Let’s say I have 5 copies of my .dat file on individual flash drives. I download the blockchain and run a full node and have the core wallet. I copy my .dat file into bitcoin core. I type in the old password and then change the password to a new password. Will someone who has 1 of my old .dat files and who knows the old password be able to access my bitcoins?
I’m using social sign up buttons on my WordPress site to register/sign in using Google, FB, TW…
When you are logged in, this notice appears at the top of the WordPress admin dashboard:
“Notice: You’re using the auto-generated password for your account. Would you like to change it?”
Is it possible to remove this notice?
It’s misleading users.
For online services handling economic transactions, which login method has the best conversion rates:
- Username/e-mail and password
- E-mail/phone-number & a link sent to the user (like Swedish Klarna https://www.klarna.com/se/) does?
Does anybody know of research or studies regarding this? What are the results?
I am new here, I tried searching to see if there was a similar question and I could not find any. I hope this has not been asked before.
I have a laptop from my old job, that I got to keep after I left the company. On that laptop I have an account on the business domain. I am still using that laptop for personal matters and have not had any problem for 2 years. Today I had an issue: when I was restarting my computer, I was not able to type anything into the password box. The mouse was working, but nothing on the logon page seemed to be active (including the restart button). If I reboot and start the laptop in safe mode I don’t have this issue. But even after restarting many times the issue persisted. I finally made a local account without a password in safe mode to see if I could log on; at first I had the same issue (freezing on the logon page), but that finally worked and I was able to switch user. My question is, does this problem have anything to do with the business domain? Or is it unrelated? How should I resolve it? I appreciate any help!
There are a couple of accepted practices.
1. The old way. Use the OS to manage the user, run your program as an OS user. Let the OS manage the password safety, i.e. Windows service/IIS app pool/Linux… whatever.
2. The new way. Use a configuration/service mesh such as Consul/Nomad; every service gets TLS and authentication pushed out to it and centrally managed, plus various DNS and gateway trickery.
3. Various off-the-shelf products that essentially automate 1.
4. Lock down the boxes and deploy plain-text user/pass via a deployment tool which securely stores the info. Here the security boundary is the box, so you don’t let anyone log onto it except the deployment system, on which you implement your security.
5. Boxes get SSL keys that authenticate whatever is running on them. You can get the username/pass, but it will only work from that box. Limiting the problem.
Bad ways that people do anyway:
- Two-way “encrypt” the username/password. Bad because, if the attacker can read the config then they can presumably read the program files as well and hence decrypt the config.
- Have some central user repository that the box connects to to get the latest password. Obviously the box needs authentication in order to connect to the central location, so once an attacker has that they can retrieve any password they like.
Overall, you are trying to limit your risk and attack surface. A plain-text password in config isn’t necessarily bad, as long as you have other security layers in place.
For example, your API has the database password, but:
- The box is secured, no one can log on and read the file
- The firewall only allows database connections from the API boxes
- The db user is specific to the APIs database
- The database user only has permissions needed by the API
- The password changes often
Now if the password leaks, an attacker still has to breach the other security controls before any information leaks.
The main thing you are trying to protect yourself from with these service passwords is internal attackers, or more probably, internal breaches of various data protection legislation audits.
i.e. the sysadmin team has root access to the box, the box has a plaintext DB password, the sysadmin can connect to the DB, and the password never changes.
You fill in the “who has access to personal information on the DB” question on your audit as “no-one”, but when you check the log you see the sysadmin logs in with the service user all the time to do maintenance because “everyone knows it”.
“That will never happen because we rot13 the password” will probably satisfy the auditor and your risk register, but it’s obfuscation rather than security.
This past month I noticed my MacBook Pro does not lock the screen after closing the lid. This happened twice in the past month. After the first time it happened, I did a fresh install and reset SMC and NVRAM.
The problem occurred again today and the logs are filled with Google Chrome and launchd stuff from when the lid was supposedly closed. In the morning, after around 7 hours, I woke up to it unlocked and right where I left off.
Anyone else experience this before? What can I do? Is this a security issue?
I am working on generating a JWT token for the users who log in to my site using the JWT Auth plugin, and that token will be used for an external dashboard.
The issue that I am facing is that to generate a JWT token you need to pass the user’s credentials to the
/wp-json/jwt-auth/v1/token endpoint, but the password that is stored in the database is hashed and cannot be decrypted, so what is the solution for this? I cannot send a plain-text password to the endpoint.
Looking forward to your suggestions.
This is more a security/privacy question but that often touches the UX too.
You should verify e-mail and password for the same reasons you do that for all users. If a user tries to log in with a non-registered e-mail address and the site tells them that the e-mail address was not found, that is a potential security and privacy risk.
You can show that the user is banned only when the e-mail and password combination is correct. When banned users forget their password, treat them the same as other users and let them reset the password by sending them an e-mail. In that e-mail you can mention that it is not possible to reset the password because they have been banned from the site.
If there is a widely accessible TOTP website (prototype: https://depperm.github.io/) that allows users to set a date and secret they can remember or a package that allows companies/developers to create their own domain/site specific tool, what possible security flaws are there beyond having information phished, key logged, or copied in person?
The date and secret would be stored encrypted on the database (and set in the same manner as a password), so when the OTP comes in a new token can be generated from the decrypted info and validated against the incoming one.
I am aware of the potential issue of client time being different from server time, but I believe there are viable solutions for this problem and I don’t see it as a security flaw but a usability flaw.
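An added example, not code from the question's author or the linked prototype: a standard RFC 6238 TOTP generate-and-verify routine in Python whose verifier accepts a small window of adjacent time steps, which is the usual answer to the client/server clock-skew problem raised above. The `derive_seed` helper that turns a date plus a memorable secret into the HMAC key is an assumed design for illustration, not the prototype's actual scheme.

```python
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 time step in seconds
DIGITS = 6   # length of the one-time code


def derive_seed(date: str, memorable_secret: str) -> bytes:
    """Assumed design (not the prototype's code): stretch the user's date and
    memorable secret into a 20-byte HMAC key with PBKDF2, so a short
    human-chosen secret is never used raw as the TOTP seed."""
    return hashlib.pbkdf2_hmac("sha256", memorable_secret.encode(),
                               ("totp-seed:" + date).encode(), 100_000, dklen=20)


def hotp(seed: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to `digits` decimal digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(seed, int(unix_time) // step)


def verify_totp(seed: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = STEP) -> bool:
    """Accept the code for the current step and up to `window` steps either side.
    A window of 1 absorbs modest clock skew; keep it small, since each extra
    step enlarges the set of codes that a guess could match. The comparison is
    constant-time, and a production verifier should additionally remember the
    last accepted counter per user so the same code cannot be replayed."""
    if not (candidate.isdigit() and len(candidate) == DIGITS):
        return False
    counter = int(unix_time) // step
    matched = False
    for offset in range(-window, window + 1):  # no early exit: uniform timing
        if hmac.compare_digest(hotp(seed, counter + offset), candidate):
            matched = True
    return matched


if __name__ == "__main__":
    seed = derive_seed("1990-05-17", "correct horse battery staple")  # constructed sample
    now = 1_700_000_000
    code = totp(seed, now)
    print(code, verify_totp(seed, code, now + 20), verify_totp(seed, code, now + 90))
```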
There is no OOTB Magento mechanism to restrict the usage of previously used passwords.
The only settings regarding customer passwords can be found here https://docs.magento.com/user-guide/configuration/customers/customer-configuration.html#password-options and are related to setting the password strength, the number of requests for resetting the password, the lockout time and some other generic stuff, but there is no setting regarding previously used passwords.