Collaborate Disseminate
How does Linux know if a new password is a "wrapped" version of an old password?
(or, the process of creating a new password) know "certain" parts of one’s password?
Let’s say I have the password abcEFGH123321 and I set… Continue reading How does Linux know if a new password is a "wrapped" version of a old one?
I do not quite understand why it is common practice to require a difficult to remember password with alphanumeric and special character requirements, while also having an upper limit of 32 characters. Wouldn’t it be easier for everyone to … Continue reading Why do password requirements exist while limiting the upper character count? [duplicate]
To my understanding, it is common security practice to lock the account after X failed login attempts in N minute. Usually, the account will be locked for M minutes.
I noticed that most of the time X is 3 and usually the account needs a re… Continue reading It is common for an account to be locked after X amount of failed logins, what are the best practice of selecting x?
I own a company that has hired an IT employee. He has all passwords to servers, work stations and data. He is refusing to share or supply these passwords (Keys to the Kingdom) on the grounds of security. He has pointed me to your site alon… Continue reading Owner vs IT employee. Security and passwords
In the one hand we have a google’s password store (or things like LastPass, 1Password, etc.) and it’s ability to autofill your credentials when you need it.
In the other hand we have a password manager like ‘pass’ or ‘passpie’, which provi… Continue reading How does the autofilling of private user credentials work?
This question is inspired by Is there any security risk in not setting a maximum password length?.
Specifically the accepted answer https://security.stackexchange.com/a/238033/9640 says limits are recommended to avoid exhausting the server… Continue reading Why limit password length?
I want to understand the risk in reusing complex password.
Unique complex passwords for each and every email account, say 3.
All other accounts, bank, medical, social, share a complex password, 1
This makes a total of 4 passwords.
Context
NIST SP 800-63b gives the following guidance for password forms (aka login pages):
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, whi… Continue reading Password entry: are "paste from password manager" and "eyeball to view passwords" mutually-exclusive features?
I’m working on an app where some accounts use passwordless authentication by email (using magic links) and some require a password to login. Is it okay to represent this rule in the account table by having a nullable password_digest? Would… Continue reading Is it unsafe to have some users with passwords and some without?
In the OAuth website here it says "Most services provide a way for developers to retrieve the secret of an existing application, although some will only display the secret one time and require the developer store it themselves immedia… Continue reading What is the right way to let user retrieve client secret in OAuth 2?