Collaborate Disseminate
A huge problem is PIN guessing from birthdays (dd/mm/yy lends to a 6 digit number that is easily guessed, dd/mm/yyyy for 8 digits). It’s very often that a PIN number is taken from someone’s birthday or year, either their own or relatives. … Continue reading Why are PIN codes usually even-numbered (4 or 6)?
A huge problem is PIN guessing from birthdays (dd/mm/yy lends to a 6 digit number that is easily guessed, dd/mm/yyyy for 8 digits). It’s very often that a PIN number is taken from someone’s birthday or year, either their own or relatives. … Continue reading Why are PIN codes usually of even length (4 or 6)?
Is it possible to design a system with two passwords prompts?
The system will have to prompt for two passwords
The system would have to validate first password before prompting for second password
User cannot be prompted for second passwo… Continue reading Is it possible to design a system with two passwords?
How do I increase the maximum number of characters allowed in the BitLocker password? The current maximum is 20. I know that it’s possible, because I have a second machine where the length is 8-256 characters.
The group policy option &quo… Continue reading How to increase maximum BitLocker password length? [migrated]
I’m doing Red Hat (RHEL 6.5) security settings.
If I set up the two files as shown below, is there no security effect on each other?
/etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit… Continue reading Red Hat Password Security Settings(/etc/pam.d/system-auth, /etc/login.defs)
At Bugzilla, I typed a new password that met the requirements stated on the account creation page. But I received:
The password does not meet our security requirements for the
following reason: not enough different characters or classes
For the sake of reproducible example, password attempt can be: “Qazxswedc123” – I got same message for that one too.
Web search found Does bugzilla.mozilla.org’s “new” password requirements make sense for that type of account/service? however those question was different.
https://wiki.mozilla.org/BMO/UserGuide/Passwords
must be at least 12 characters in length
must not contain parts of your email address, or your real name
must be complex, which means:
must be a passphrase of at least four words
OR
must contain a mixture of letters and symbols, containing characters from 3 out of the following 4 character classes:
lowercase letters, uppercase letters, numbers, and other symbols
P.S. they could have at least pretended to have a valid reason, “must not contain parts of your email address” may mean any letter from the address.
I’m trying to contact Mozilla via other means, maybe they accept it as a bug.
Continue reading Is it necessary for security to have undisclosed password requirements? [closed]
For work and other official matters, I am often forced to use websites and apps which clearly have some kind of cargo cult going on in their security department, given that they impose extremely foolish requirements on passwords:
Many services still restrict the special characters allowed in passwords and similar with the argument that it prevents injection attacks. Now, there are many good arguments against this such as avoiding unnecessary obstructions, character… Continue reading Is character restriction ever a safe mechanism against code injection / better than input sanitisation?
I want to hash passwords for security, but strong bcrypt by nature eat up a bit of resources of the server. So I was thinking to do the encryption on the client side. This would prevent the password from being known in the case the off cha… Continue reading Is client-side bcrypt sent over tls + server-side sha hmac secure for password storage?
I know that support for Argon2 was released with OpenLdap 2.4.5 according to this link https://bugs.openldap.org/show_bug.cgi?id=8575, but what if I want to use it with a previous version like 2.4.4 is there a way of doing this? Also if ar… Continue reading How to use scrypt or Argon for Openldap version < 2.4.5