cryptography – How do very big companies manage passwords?

Third-party password managers such as 1Password are very useful for people, businesses, etc. to store passwords, but obviously I bet Facebook, Google, Twitter and other super big tech companies don’t use such third-party services and have their own password managers for their most critical passwords.

How can a very big company manage some of the world’s most sensitive passwords? (example: Gmail team root access password!)

Even with the most advanced password manager, you still have the problem of the master password.

Should this be shared among a few trusted people? Or kept by only 1 or 2 people (then what happens in the case of an accident?)

Are big companies known to use implementations of Shamir’s Secret Sharing?

More generally, what are well known methods that very big companies use to manage their most sensitive passwords? (i.e. passwords that, if lost, could generate tens of billions of $ of loss)

passwords – Diceware as a passphrase for online accounts

The purpose of passphrases is to have a strong authentication factor that is easy to remember. If you use a password manager you don’t need to be able to remember your passwords, so in most cases you don’t need passphrases at all.

The point about online services is a separate one, and it applies to both passwords and passphrases. Basically, for logging in to remote services, often your passwords don’t need to be extremely strong. The reason is simple: online brute-force attacks are way slower than offline attacks, plus several services today also implement other security controls (rate limiting, two-factor authentication, geolocation, alerts, etc.). However, if you are using a password manager this point is moot: the password manager lets you use strong passwords in every case, without complicating the login process at all.

malware – Found something grabbing passwords on a PC

Got a fun one — I haven’t seen this behavior before, but maybe someone here will recognize it.

Some strange behavior was observed on a PC, but Anti-Virus picked nothing up. I’ve looked at the output (see below) from the attack, and the format looks familiar, but I can’t place it.

It looks like the program was cracking passwords stored in Chrome: tabs were automatically being opened, and output was being piped to notepad. The user says he opened notepad and saw text being written live.

I’m going through an image of the drive now to see what I can find, but while I’m working that avenue, I wanted to see if anyone recognized the output of this password cracker, or maybe is even familiar with the behavior I described above.

sample text found in notepad (sanitized, obviously):

144310@&

5 144310@&

11

17

18

19

22

1443295@&

5

11 1443295@&

17

18

19

5

11

17

18

19

22

5

1

5

11

17

18

19

22

5

11

17

18

19

22

11

17

18

19

22 closed

jo

1515

b y

5

11

17

18

19

22

p

n 88411634955 88411634955

949750 y y <partial password?>

108548 071019

144305@&

11 144329@& 144315@& 1443158@&

17

18

19

5

11

17

18

19

22

225

11

17

18

19

22

mac

1443289@& 1443276@&

5 1443289@& 1443276@& 1443280@& 14432766@& 1443261@&

1443280@&

1443261@& 5

11

17

18

19

22

871202

14432766@&

more of the same…

oji

is bcrypt(strtolower(hex(md5(pass)))) ok for storing passwords?

I have a large database where passwords are stored as strtolower(hex(md5(pass)))
(which is a bad way to store passwords: prone to rainbow tables, cheap to dictionary-attack, no salt, etc.),
and I’m tasked with switching from md5 to bcrypt.

I have to use a bcrypt implementation that silently truncates after 72 bytes and silently truncates at the first null byte (whichever comes first), and bcrypt(strtolower(hex(md5(pass)))) would not be prone to either of those issues.

Also, it’s possible to retroactively apply bcrypt() to existing strtolower(hex(md5(pass))) password hashes, without requiring everyone to re-login/switch passwords.

Is it a bad idea? (I don’t think so, but I still want to hear what security.SE has to say; maybe there’s something important I’m missing.) (Also not sure if this belongs on Security.SE or Crypto.SE, anyone knows?)
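Added example, not the poster’s code: it models the two silent truncations the question describes (72 bytes, first NUL) to show concretely why the md5 pre-hash avoids them, and how an existing strtolower(hex(md5(pass))) record is wrapped in place without the plaintext. Assumption: `slow_hash` stands in for the real bcrypt call; it is PBKDF2-HMAC-SHA256 from the standard library, chosen only so the example runs without a bcrypt module. bcrypt’s own per-hash salt is what fixes the "no salt" problem of the legacy scheme; the md5 pre-hash changes nothing about that.

```python
"""Pre-hashing with md5-hex before a truncating bcrypt (added example, not the poster's code).

`slow_hash` is a stand-in for the bcrypt implementation described in the
question (PBKDF2 from the standard library, low iteration count for the demo);
`bcrypt_effective_input` reproduces the truncation behaviour that implementation
has, so the collisions shown here are the ones a naive bcrypt(pass) would have.
"""
import hashlib
import hmac
import os

BCRYPT_MAX = 72


def bcrypt_effective_input(password: bytes) -> bytes:
    """The bytes the described implementation actually hashes: cut at first NUL, then at 72."""
    nul = password.find(b"\x00")
    if nul != -1:
        password = password[:nul]
    return password[:BCRYPT_MAX]


def md5_prehash(password: bytes) -> bytes:
    """strtolower(hex(md5(pass))): always 32 lowercase hex bytes, never contains a NUL."""
    return hashlib.md5(password).hexdigest().lower().encode("ascii")


def slow_hash(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt, including its truncation of the input."""
    return hashlib.pbkdf2_hmac("sha256", bcrypt_effective_input(data), salt, 10_000)


def upgrade_stored_md5(md5_hex: str):
    """Wrap an existing legacy record; only the stored md5 hex is needed, not the password."""
    salt = os.urandom(16)
    return salt, slow_hash(md5_hex.lower().encode("ascii"), salt)


def verify(password: bytes, salt: bytes, stored: bytes) -> bool:
    """Login check after migration: pre-hash the candidate, then compare in constant time."""
    return hmac.compare_digest(slow_hash(md5_prehash(password), salt), stored)


if __name__ == "__main__":
    # Two passwords that a naive bcrypt(pass) on this implementation cannot tell apart.
    a, b = b"A" * 72 + b"x", b"A" * 72 + b"y"
    salt = os.urandom(16)
    print("naive collides:", slow_hash(a, salt) == slow_hash(b, salt))             # True
    print("prehash collides:", slow_hash(md5_prehash(a), salt) == slow_hash(md5_prehash(b), salt))  # False
    # Migrating a legacy row without knowing the password.
    legacy_row = md5_prehash(b"hunter2").decode("ascii")
    s, stored = upgrade_stored_md5(legacy_row)
    print("login ok:", verify(b"hunter2", s, stored), "wrong pw:", verify(b"hunter3", s, stored))
```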

passwords – Use John to crack salted SHA2-512 hash

SHA2-512 hash:
3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f

salt:
6806f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167

The password result should be “admin”. But assume you don’t know that; you only know the password may be in the Kali password list.

How do I crack the password using John? What is the format for storing the hash and salt in hash.txt so that it is processed by John?
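Added example, not part of the question: before running John it is cheap to test which salted SHA-512 construction produced the hash, because that decides the `--format` flag and the hash.txt line. John’s dynamic formats name the common orders; per its dynamic.conf, `dynamic_80` = sha512($p), `dynamic_81` = sha512($s.$p) and `dynamic_82` = sha512($p.$s) (confirm on your build with `john --list=subformats`). HASH and SALT are the values from the question; WORDLIST is a constructed stand-in for Kali’s rockyou.txt. Note that the salt as posted is 57 hex characters, an odd length, so it cannot be a hex-encoded byte string; the code tries it as literal text and only decodes even-length hex.

```python
"""Identify the salted SHA-512 construction before running John (added example).

CONSTRUCTIONS maps John dynamic subformat names to how the digest is built
from password p and salt s, as documented in John's dynamic.conf.
"""
import hashlib

HASH = "3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f"
SALT = "6806f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167"
WORDLIST = ["123456", "password", "admin", "letmein"]  # constructed stand-in for rockyou.txt

CONSTRUCTIONS = {
    "dynamic_80": lambda p, s: hashlib.sha512(p).hexdigest(),      # sha512($p)
    "dynamic_81": lambda p, s: hashlib.sha512(s + p).hexdigest(),  # sha512($s.$p)
    "dynamic_82": lambda p, s: hashlib.sha512(p + s).hexdigest(),  # sha512($p.$s)
}


def salt_variants(salt: str):
    """Yield (label, bytes): the salt as literal text and, if even-length hex, decoded."""
    yield "ascii", salt.encode("ascii")
    if len(salt) % 2 == 0 and set(salt) <= set("0123456789abcdefABCDEF"):
        yield "hex-decoded", bytes.fromhex(salt)


def identify(target_hex: str, salt: str, wordlist):
    """Return (password, john_format, salt_encoding) for the first match, else None."""
    target = target_hex.lower()
    for word in wordlist:
        p = word.encode("utf-8")
        for label, s in salt_variants(salt):
            for name, build in CONSTRUCTIONS.items():
                if build(p, s) == target:
                    return word, name, label
    return None


def john_line(target_hex: str, salt: str, john_format: str) -> str:
    """hash.txt line in John's self-describing dynamic form: $dynamic_N$hash$salt."""
    return f"${john_format}${target_hex.lower()}${salt}"


def make_hash(word: str, salt: str, john_format: str) -> str:
    """Build a digest for a known construction (used to sanity-check identify())."""
    return CONSTRUCTIONS[john_format](word.encode("utf-8"), salt.encode("ascii"))


if __name__ == "__main__":
    hit = identify(HASH, SALT, WORDLIST)
    if hit is None:
        print("no match for sha512($p), sha512($s.$p) or sha512($p.$s); try other subformats")
    else:
        word, fmt, enc = hit
        print(f"password={word!r} format={fmt} salt-as={enc}")
        print("hash.txt line:", john_line(HASH, SALT, fmt))
        print(f"run: john --format={fmt} --wordlist=/usr/share/wordlists/rockyou.txt hash.txt")
```

Once `identify` reports a format, write the `$dynamic_N$hash$salt` line to hash.txt and run `john --format=dynamic_N --wordlist=<list> hash.txt`; if none of the three matches, the hash was built some other way (for example with the salt hex-decoded, iterated, or a different separator) and the other `dynamic_8x` subformats are the next thing to try.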

Firebase how to hide external resources keys and passwords

I need to securely store keys and passwords for external resources in Firebase.
Let me explain better: I have a Firebase project that 3 developers are working on. I would like only one dev to have access to some API keys and passwords for external resources, and to hide them from the others (such as partners’ API keys or even the Postgres user and password).

How could I do this? Is there a way to restrict access to the Firebase config environment variables? Or is there any other Google solution for this?

Tks.

How can we eliminate passwords given the problems with biometric authentication?

I’ve read articles suggesting that passwords will eventually go the way of the dinosaur only to be replaced by biometrics, PINs, and other methods of authentication. This piece claims that Microsoft, Google, and Apple are decreasing password dependency because passwords are expensive (to change) and present a high security risk. On the other hand, Dr. Mike Pound at Computerphile claims that we will always need passwords (I think this is the correct video).

But as this wonderful Security StackExchange thread notes, biometrics are not perfect. Granted, the criticisms are roughly six years old, but they still stand. Moreover, and perhaps I have a fundamental misunderstanding of how biometric data is stored, but what if this information is breached? Changing a password may be tedious and expensive, but at least it can be changed. I’m uncertain how biometric authentication addresses this problem, as I cannot change my face, iris, fingerprint, etc., or whether it needs to address this problem at all.

Are those who argue that we can eliminate passwords prematurely popping champagne bottles or are their projections correct?

exchange – How do I set up O365 to allow IMAP? (App Passwords not found)

I have an Office 365 account and cannot link my email to my email client. I have MFA activated and the only client that lets me link the mail is Outlook 2019 itself, for PC or Mac.

Can I link it with other clients or mail managers?
I have followed this guide:
How do I set up O365 to allow IMAP?

I have IMAP enabled
I have application passwords
I have the correct servers, IMAP and SMTP

I have been investigating and I think there is something more to do.

Multi-factor authentication – beware!


Does anyone know how to allow linking Office 365 with any mail client over IMAP?