Search Results

Search found 10747 results on 430 pages for 'password'.

Page 57/430 | < Previous Page | 53 54 55 56 57 58 59 60 61 62 63 64  | Next Page >

  • Implementing parts of rfc4226 (HOTP) in mysql

    - by Moose Morals
    Like the title says, I'm trying to implement the programmatic parts of RFC4226 "HOTP: An HMAC-Based One-Time Password Algorithm" in SQL. I think I've got a version that works (in that for a small test sample, it produces the same result as the Java version in the code), but it contains a nested pair of hex(unhex()) calls, which I feel can be done better. I am constrained by a) needing to do this algorithm, and b) needing to do it in mysql, otherwise I'm happy to look at other ways of doing this. What I've got so far: -- From the inside out... -- Concatinate the users secret, and the number of time its been used -- find the SHA1 hash of that string -- Turn a 40 byte hex encoding into a 20 byte binary string -- keep the first 4 bytes -- turn those back into a hex represnetation -- convert that into an integer -- Throw away the most-significant bit (solves signed/unsigned problems) -- Truncate to 6 digits -- store into otp -- from the otpsecrets table select (conv(hex(substr(unhex(sha1(concat(secret, uses))), 1, 4)), 16, 10) & 0x7fffffff) % 1000000 into otp from otpsecrets; Is there a better (more efficient) way of doing this?

    Read the article

  • Where are the real risks in network security?

    - by Barry Brown
    Anytime a username/password authentication is used, the common wisdom is to protect the transport of that data using encryption (SSL, HTTPS, etc). But that leaves the end points potentially vulnerable. Realistically, which is at greater risk of intrusion? Transport layer: Compromised via wireless packet sniffing, malicious wiretapping, etc. Transport devices: Risks include ISPs and Internet backbone operators sniffing data. End-user device: Vulnerable to spyware, key loggers, shoulder surfing, and so forth. Remote server: Many uncontrollable vulnerabilities including malicious operators, break-ins resulting in stolen data, physically heisting servers, backups kept in insecure places, and much more. My gut reaction is that although the transport layer is relatively easy to protect via SSL, the risks in the other areas are much, much greater, especially at the end points. For example, at home my computer connects directly to my router; from there it goes straight to my ISPs routers and onto the Internet. I would estimate the risks at the transport level (both software and hardware) at low to non-existant. But what security does the server I'm connected to have? Have they been hacked into? Is the operator collecting usernames and passwords, knowing that most people use the same information at other websites? Likewise, has my computer been compromised by malware? Those seem like much greater risks. What do you think?

    Read the article

  • Authorizing a computer to access a web application

    - by HackedByChinese
    I have a web application, and am tasked with adding secure sign-on to bolster security, akin to what Google has added to Google accounts. Use Case Essentially, when a user logs in, we want to detect if the user has previously authorized this computer. If the computer has not been authorized, the user is sent a one-time password (via email, SMS, or phone call) that they must enter, where the user may choose to remember this computer. In the web application, we will track authorized devices, allowing users to see when/where they logged in from that device last, and deauthorize any devices if they so choose. We require a solution that is very light touch (meaning, requiring no client-side software installation), and works with Safari, Chrome, Firefox, and IE 7+ (unfortunately). We will offer x509 security, which provides adequate security, but we still need a solution for customers that can't or won't use x509. My intention is to store authorization information using cookies (or, potentially, using local storage, degrading to flash cookies, and then normal cookies). At First Blush Track two separate values (local data or cookies): a hash representing a secure sign-on token, as well as a device token. Both values are driven (and recorded) by the web application, and dictated to the client. The SSO token is dependent on the device as well as a sequence number. This effectively allows devices to be deauthorized (all SSO tokens become invalid) and mitigates replay (not effectively, though, which is why I'm asking this question) through the use of a sequence number, and uses a nonce. Problem With this solution, it's possible for someone to just copy the SSO and device tokens and use in another request. While the sequence number will help me detect such an abuse and thus deauthorize the device, the detection and response can only happen after the valid device and malicious request both attempt access, which is ample time for damage to be done. I feel like using HMAC would be better. Track the device, the sequence, create a nonce, timestamp, and hash with a private key, then send the hash plus those values as plain text. Server does the same (in addition to validating the device and sequence) and compares. That seems much easier, and much more reliable.... assuming we can securely negotiate, exchange, and store private keys. Question So then, how can I securely negotiate a private key for authorized device, and then securely store that key? Is it more possible, at least, if I settle for storing the private key using local storage or flash cookies and just say it's "good enough"? Or, is there something I can do to my original draft to mitigate the vulnerability I describe?

    Read the article

  • Why does Silverlight 4 ClientHttp WebRequest prompt the user for a login and password?

