Collaborate Disseminate
I try to implement a secure user login in my .net application. The first password is hashed with argon2id. The salt and the hashed password is stored in a database. SSL encryption and HttpOnly Cookie is used.
Now i want to add a multifacto… Continue reading Whats the safest way to store 2fa/mfa secret key in database?
I’m building a web REST API. Users must be able to authenticate themselves to this API.
I don’t know ahead of time which clients will want to use the API. I want to allow for the possibility of anyone creating their own client, like a cust… Continue reading Why shouldn’t I use the OAuth password grant if I have to implement a custom username+password login anyway?
I read that a password and a salt needs to be combined and then hashed. You save the result and the salt in plaintext. Is it a good practice to use the username as a salt? Why and why not?
I also read that good practice is that you need to… Continue reading Whats the safest way to store a password in database?
How do password managers and encrypted containers differ in how they handle data in encrypted and decrypted state?
Do password managers typically store data in decrypted state only in memory, while containers store data on disk in decrypte… Continue reading difference between password managers and apfs encrypted containers
Norton 360 Standard offers award-winning protection for your digital life — malware defense, cloud backup, and a VPN — for just $17.99 for a 15-month plan. Continue reading Don’t Leave Your Digital Security to Chance: Get Norton 360
I’m developing a multi-platform application using Flutter, which involves sensitive user data and requires both online and offline accessibility. To enhance security and usability, I am considering implementing a local password recovery me… Continue reading Is local password recovery for each device a viable security approach?
I think this should be the right SE, apologies otherwise
I have been researching ways to be more careful with how I handle important documents and credentials, but everything I found sounded incredibly inconvenient to use so I would like t… Continue reading Offline, multi-machine, 2-factor authentication information vault?
In $SomeCorpo there is a policy that passwords must never be stored anywhere else except employees’ heads. Paper notes, password managers, storing passwords in browsers, etc, are all forbidden. To facilitate this they are even willing to r… Continue reading Does the recommendation to use password managers also apply to corporate environments?
The web app I’m developing makes use of the concepts of "access token" and "refresh token", even though it uses its own auth scheme.
In certain situations, the web app needs to get an "impersonation token" fro… Continue reading Refresh tokens for impersonating user credentials: how to implement them?
I use a password manager to provide a decent information security level in my everyday life – by generating strong passwords on every occasion – and remembering only the one master-password.
But now I become concerned – what if by some acc… Continue reading What is a secure way to store the master-password of a password manager? [duplicate]