58
votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
This is a really good example of insecure authentication, justified on the basis that if the site is compromised it is not possible to identify the person. If that's the case, why do we even need a ...
- 10.1k
47
votes
Is Password Hashing Bad?
This is a reasonable point being justified using incorrect claims.
The issue here isn't about having users enter passwords. How do you think they're going to log in to Google/Facebook/any other third ...
- 59.5k
30
votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
"Never store passwords in plain text" is not a rule. It is a best practice based on common security breaches on naive implementations of password protections.
In that sense, the question:
Is this ...
- 2,818
21
votes
Is Password Hashing Bad?
The specific claim: "Password hashing is bad" is somewhat odd. If you are supporting passwords, hashing is pretty important. The more interesting and more contentious (based on the other ...
- 30.9k
19
votes
How to store a password so that it can be passed to another site/service which is expecting a plaintext input
You really don't want to be storing passwords on your server in a reversible manner, even with encryption - if your encryption key is compromised, all passwords will be exposed. OAuth is the standard ...
- 5,004
15
votes
If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password?
One way to implement this is if you reset password, you are usually asked to enter your old password as well. You can simply just use regular string similarity comparison in that situation because you ...
- 12.5k
12
votes
If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password?
The simple answer is that a secure system does not know if they are similar.
But some systems intentionally reduce the security for a specific password in someways to prevent new passwords from being ...
- 16.6k
11
votes
Accepted
During account creation, is it better to generate the password automatically and send it to the user, or to let the user create his own password?
The advntage of the email approach is that you ensure by this way that the user did provide a valid email account that he/she controls.
However, the email channel is notoriously insecure. This means ...
- 82.1k
10
votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
In Short: No
If you forget your password, you ask the professor, who can look it up
I see no real reason in the question to ignore the secure authentification guidelines here. Many (too many) people ...
- 200
9
votes
Is Password Hashing Bad?
I would agree in a kind of "if life were perfect" sense. If you rely on Google, FB or whatever and you can force that option on every one of your users, you never ever can be held ...
- 1,348
8
votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
No, but the plain text file is probably the least of your concerns.
So answer the follow:
1) Is there any information that can uniquely identify individual students, like the student’s ID, full name,...
- 1,132
8
votes
Accepted
How to compare passwords which is stored in DB in encrypted form in secure way?
Question- If are storing passwords in encrypted format in DB and in future when user login into our website how will we perform authentication?
You never, ever store passwords encrypted. Never. ...
- 105k
7
votes
Accepted
Is there a secure way to check previous passwords purely on the client-side?
Secrets Are Not Shared
Unless they are not secrets
Ironically from a security perspective that delay, is actually a feature.
To a user, for the most part they will get it right, perhaps they will ...
- 16.6k
7
votes
If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password?
If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password? Wouldn't the two passwords be totally different since one is ...
- 105k
7
votes
Accepted
How to store a password so that it can be passed to another site/service which is expecting a plaintext input
Your concerns are valid, and sadly external services don't always support desirable authentication options.
One possible method would be to encrypt the external service credentials using a key derived ...
- 18.6k
6
votes
hash-like algorithm to identify passwords which are "too similar" to previous ones from history
Similarity hashing and all such related techniques are highly insecure when applied to passwords. Currently, it seems that best practices are:
DO apply password strength metrics
minimum length
check ...
- 136k
6
votes
How to compare passwords which is stored in DB in encrypted form in secure way?
I don't know whether the interviewer asked something wrong on purpose to see whether you would correct him or he was just simply wrong. But when you used a hash function if someone breaks into the ...
- 831
5
votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
Given the requirement for the professor to be able to look up forgotten passwords, there is no way to avoid storing the passwords in plain text. So assuming that the requirements are 100% inflexible, ...
- 209
5
votes
Should I check for non-existing users with correctly signed tokens?
Two options:
Use a different signing key for each separate user DB. That way tokens cannot be valid in more than one system.
Store only a random surrogate key in the token. This key is then mapped to ...
- 11.6k
5
votes
How to best obfuscate a built-in key in an application?
You need to be aware of the caveats in the comments already given, and experience has shown that even strong obfuscation of built-in keys is not safe if an application is widely distributed and there ...
- 18.6k
5
votes
How to best obfuscate a built-in key in an application?
Obviously this isn't ideal, but you know that already. If you're not sure about their security you'll at least want them to have their own set of credentials so that you can invalidate them if they ...
- 39.4k
5
votes
Accepted
Designing Password Recovery for an Offline-First Password Manager
I think the standard approach here is to have a recovery key that the user stores "in a safe place"
The key is much longer than a password and presumably harder to crack. You rely on the ...
- 84.4k
4
votes
Accepted
Client Side Hashing + Server Side Hashing
While I hope never to make the mistake, is it viable to do an unsalted hash on the front end and send that to the back end instead? Should the same or similar mistake ever be made, at the very least ...
- 9,261
4
votes
Accepted
Hashing from within the database or outside?
Hashing on the application side has one major benefit: passwords/credentials are guaranteed not to be send over the network in an unencrypted fashion, so they cannot be easily found by analysing the ...
- 220k
4
votes
Accepted
Securly storing password with revertible encryption
Your instincts are correct, this is a terrible practice.
I see a couple of possibilities:
The web server encrypts the password using keys stored in the web server, and sends the data encrypted to the ...
- 13.9k
4
votes
Is Password Hashing Bad?
In looking at this slide we should probably evaluate it against two scenario's:
An average user with weak security (password re-use, dictionary passwords, no 2FA).
A more security competent user (...
- 4,629
3
votes
How can I protect sensitive information inside a binary?
There's no foolproof way to do that. If the executable is in the hands of the potential attacker, they can ultimately get that information out of it.
The more usual way to do this is:
Host a server ...
- 653
3
votes
Accepted
hash-like algorithm to identify passwords which are "too similar" to previous ones from history
My understanding is that the typical solution for this is to keep a history of the old password hashes and associated salts.
Then when a new password is being set, apply a number of simple variations ...
- 30.9k
3
votes
Accepted
Should usernames and passwords to external systems be documented?
Credentials come in different flavors, so you need different approaches.
User credentials should only be known to the user, who might employ password storage tools to protect against forgetting ...
- 18.6k
3
votes
How do password-protected pdf documents work?
A PDF file consists of a series of objects, and dictionary is one of the most important ones.
Every document has a "trailer dictionary" which holds references to a
few important things, and ...
- 3,242
Only top scored, non community-wiki answers of a minimum length are eligible