Collaborate Disseminate
My understanding of the standard best practice way to handle passwords is:
Establish a secure encrypted connection between client and server.
Client sends password in plaintext over this encrypted connection.
Server gets plaintext passw… Continue reading Why aren’t passwords also hashed on client side on desktop applications?
Login prompts on many systems (like Ubuntu) have a delay if an incorrect password is used. I understand this is to inhibit brute force attacks. Would there be any security implications to having no delay if and only if an empty passphrase … Continue reading Security implications to removing delay on empty passwords?
It has become clear that asking users to regularly change their passwords does not improve security, and has thus been forbidden e.g. by NIST and BSI.
Does this advice also apply for technical passwords for e.g. service accounts, that are … Continue reading Password change frequency for technical accounts
I was reading question 180243 which states that using a password vault is the best option for credential storage.
However this is rather cumbersome to setup. For a lower security use case (so no PII access or anything really damaging, the … Continue reading Reasonable model for Storing credentials for use in scripts
I was reading question 180243 which states that using a password vault is the best option for credential storage.
However this is rather cumbersome to setup. For a lower security use case (so no PII access or anything really damaging, the … Continue reading Reasonable model for Storing credentials for use in scripts
I don’t understand why people recommend password managers. If my password that I reuse for websites a,b,c gets acquired somehow, then my credentials for websites a,b,c are compromised. On the other hand, if my master password for the passw… Continue reading Why is using a password manager considered a good practice? [duplicate]
I have a server set up to run a PowerShell script every 15 minutes. This script needs to make API requests with keys and passwords. The script runs even when no user is logged in, so encryption based on the user profile wouldn’t make sense… Continue reading What’s the best method of securing keys/passwords used by a PowerShell script that runs when no user is logged in, using only one server, for free?
I was thinking of implementing this in software, starting with one password, with each new release being derived from that initial password.
(trying to find the name of this technique, I think it’s called a “hash chain”)
That way you can g… Continue reading Encryption password in program, to secure its centrally-stored settings?
Learn how to execute the fundamentals, harden your defenses, and protect your business’s network security with no high-tech software. Continue reading Setting Up Your Network Security? Avoid These 4 Mistakes
In the NIST SP 800-132, they specified two ways to use the data protection key (DPK) that is derived from a password. One of them is to use the DPK to encrypt data, and then, if I am not mistaken, destroying the DPK. To verify whether an… Continue reading Why is "not storing data protection keys" not a popular choice?