google chrome – How should I prevent Ditto from copying passwords from the Bitwarden Firefox extension?

I thought Ditto worked well until the passwords I had copied showed up. I use Bitwarden (Premium) and find the hash values in that same clipboard list.

I am using Windows 10.

And I mostly use the BW Firefox extension to copy passwords.

I know there is an Exclude option in Ditto > Options, and I would like to know whether there is a way to reference the BW Firefox extension there.

Passwords – what happens if your Skype is hacked?

Suppose your account is hacked even though you have followed all of the security advice.

What happens then?

Can they "jump" from Skype to the entire device?

To steal my contacts, photos, videos, etc.?

Or is the hack local?

Second question: can you be hacked "silently", i.e. they are in your Skype / device without you knowing about it?

If the answer is yes, what can I do to know?

I am sorry if the questions are too stupid; my knowledge of these topics is not good.

Thank you in advance for your help.

Saved WiFi passwords on Android 10

I'm trying to figure out the logic behind the WifiConfigStore.xml file on Android 10.

I am rooted. I have an XML file generated by Titanium Backup from which I can import and restore hundreds of saved networks, marked with "Saved by Titanium Backup".

If I remove TiB, all saved networks are gone.

Password viewers work, but I'm looking for a way to mimic TiB's behavior: export a list and then import it without any particular app dependency (so passwords don't go away when I remove the app).

I tried saving the WifiConfigStore.xml file after saving a network, manually adding a saved network, moving it back, and setting the permissions and owner. After a restart, there were no saved passwords on my device.

Help would be appreciated.

Passwords – Fully secured screen lock in Ubuntu with encryption

I understand that what you are looking for is a combination of several different things that are probably too broad for a single question.

This should give you an idea of how you can encrypt on suspend on Linux.

Is there a secure screen lock (no bugs, no security hole when X11 crashes, etc.)?

Nothing is absolutely safe and immune to bugs or weaknesses. I would look around and consider different options. Note that there may be incompatibility issues between a custom lock screen application and your desktop environment (if applicable).

Can I use home directory encryption in addition to full disk encryption, and set up the screen lock so that the same password unlocks the screen and decrypts the home directory (I don't want to enter two passwords)?

This depends on the implementation of your particular lock screen and on the encryption configuration.

Protection from cold boot attacks, access to physical ports, and tampering are other topics on which there is a lot of material. You will gain more traction by doing some research, choosing specific areas to clarify, and asking about them as separate questions.

Passwords – Do additional rules for the generation scheme of my diceware list reduce security?

I have read Simon Singh's The Code Book and am interested in playing with some of the ideas in the book to improve my own understanding. I do not intend to implement the following in any real setting. I am only interested in examining the security implications.

I want to create alternative diceware lists that have quirks, e.g. that each word is typed only with the left hand, or that keystrokes alternate between hands. Suppose I can generate 7776 different strings and follow all other guidelines for diceware. Are all diceware lists equally secure?

In the German Enigma machine, no letter could be encrypted as itself (e.g. A could not be encoded as A). This detail helped crack the code. However, I do not think that this is the case here. The strength of the password does not depend on encryption. I don't understand why 6 or 7 strings randomly selected from a list of 7776 wouldn't have the same entropy regardless of the list. Theoretically, it could even consist of 7776 different binary strings, right?

I understand that additional password generation rules sometimes reduce security. If an attacker knows my diceware list, does it matter whether each entry consists only of the 15 unique left-hand characters? Is there less entropy?
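The following is an added example, not part of the question or of any real Diceware list, that makes the entropy argument concrete: it rolls five dice per word, and computes the attacker's search space for three constructed lists (a left-hand-only list of 7776 four-letter strings over the 15 letters "qwertasdfgzxcvb", an ordinary 26-letter list of 7776 entries, and a left-hand list the author could only fill to 3375 entries). The QWERTY left-hand letter set and the synthetic word lists are assumptions; the point is that, for an attacker who knows the list, only the number of entries and the uniformity of the dice matter, not which characters the words use.

```python
import itertools
import math
import secrets

LIST_SIZE = 6 ** 5                       # 7776 entries: one per five-dice roll
LEFT_HAND = set("qwertasdfgzxcvb")       # 15 left-hand letters on QWERTY (assumed layout)


def dice_index(rolls):
    """Map five dice rolls (1..6 each) to a list index 0..7775, first die most significant."""
    if len(rolls) != 5 or any(r < 1 or r > 6 for r in rolls):
        raise ValueError("need exactly five dice showing 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)
    return index


def entropy_bits(list_size, n_words):
    """Entropy of n_words chosen uniformly and independently from list_size entries."""
    return n_words * math.log2(list_size)


def left_hand_only(word):
    return len(word) > 0 and set(word) <= LEFT_HAND


def make_list(alphabet, word_length, size):
    """Constructed word list: the first `size` fixed-length strings over `alphabet`.

    A stand-in for a real Diceware list; only the number of entries matters below.
    """
    words = []
    for combo in itertools.product(sorted(alphabet), repeat=word_length):
        words.append("".join(combo))
        if len(words) == size:
            break
    if len(words) < size:
        raise ValueError("alphabet too small to fill the list")
    return words


def roll_passphrase(wordlist, n_words, randbelow=secrets.randbelow):
    """Roll five dice per word and pick from the list; randbelow is swappable for testing."""
    if len(wordlist) != LIST_SIZE:
        raise ValueError("Diceware needs exactly 6^5 entries")
    words = []
    for _ in range(n_words):
        rolls = [randbelow(6) + 1 for _ in range(5)]
        words.append(wordlist[dice_index(rolls)])
    return " ".join(words)


# Three constructed lists: left-hand-only (15 letters, 4 chars), ordinary (26 letters,
# 3 chars), and a short left-hand list that could not be filled up to 7776 entries.
LEFT_LIST = make_list(LEFT_HAND, 4, LIST_SIZE)                      # 15^4 = 50625 >= 7776
FULL_LIST = make_list("abcdefghijklmnopqrstuvwxyz", 3, LIST_SIZE)   # 26^3 = 17576 >= 7776
SHORT_LEFT_LIST = make_list(LEFT_HAND, 3, 3375)                     # 15^3 = 3375 only


def compare_lists(n_words=6):
    """Entropy in bits per list for an attacker who knows the list; only the size matters."""
    return {
        "left_hand_7776": entropy_bits(len(LEFT_LIST), n_words),
        "full_7776": entropy_bits(len(FULL_LIST), n_words),
        "left_hand_3375": entropy_bits(len(SHORT_LEFT_LIST), n_words),
    }


if __name__ == "__main__":
    print(roll_passphrase(LEFT_LIST, 6))
    for name, bits in compare_lists(6).items():
        print(f"{name}: {bits:.1f} bits")
```

The two full-size lists give identical entropy (about 77.5 bits for six words) even though one uses only 15 letters; the reduced-size list is weaker purely because it has fewer entries. The restriction only hurts if it stops you from filling all 7776 slots with distinct entries, or if it makes you skew the selection away from uniform dice.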

java – Secure hashing of passwords

Before we even get to the parameters, there are a few security holes.

private char[] password;

By storing the plaintext password in an instance field, it remains recoverable from memory dumps for a longer period of time. The field does not need to be an instance field, since it is only used in the hash method.

public void hash(String rawPassword) {

Passing a plaintext password as a String parameter makes safe disposal impossible. Passwords must be passed as character arrays and wiped immediately once they are no longer needed.

public void destroy() {

You have the right idea that a class holding confidential data has to be wiped, but here you have pushed the responsibility onto the caller, while the data to be wiped is completely irrelevant to the caller. You should avoid relying on other people to handle sensitive data correctly. Someone will forget to call destroy(), because that is not something one has to do in a garbage-collected environment. At the very least you could make it Closeable, so that there is a general contractual indication that the class needs to be cleaned up. However, it is better to write the class so that no external cleanup is required.

private int ammountOfBytes = 64;
private int keyLength = 512;
private int iterations = 100000;

These should be static final constants, since you have no way to change them.

private String saltHex;
private String hashHex;

These are the only fields whose state needs to be kept. Instead of packing all fields into the same PasswordHasher class, you should put these two fields into a dedicated data class, turn all the other code into static utilities, and let the hash method return the data class.
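The following is an added example that applies the reviewer's structure above, written in Python rather than Java and not taken from the reviewed code: the parameters are module-level constants (the equivalent of static final fields), the password arrives as a mutable bytearray so that this function can zero it instead of relying on the caller to call destroy(), the derivation is a stateless function, and only the salt and digest are returned in a small frozen data class. PBKDF2-HMAC-SHA512 with 64-byte salt, 512-bit key and 100,000 iterations mirrors the constants in the reviewed class; the use of hashlib.pbkdf2_hmac and hmac.compare_digest is the standard-library route chosen here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Module-level constants: the equivalent of static final fields, since nothing changes them.
SALT_BYTES = 64
KEY_LENGTH_BITS = 512
ITERATIONS = 100_000
PRF = "sha512"


@dataclass(frozen=True)
class PasswordHash:
    """The only state worth keeping: the salt and the derived key."""
    salt: bytes
    digest: bytes

    def salt_hex(self) -> str:
        return self.salt.hex()

    def digest_hex(self) -> str:
        return self.digest.hex()


def _wipe(buffer: bytearray) -> None:
    """Overwrite a mutable buffer in place; the counterpart of Arrays.fill(password, '\\0')."""
    for i in range(len(buffer)):
        buffer[i] = 0


def hash_password(password: bytearray, salt: Optional[bytes] = None) -> PasswordHash:
    """Derive a PBKDF2-HMAC-SHA512 hash and wipe the password buffer before returning.

    The password is a bytearray (not str/bytes) so the caller's copy can be zeroed here;
    no caller has to remember a separate destroy() call. A salt is only supplied when
    verifying against a stored record; a fresh random one is drawn otherwise.
    """
    if not isinstance(password, bytearray):
        raise TypeError("pass the password as a bytearray so it can be wiped")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    try:
        digest = hashlib.pbkdf2_hmac(PRF, password, salt, ITERATIONS, KEY_LENGTH_BITS // 8)
    finally:
        _wipe(password)  # runs even if the KDF raises
    return PasswordHash(salt=salt, digest=digest)


def verify_password(password: bytearray, stored: PasswordHash) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hash_password(password, stored.salt)
    return hmac.compare_digest(candidate.digest, stored.digest)


if __name__ == "__main__":
    pw = bytearray(b"correct horse battery staple")
    record = hash_password(pw)
    print(record.salt_hex(), record.digest_hex())
    print(pw)  # all zero bytes: the plaintext is gone from this buffer
```

In Python this is only a partial win, since a str or bytes literal holding the password elsewhere cannot be zeroed; the structural point stands regardless: the hasher owns the wiping, the constants are not mutable instance state, and the returned record carries nothing but what has to be stored.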

Encryption – Use a self-made hash for passwords for an insignificant website

First of all, I have no plans or intent to ever use a home-brew hash function. I am aware of why you shouldn't do this, and I have read enough threads about it to know that it is stupid to do so.

I understand that I am not an expert in this area, and that those who are could find and abuse a vulnerability in my self-made algorithm and use those findings to crack my stored password hashes more easily than with a more robust standard algorithm.

What I can't get my head around is the following: take a function where you put in A and it always outputs B, where B is always the same. I am aware that this is not the best, but please take it as it is, as a 'correct' comparison algorithm.

If a hacker has a database, he does his thing and manages to recover a lot of passwords from it. Whether a bot is run over them or they download / hack / buy generic leaked password sets, the hacker can repeat the standard tricks to reverse them.

If I run a company that is so insignificant that it is not specifically targeted by hackers, and I use my own "extra sauce" [1], all "drive-by" variants of those tricks no longer work, and it would therefore be safer.

Is there a flaw in my logic, and what is it? In the long run this would be a worthless approach, because what if you get bigger? Just do it right from the start. But what if you know you never will?

[1] e.g. I split the string into parts A and B and concatenate them as BAB.

hash – brute force hashing of passwords with known format

The word "random" carries a lot of weight in the infosec community. In fact, some people are obsessed with it! We keep trying to get a better approximation of true randomness, but it may actually be impossible!

The secret in your problem is weak not because of the reversibility of the hash (which would be very difficult), but because it is simply not long enough and not random enough to have the entropy needed to make a brute force attack impractical.

I see that the first "random" value is a date. It looks like the date may be relevant to the system. If the system uses SHA-512, this value probably falls somewhere in recent years, and probably quite recently!

The second "random" value is a name. I could probably get a list of names used all over the world and iterate my cracker through various combinations of them. If I could make a few guesses about the user's ethnicity, I could narrow the dictionary even further.

And that is why randomness is so important! Since these values are not really random, they are much easier to guess than others, and a cracker based on dictionary attacks can be programmed to take advantage of this fact.
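The following is an added example, not code from either post, that demonstrates both this answer and the earlier "self-made hash" question with one small structured cracker. For the known-format secret it enumerates <date><name> candidates over two years of dates in three formats and a constructed name list, and recovers an unsalted SHA-512 hash of "20200214carol" after a few tens of thousands of hashes. For the home-brew scheme it shows that once the "extra sauce" (the BAB rearrangement from the question's footnote) is known, the cracker needs exactly one extra function in its pipeline. The hashes, the name list, the wordlist, the date formats and the choice to split the password at its midpoint are all constructed assumptions.

```python
import hashlib
from datetime import date, timedelta


def sha512_hex(text: str) -> str:
    return hashlib.sha512(text.encode("utf-8")).hexdigest()


def bab_mangle(password: str) -> str:
    """The earlier question's 'extra sauce': split into A and B, hash B + A + B.

    Splitting at the midpoint is an assumption; the question does not say where it cuts.
    """
    mid = len(password) // 2
    a, b = password[:mid], password[mid:]
    return b + a + b


def date_strings(start: date, end: date, formats=("%Y-%m-%d", "%Y%m%d", "%d.%m.%Y")):
    """Every calendar day in [start, end], rendered in a few plausible formats."""
    day = start
    while day <= end:
        for fmt in formats:
            yield day.strftime(fmt)
        day += timedelta(days=1)


def structured_candidates(start: date, end: date, names):
    """Candidates for a secret known to be <date><name>; the cracker walks only this space."""
    for ds in date_strings(start, end):
        for name in names:
            yield ds + name


def crack(target_hex: str, candidates, mangle=lambda s: s):
    """Return (plaintext, attempts) or (None, attempts); `mangle` is any known pre-hash step."""
    attempts = 0
    for candidate in candidates:
        attempts += 1
        if sha512_hex(mangle(candidate)) == target_hex:
            return candidate, attempts
    return None, attempts


# Constructed inputs (not from the page): a small name list, a wordlist, two "leaked" hashes.
NAMES = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi",
         "ivan", "judy", "mallory", "niaj", "olivia", "peggy", "rupert", "sybil",
         "trent", "victor", "walter", "wendy"]
WORDLIST = ["123456", "password", "letmein", "Summer2019", "qwerty"]
KNOWN_FORMAT_HASH = sha512_hex("20200214carol")         # unsalted SHA-512 of date + name
HOME_BREW_HASH = sha512_hex(bab_mangle("Summer2019"))   # sha512(BAB) per the other question


def crack_known_format():
    """2 years x 3 formats x 20 names is at most 43,860 hashes: seconds, not centuries."""
    return crack(KNOWN_FORMAT_HASH,
                 structured_candidates(date(2019, 1, 1), date(2020, 12, 31), NAMES))


def crack_home_brew(knows_scheme: bool):
    """Without the scheme the plain wordlist misses; with it, one extra function suffices."""
    mangle = bab_mangle if knows_scheme else (lambda s: s)
    return crack(HOME_BREW_HASH, WORDLIST, mangle=mangle)


if __name__ == "__main__":
    print("known format:", crack_known_format())
    print("home-brew, scheme unknown:", crack_home_brew(False))
    print("home-brew, scheme known:  ", crack_home_brew(True))
```

The structured search space (about 4.4e4 candidates) is what the answer means by "not enough entropy": the attacker never touches the 2^512 output space of the hash. The home-brew case shows why a secret transform is not a defense: the transform lives in the application code that leaks alongside the database, and a real cracker would express it as a mangling rule and pay nothing for it; a slow salted KDF, not an obscure one, is what raises the attacker's cost.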

Security – is there an advantage in storing user passwords in a separate SQL table?

I asked a similar question about passwords in a separate database, but this is about using a separate table in the same database.

I imagine an online application with PHP in the backend and a suitable database. The actual backend software is not really important for this question.

When a user database is stolen, is it usually the entire database or just one or two of the tables? I have read many times that user data was stolen but that it did not include this or that field, which suggests only a single table was taken.

If I keep the passwords in a separate table, it wouldn't be so bad if only the user data table were stolen.

Of course, I'm talking about password hashes, not plaintext, and I take the usual precautions such as prepared statements.