Does a Passkey authentication system need bootstrapping by username and password?

The Register has an article on Passkeys, and one of the issues they use to argue that they are unlikely to be widely adopted is:

The process is bootstrapped by getting the user to authenticate using a traditional approach (such as usernam…

Does Windows 11 PIN Behavior Break Password Security Conventions?

Building on the theme presented in this previous question, does Windows' current PIN input user flow break standard password security practices?
Behavior: When the user inputs the correct number of digits in the PIN, Windows displays an err…

Password checks in backend vs. password encrypted data sent to frontend?

Let's assume I am building a pastebin-like web app: users can upload text notes and share them. Users should be able to password-protect notes. Whenever viewing such a note, other users must first provide the correct password to be able to …

Good Essay on the History of Bad Password Policies

Stuart Schechter makes some good points on the history of bad password policies:

Morris and Thompson’s work brought much-needed data to highlight a problem that lots of people suspected was bad, but that had not been studied scientifically. Their work was a big step forward, if not for two mistakes that would impede future progress in improving passwords for decades.

First was Morris and Thompson's confidence that their solution, a password policy, would fix the underlying problem of weak passwords. They incorrectly assumed that if they prevented the specific categories of weakness that they had noted, the result would be something strong. After implementing a requirement that passwords have multiple character sets or more total characters, they wrote:…


IoT Devices in Password-Spraying Botnet

Microsoft is warning Azure cloud users that a Chinese-controlled botnet is engaging in "highly evasive" password spraying. Not sure about the "highly evasive" part; the techniques seem basically what you get in a distributed password-guessing attack:

“Any threat actor using the CovertNetwork-1658 infrastructure could conduct password spraying campaigns at a larger scale and greatly increase the likelihood of successful credential compromise and initial access to multiple organizations in a short amount of time,” Microsoft officials wrote. “This scale, combined with quick operational turnover of compromised credentials between CovertNetwork-1658 and Chinese threat actors, allows for the potential of account compromises across multiple sectors and geographic regions.”…


Software Makers Encouraged to Stop Using C/C++ by 2026

The Cybersecurity and Infrastructure Security Agency and Federal Bureau of Investigation assert that C, C++, and other memory-unsafe languages contribute to potential security breaches.

Encryption password in program, to secure its centrally-stored settings?

I was thinking of implementing this in software, starting with one password, with each new release being derived from that initial password.
(trying to find the name of this technique, I think it’s called a “hash chain”)
That way you can g…

Why do best practices recommend against adding your own pepper to passwords before hashing?

According to my research, if you want to store passwords securely, you should use built-in hash functions that have been vetted by the professionals. Best practices recommend that you do not add a hard-coded pepper.
But why not?
Let's say:…

Are the encrypted browser-saved passwords randomly overwritten when deleted?

Normal ‘deleting’ of data and actually randomly overwriting it are very different in terms of security. So, just deleting passwords is not considered secure, because they can be recovered.
And although nearly all browsers encrypt their sav…