    - by James Cadd
    One of the new features of the client http stack in Silverlight 4 is the ability to supply network credentials. When I use this feature Windows shows a "Windows Security" message box that prompts the user for a login and password (text in the box is "The server xx at xx requires a username and password. Warning: This server is requesting that your username and password be sent in an insecure manner (basic authentication without a secure connection)."). I'm setting the login and password as shown below so I'm not sure why this is displayed. My code is: var request = WebRequestCreator.ClientHttp.Create(new Uri("http://myserver:8080/gui/?list=1")); request.Credentials = new NetworkCredential("login", "password"); request.BeginGetResponse(new AsyncCallback(OnRequestComplete), request); If I enter the username and password into the messagebox the request completes successfully. For a number of reasons I'd rather prompt the user for the login and password so I'd like to avoid the messagebox if possible. My setup is Silverlight 4 final, VS 2010 final, Windows 7 x86. The application is out of browser with elevated permissions.

    Read the article

  • Bypass BIOS password set by faulty Toshiba firmware on Satellite A55 laptop?

    - by Brian
    How can the CMOS be cleared on the Toshiba Satellite A55-S1065? I have this 7 year old laptop that has been crippled by a glitch in its BIOS: 'A "Password =" prompt may be displayed when the computer is turned on, even though no power-on password has been set. If this happens, there is no password that will satisfy the password request. The computer will be unusable until this problem is resolved. [..] The occurrence of this problem on any particular computer is unpredictable -- it may never happen, but it could happen any time that the computer is turned on. [..] Toshiba will cover the cost of this repair under warranty until Dec 31, 2010.' -Toshiba As they stated, this machine is "unusable." The escape key does not bypass the prompt (nor does any other key), thus no operating system can be booted and no firmware updates can be installed. After doing some research, I found solutions that have been suggested for various Toshiba Satellite models afflicted by this glitch: "Make arrangements with a Toshiba Authorized Service Provider to have this problem resolved." -Toshiba (same link). Even prior to the expiration of Toshiba's support ("repair under warranty until Dec 31, 2010"), there have been reports that this solution is prohibitively expensive, labor charges accruing even when the laptop is still under warranty, and other reports that are generally discouraging: "They were unable to fix it and the guy who worked on it said he couldn’t find the jumpers on the motherboard to clear the BIOS. I paid $39 for my troubles and still have the password problem." - Steve. Since the costs of the repairs can now exceed the value of the hardware, it would seem this is a DIY solution, or a non-solution (i.e. the hardware is trash). Build a Toshiba parallel loopback by stripping and soldering the wires on a DB25 plug to connect connect these pins: 1-5-10, 2-11, 3-17, 4-12, 6-16, 7-13, 8-14, 9-15, 18-25. -CGSecurity. According to a list of supported models on pwcrack, this will likely not work for my Satellite A55-1065 (as well as many other models of similar age). -pwcrack Disconnect the laptop battery for an extended period of time. Doesn't work, laptop sat in a closet for several years without the battery connected and I forgot about the whole thing for awhile. The poor thing. Clear CMOS by setting the proper jumper setting or by removing the CMOS (RTC) battery, or by short circuiting a (hidden?) jumper that looks like a pair of solder marks -various sources for various Satellite models: Satellite A105: "you will see C88 clearly labeled right next the jack that the wireless card plugs into. There are two little solder squares (approx 1/16") at this location" -kerneltrap Satellite 1800: "Underneath the RAM there is black sticker, peel off the black sticker and you will reveal two little solder marks which are actually 'jumpers'. Very carefully hold a flat-head screwdriver touching both points and power on the unit briefly, effectively 'shorting' this circuit." -shadowfax2020 Satellite L300: "Short the B500 solder pads on the system board." -Lester Escobar Satellite A215: "Short the B500 solder pads on the system board." -fixya Clearing the CMOS could resolve the issue, but I cannot locate a jumper or a battery on this board. Nothing that looks remotely like a battery can be removed (everything is soldered). I have looked closely at the area around the memory and do not see any obvious solder pads that could be a secret jumper. Here are pictures (click for full resolution) : Where is the jumper (or solder pads) to short circuit and wipe the CMOS on this board? Possibly related questions: Remove Toshiba laptop BIOS password? Password Problem Toshiba Satellite..

    Read the article

  • IIS 7.0 Web Deploy authentication fails after changing Windows password... help?

    - by Lucifer Sam
    I have a very basic Windows 2008 R2 Web Server running IIS 7.0. This is just a test/practice server, so I enabled Web Deployment using Windows Authentication. All was well and I was able to deploy easily from VS 2010 using the Administrator account credentials. After changing the Administrator account password, I get the following error when trying to deploy from Visual Studio (using the new password, of course): Error 1 Web deployment task failed... ...An unsupported response was received. The response header 'MSDeploy.Response' was '' but 'v1' was expected. The remote server returned an error: (401) Unauthorized. If I change the Administrator password back to the original one and try to publish using it everything works fine again. So what am I missing? Am I supposed to do something in IIS after changing the password? Thanks!

    Read the article

  • How do I decrypt a password-protected PDF on OSX?

    - by Brant Bobby
    I have a PDF that requires a password to view. I know what the password is. I frequently open this PDF to print it, and find entering the password each time incredibly annoying. How can I remove the password from the PDF? Since I need to print it, simply taking a screenshot isn't a good solution. I tried printing the file to a PDF, but Preview disables the "Save as PDF..." option in the print dialog.

