Collaborate Disseminate
Assume that I am not a layman, but a person who knows a lot of things about password, public key cryptography, information security, password managers, etc. I am trying to cover all the most likely threats and one of the potential threats … Continue reading How likely am I to forget my password given a head injury? [closed]
I need to implement a web app for a self-service change password use case for on-premise Active Directory users,
which is accessible over the internet.
The service must allow the users to set a new password, so I need to send the new passw… Continue reading Web app architecture- set a new password for a on-premises AD setup
Researchers have used thermal cameras and ML guessing techniques to recover passwords from measuring the residual heat left by fingers on keyboards. From the abstract:
We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting from input publicly available. Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds. We found that typing behavior significantly impacts vulnerability to thermal attacks, where hunt-and-peck typists are more vulnerable than fast typists (92% vs 83% thermal attack success if performed within 30 seconds). The second study showed that the keycaps material has a statistically significant effect on the effectiveness of thermal attacks: ABS keycaps retain the thermal trace of users presses for a longer period of time, making them more vulnerable to thermal attacks, with a 52% average attack accuracy compared to 14% for keyboards with PBT keycaps…
Continue reading Recovering Passwords by Measuring Residual Heat
Could someone please help me tell what encryption type was used to encrypt these numbers "101110347" to these alphanumeric letters "DRjub64YUZ7bXt2FRZo".
I also have dozens of these plaintext numbers and ciphertexts if … Continue reading encryption type and how to get the key [closed]
Entropy/Length/Complexity of a password is pretty straight forward and cant really vary much.
For Dictionary Similarity, i would assume that a software just checks how many characters in a password would need to change to match any Diction… Continue reading Is a sufficiently long password unsafe just because it only consists of 2-3 letter long mixed-case dictionary words and numbers?
As we can see on this page, BLAKE-3 is about 14 times faster than SHA-256. Is it as safe as SHA-256? I would like to use it for my passwords which are 32 cryptographically random bytes, because my API uses application-layer encryption whic… Continue reading BLAKE-3 vs SHA-256 security
Okay, I know it might seem this has already been beaten to death but, hear me out. I am including a fairly good password strength algorithm for my app for users on sign-up. This one, which I’ve copied (with minor adjustments). I also want … Continue reading What is the best way to calculate true password entropy for human created passwords?
I need to hash 32 cryptographically random bytes, but later the verification the value with hash must be very fast, so I decided to use SHA256. Is it a security issue if my passwords are 32 cryptographically random bytes? Maybe you know so… Continue reading SHA256 for hashing 32 cryptographicaly random bytes
Best practices say that when users choose a password (at signup or when changing an existing password), the application should reject that password if it appears on a list of passwords known to be unsafe. For example, NIST Special Publicat… Continue reading Should one reject login attempts when the correct password is newly added to a password deny list?
I’m using an Apache Proxy with LDAP modules for authentication management. But I don’t want to hardcode the password of the LDAP service user to query the domain.
I have already used other applications that work with secure storage or wall… Continue reading How to avoid hardcoded passwords on Apache httpd config file [migrated]