Collaborate Disseminate
I’ve long since been storing credentials to databases and services in local configuration files during development. Sometimes these need to be to production systems, which makes this a security issue.
I’m wondering what the best practice h… Continue reading Local development credential manager and best practices
I have noticed on most websites that all previous password reset links are automatically expired when a new one is requested.
Why is this so common and what are some possible consequences if this isn’t done?
Continue reading Should newly password links reset old ones? if so, why?
I’m curious what is best practice. I’m migrating a large export of an existing password manager data like lastpass, 1password, or dashlane into another password manager. Some of these services marked some of the passwords as compromised. I… Continue reading Migrating Large Export of Dashlane, 1password, lastpass data to another password manager. Delete old sites?
Linux pass is a program that lets you store passwords in regular text files, which you it then encrypts with your GPG key.
I’m confused at how this is considered secure. The GPG key has a passphrase but looks like it normally gets cached i… Continue reading What exactly is the security model of pass?
We’re building an application that needs to log into a website using built-in credentials. It’s not optimal to say the least, but we’re stuck with "knowing" the username and password beforehand (hence stick them into the applicat… Continue reading How to best obfuscate a built-in key in an application?
Is the 32 OATH QR code account limit on Yubikeys due to a storage constraint?
Because the Yubikey 5 series has been out for a few years now it’d be amazing if there is a new version released soon with increased OATH account capacity.
… Continue reading Why are Yubico Yubikeys limited to 32 OATH accounts?
This feature is enabled by default. It says the usernames and passwords would be encrypted before sending to google. But google would know the encryption keys it used and to compare it with leaked username/password combinations the google … Continue reading How does Google Chrome’s "Warn you if passwords are exposed in a data breach" feature work?
We’ve got an Angular app that calls APIs with JWT token authentication (so an auth token and a refresh token). Now at some point the user changes his password (while normally logged in, so not with a "reset password" logic when h… Continue reading Do you need to invalidate JWT token upon password change?
Yes, I do use a password manager. Yes, I do use complicated long passwords, a la XKCD.
However, sometimes I fail repeatedly when entering the master password to my password manager. Which has no "show" button, presumably due to… Continue reading What are the risks of typing a password in a terminal, just to see before pasting it?
There is two different passwords for a single user.
I’m hashing both for future validation. I’m currently using a single unique salt for the user, but each is hashed with a different algorithms (PBKDF2 with different algorithm and differen… Continue reading Is there any benefit to use different salt for different encryption algorithms for same user