Revisiting: Pre-hash password before applying bcrypt to avoid restricting password length

Okta released a security advisory 4 days ago, stating that accounts with usernames longer than 52 characters can log in with an arbitrary password under specific conditions.
Some people on X/Twitter suspect that Okta uses userid + username + pas…

Is it secure to expose a salted bcrypt hash IF it is maximum length random secure password?

Is it secure to expose a salted bcrypt hash (minimum cost 14) if the password used is 72 bytes long (the maximum), made of randomly generated letters, numbers, and special characters from a secure generator?
Is it secure against offline brute…

Best practices for storing passwords for PHP and MySQL applications [duplicate]

I am creating a simplified lead and call management system for a friend’s small business.
I would like to know the best practices for hardening password storage and verification using PHP 7.4 and MySQL 7.4.30.
I would like something very s…

Is client-side bcrypt sent over tls + server-side sha hmac secure for password storage?

I want to hash passwords for security, but strong bcrypt by nature eats up a fair amount of server resources. So I was thinking of doing the encryption on the client side. This would prevent the password from being known in the case the off cha…

How do I properly secure my login using bcrypt in react and a python-flask backend?

I want to store the passwords of accounts hashed in a database that can be accessed through a python-flask application. When you log in, this python application is supposed to provide you with a token that will be saved in the front…