Changing bitcoin core password

Let’s say I have 5 copies of my .dat file on individual flash drives. I download the blockchain and run a full node and have the core wallet. I copy my .dat file into bitcoin core. I type in the old password and then change the password to a new password. Will someone who has 1 of my old .dat files and who knows the old password be able to access my bitcoins?

Log in: username + password, or pin-code [closed]

For online services handling economic transactions, which login method has the best conversion rates:

  1. Username/e-mail and password
  2. E-mail/phone-number & a link sent to the user (like Swedish Klarna https://www.klarna.com/se/) does?

Does anybody know of research or studies regarding this? What are the results?

security – mask username and password in service file, or better approach

There are a couple of accepted practices.

  1. The old way. Use the OS to manage the user and run your program as an OS user. Let the OS manage the password safety, i.e. Windows service/IIS app pool/Linux… whatever.

  2. The new way. Use a configuration/service mesh such as Consul/Nomad, where every service gets TLS and authentication pushed out to it and centrally managed, plus various DNS and gateway trickery.

  3. Various off-the-shelf products that essentially automate 1.

  4. Lock down the boxes and deploy plain text user/pass via a deployment tool which securely stores the info. Here the security boundary is the box, so you don’t let anyone log onto it except the deployment system, on which you implement your security.

  5. Boxes get SSL keys that authenticate whatever is running on them. You can get the username/pass, but it will only work from that box, which limits the problem.

Bad ways that people do anyway:

  1. Two-way “encrypt” the username/password. Bad because if the attacker can read the config then they can presumably read the program files as well, and hence decrypt the config.

  2. Have some central user repository that the box connects to, to get the latest password. Obviously the box needs authentication in order to connect to the central location, so once an attacker has that they can retrieve any password they like.

Overall, you are trying to limit your risk and attack surface. A plain-text password in config isn’t necessarily bad, as long as you have other security layers in place.

For example, your API has the database password, but:

  1. The box is secured, no one can log on and read the file
  2. The firewall only allows database connections from the API boxes
  3. The DB user is specific to the API's database
  4. The database user only has permissions needed by the API
  5. The password changes often

Now if the password leaks, an attacker still has to breach the other security controls before any information leaks.

The main thing you are trying to protect yourself from with these service passwords is internal attackers, or more probably, internal breaches of various data protection legislation audits.

I.e. the sysadmin team have root access to the box, the box has a plaintext DB password, the sysadmin can connect to the DB, and the password never changes.

You fill in the “who has access to personal information on the DB” question on your audit as “no-one”, but when you check the log you see the sysadmin logs in with the service user all the time to do maintenance because “everyone knows it”.

“That will never happen because we rot13 the password” will probably satisfy the auditor and your risk register, but it’s obfuscation rather than security.
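Two of the controls in the list above, a credential file nobody but the service account can read and a password that actually gets rotated, can be enforced by the service itself at start-up rather than assumed. The loader below is an added example, not code from the answer: the JSON file layout and the `rotated_at` field are assumptions made for illustration, and the three files it checks are constructed in a temporary directory.

```python
"""Credential-file loader that refuses to run unless the controls the answer
leans on are actually present on the box.

Added example, not code from the original answer: the JSON file format and
the ``rotated_at`` field are assumptions made for illustration.
"""
import json
import os
import stat
import tempfile
from datetime import datetime, timedelta, timezone


class CredentialPolicyError(Exception):
    """The credential file exists but violates the deployment policy."""


def write_credential_file(path, username, password, rotated_at, mode=0o600):
    """Create the file with the mode already applied, so there is no window
    in which a world-readable file holds the secret. Returns the path."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        json.dump({"username": username, "password": password,
                   "rotated_at": rotated_at.isoformat()}, fh)
    os.chmod(path, mode)  # os.open's mode is masked by umask; pin it down
    return path


def load_service_credentials(path, max_age_days=30, now=None):
    """Return (username, password) from ``path`` only if:
    - it is a regular file (not a symlink) owned by the account running this process,
    - nobody but that account can read it (control 1 in the answer),
    - the password was rotated within ``max_age_days`` (control 5)."""
    now = now or datetime.now(timezone.utc)
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise CredentialPolicyError("not a regular file (symlink?)")
    if hasattr(os, "geteuid") and st.st_uid != os.geteuid():
        raise CredentialPolicyError("owned by another account")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise CredentialPolicyError("readable by group or others")
    with open(path) as fh:
        data = json.load(fh)
    rotated = datetime.fromisoformat(data["rotated_at"])
    if now - rotated > timedelta(days=max_age_days):
        raise CredentialPolicyError(f"password older than {max_age_days} days")
    return data["username"], data["password"]


def _outcome(check):
    try:
        check()
        return "accepted"
    except CredentialPolicyError as exc:
        return f"rejected: {exc}"


def demo():
    """Run the loader over three constructed files; returns the outcomes."""
    now = datetime(2024, 1, 15, tzinfo=timezone.utc)   # constructed clock
    fresh = now - timedelta(days=3)
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        good = write_credential_file(os.path.join(tmp, "good.json"),
                                     "api_svc", "constructed-secret", fresh)
        results["good"] = load_service_credentials(good, now=now)
        loose = write_credential_file(os.path.join(tmp, "loose.json"),
                                      "api_svc", "constructed-secret", fresh,
                                      mode=0o644)          # group/world readable
        results["loose"] = _outcome(lambda: load_service_credentials(loose, now=now))
        stale = write_credential_file(os.path.join(tmp, "stale.json"),
                                      "api_svc", "constructed-secret",
                                      now - timedelta(days=90))  # never rotated
        results["stale"] = _outcome(lambda: load_service_credentials(stale, now=now))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Failing closed at start-up turns "the box is secured" and "the password changes often" from audit-questionnaire answers into something the service checks every time it starts; a loose mode or a stale `rotated_at` stops the deployment instead of silently running with a password everyone knows.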

crash – Macbook big sur not asking for password after closing lid

This past month I noticed my MacBook Pro does not lock the screen after closing the lid. This happened twice in the past month. After the first time it happened, I did a fresh install and reset the SMC and NVRAM.

The problem occurred again today and the logs are filled with Google Chrome and launchd stuff from when the lid was supposedly closed. In the morning, after around 7 hours, I woke up to it unlocked and right where I left off.

Has anyone else experienced this before? What can I do? Is this a security issue?

plugins – Generate JWT Token without username and password

I am working on generating a JWT token for the users who log in to my site using a plugin, JWT Auth, and that token will be used for an external dashboard.

The issue that I am facing is that, to generate a JWT token, you need to pass the username and password as form-data to the /wp-json/jwt-auth/v1/token endpoint, but the password stored in the database is hashed and cannot be decrypted. So what is the solution for this? I cannot send the plain-text password to the endpoint.

Looking forward to your suggestions.

one time password – What are the security flaws in web based TOTP app?

If there is a widely accessible TOTP website (prototype: https://depperm.github.io/) that allows users to set a date and secret they can remember or a package that allows companies/developers to create their own domain/site specific tool, what possible security flaws are there beyond having information phished, key logged, or copied in person?

The date and secret would be stored encrypted on the database (and set in the same manner as a password), so when the OTP comes in a new token can be generated from the decrypted info and validated against the incoming one.

I am aware of the potential issue of client time being different from server time, but I believe there are viable solutions for this problem and I don’t see it as a security flaw but a usability flaw.
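The server-side check the question describes (regenerate the code from the stored secret and compare it with the submitted one) is where the time-difference point and one flaw the question does not mention both live. The block below is an added example in Python, not code from the prototype site linked above: it implements RFC 6238 TOTP over HMAC-SHA1, accepts a bounded clock-skew window, and refuses any code at or below the last counter it already accepted, so a code captured in transit cannot be submitted a second time inside that window. The `t0` parameter is my assumed mapping of the question's user-chosen "date" onto RFC 6238's T0 start-of-epoch value; the key constant is the RFC's own Appendix B test key.

```python
"""Server-side TOTP (RFC 6238, HMAC-SHA1) check with a bounded clock-skew
window and a replay guard. Added example, not code from the prototype site
in the question; ``t0`` is an assumed mapping of the question's "date" onto
RFC 6238's T0 parameter."""
import hashlib
import hmac
import struct

# RFC 6238 Appendix B SHA-1 test key (ASCII "12345678901234567890"); a real
# deployment would use a high-entropy per-user secret, never this value.
RFC6238_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now_ts: int, t0: int = 0, step: int = 30, digits: int = 6) -> str:
    """Code valid for the time step that contains ``now_ts`` (Unix seconds)."""
    return hotp(key, (int(now_ts) - t0) // step, digits)


def verify_totp(key: bytes, submitted: str, now_ts: int, last_accepted=None,
                skew_steps: int = 1, t0: int = 0, step: int = 30, digits: int = 6):
    """Return the matched time-step counter, or None if the code is rejected.

    - accepts the current step plus ``skew_steps`` steps either side, which
      absorbs ordinary client/server clock drift without an open-ended window;
    - rejects any counter at or below ``last_accepted`` so a sniffed code cannot
      be replayed inside the window (the caller persists the returned counter);
    - compares in constant time and always evaluates the whole window."""
    if not (isinstance(submitted, str) and submitted.isdigit()
            and len(submitted) == digits):
        return None
    current = (int(now_ts) - t0) // step
    matched = None
    for delta in range(-skew_steps, skew_steps + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(key, counter, digits), submitted):
            if last_accepted is None or counter > last_accepted:
                matched = counter
    return matched


if __name__ == "__main__":
    code = totp(RFC6238_TEST_KEY, 59)
    print("code at t=59:", code)
    print("accepted at t=59 :", verify_totp(RFC6238_TEST_KEY, code, 59))
    print("accepted at t=89 :", verify_totp(RFC6238_TEST_KEY, code, 89))
    print("accepted at t=120:", verify_totp(RFC6238_TEST_KEY, code, 120))
    print("replay at t=59   :", verify_totp(RFC6238_TEST_KEY, code, 59, last_accepted=1))
```

The skew window is the "viable solution" to the time difference the question mentions, but it has to stay small: every extra step the server tolerates is another code an attacker can guess or replay, which is why the verifier also tracks the last accepted counter per user.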

magento2 – Magento 2: Reset Password is taking previously used password

There is no OOTB Magento mechanism to restrict the usage of previously used passwords.

The only settings regarding the customers' passwords can be found here https://docs.magento.com/user-guide/configuration/customers/customer-configuration.html#password-options and are related to setting the password strength, the number of requests for resetting the pass, the lockout time and some other generic stuff, but there is no setting regarding previously used passwords.