged on, they only encrypted their password with the new encryption and the users didn't know anything.
The only problem is that we have a number of users who are not frequent users and who only log in regularly.
Developers want to delete all passwords and require users to reset their passwords.
We don't want to alert them to the fact that there are security issues as we have a lot of important data in their user accounts.
In this case, users would try to sign in and only get a message that their credentials are incorrect.
The initial approach was: Finally, users simply click on a forgotten password after being told "invalid credentials".
However, this just feels wrong and we tried to think of different processes, but due to development constraints we have to stick to the "Forgot Password" link. (Not the best solution, but making the best of it)
My question is:
What message would be useful if you asked them to reset their password that does not indicate security issues?
Are there any existing companies that have randomly asked users to reset their passwords?
If you send the form under / user / login, both fields in the POST text will be sent in plain text. If you're using a browser debugger (like Chrome Inspector), you can view and view network traffic.
Then the transmitted password is hashed on the server side with the current algorithm (it is currently a stretched SHA-512, see
PhpassHashedPassword() for more details) and compared with the version in the database.