Does requiring log in every n hours actually increase security for a web app, if login info is stored in browser? [duplicate]

A web application I use forces log in again every 12 hours.
I’m struggling to see exactly how this increases security, considering the browser has user and pass pre-filled, and I simply have to click the "log in" button again.
AFAIK,…

Is it secure to block passwords that are too similar to other employees’ old passwords?

At my work, they don’t like different employees having ‘partially matching passwords.’
I had never thought anything of it before, but just now I realised what this means (or might mean.)
When I emailed the IT department, they were more tha…

How to check user password against list of weak passwords when I use client-side hashing?

I’ve been exploring ways to strengthen password security, and one aspect of that is preventing the use of weak or commonly compromised passwords. NIST’s recommendations, for example, include the suggestion that when users create or update …

Passwords/password hashes in plaintext in service configs – why is this common practice?

A while ago I wanted to deploy a service using an OCI (docker/podman) container, and I noticed what seemed to me like a possibly disturbing trend. In the build file for a lot of the containers, the password is put there in plain text in …

Optimal password minimum length requirement? (In particular, does a 15 character minimum make sense for most university users?)

Is there any professional consensus on what the optimal password minimum length requirement should be?
The University of Michigan recently implemented a 15 character minimum for all users.
To me (complete layperson), this seems foolish bec…

Does a password policy with a restriction of repeated characters increase security?

A security value called Restriction of Repeated Characters for Passwords (QPWDLMTREP) can be configured in IBM i. If QPWDLMTREP has a value of 1, then "the same character cannot be used more than once in a password, even if the repeat…