    Read the article

  • Why does PSEXEC work if I don't specify a password?

    - by Kev
    When I run PSEXEC to launch a process on a remote machine, if I specify the password in the command line it fails with: PsExec could not start cmd.exe on web1928: Logon failure: unknown user name or bad password. psexec \\web1928 -u remoteexec -p mypassword "cmd.exe" If I just specify: psexec \\web1928 -u remoteexec "cmd.exe" and type in the password it works just fine. The originating server is Windows 2003 and the remote server is Windows 2008 SP2.

    Read the article

  • ASP.NET Membership Password Hash -- .NET 3.5 to .NET 4 Upgrade Surprise!

    - by David Hoerster
    I'm in the process of evaluating how my team will upgrade our product from .NET 3.5 SP1 to .NET 4. I expected the upgrade to be pretty smooth with very few, if any, upgrade issues. To my delight, the upgrade wizard said that everything upgraded without a problem. I thought I was home free, until I decided to build and run the application. A big problem was staring me in the face -- I couldn't log on. Our product is using a custom ASP.NET Membership Provider, but essentially it's a modified SqlMembershipProvider with some additional properties. And my login was failing during the OnAuthenticate event handler of my ASP.NET Login control, right where it was calling my provider's ValidateUser method. After a little digging, it turns out that the password hash that the membership provider was using to compare against the stored password hash in the membership database tables was different. I compared the password hash from the .NET 4 code line, and it was a different generated hash than my .NET 3.5 code line. (Tip -- when upgrading, always keep a valid debug copy of your app handy in case you have to step through a lot of code.) So it was a strange situation, but at least I knew what the problem was. Now the question was, "Why was it happening?" Turns out that a breaking change in .NET 4 is that the default hash algorithm changed to SHA256. Hey, that's great -- stronger hashing algorithm. But what do I do with all the hashed passwords in my database that were created using SHA1? Well, you can make two quick changes to your app's web.config and everything will be OK. Basically, you need to override the default HashAlgorithmTypeproperty of your membership provider. Here are the two places to do that: 1. At the beginning of your element, add the following element: <system.web> <machineKey validation="SHA1" /> ... </system.web> 2. On your element under , add the following hashAlgorithmType attribute: <system.web> <membership defaultProvider="myMembership" hashAlgorithmType="SHA1"> ... </system.web> After that, you should be good to go! Hope this helps.

    Read the article

  • Is there Powershell way to re-apply a restored password for the IIS IUSR account?

    - by Philippe Monnet
    On one of our IIS web servers the IUSR account suddenly expired or got corrupted, I recovered the password from the IIS metabase (using Cscript adsutil.vbs get w3svc\anonymoususerpass after switching IsSecureProperty = False). I then reset the password accordingly. Now I have to re-key that password on the Directory Security tab of all virtual directories (for the anonymous account) of all web sites on that server. Is there a way to automate this using Powershell? (I have searched so far in vain)

    Read the article

  • Is an 'if password == XXXXXXX' enough for minimum security?

    - by Morgan Herlocker
    If I create a login for an app that has middle to low security risk (in other words, its not a banking app or anything), is it acceptable for me to verify a password entered by the user by just saying something like: if(enteredPassword == verifiedPassword) SendToRestrictedArea(); else DisplayPasswordUnknownMessage(); It seems to easy to be effective, but I certainly would not mind if that was all that was required. Is a simple check on username/password combo enough? Update: The particular project happens to be a web service, the verification is entirely server side, and it is not open-source. Does the domain change how you would deal with this?

    Read the article

  • I have a password protected USB drive with hidden partition, how to convert to normal USB drive?

    - by deddebme
    I have a generic USB drive which has password protection, and I want to stop this password protection mechanism and to use it as a normal 8GB USB drive. I received this USB drive as a gift in Hong Kong, and there was no instruction menu whatsoever, not even the manufacturer name. When I plug the drive in Windows XP, the removable drive comes up as a read only 5.28MB partition with two files. When I try to add or remove any files or formatting it, it will says the drive is write protected. After launching the Login.exe and typed in the password, a 8GB read/writeable partition will be shown, and I'm free to do anything to it. But once after the drive is unplugged and replugged, the same read only partition will still comes out no matter what I did to the hidden partition. Anyone knows about this kind if USB drive? What did the manufacturer do to hide the partition? Is there a way to "low-level" formatting this drive to convert (or revert) it to a normal drive? Before typing in the password: After typing in the password:

    Read the article

  • How to copy password from Mono-executed KeePass2 to xterm on Linux?

    - by Steve Emmerson
    I use KeePass2 to access username/password information in a Dropbox file. This allows convenient access from multiple devices. I can't seem to copy a password to the clipboard on my Linux 2.6.27.41-170.2.117.fc10.x86_64 system, however, in order to supply the password to a prompt in an xterm(1). I've tried both Ctrl+C/Ctrl+V and highlighting and mouse button 2 clicking. The KeePass2 program on the Linux system is executed by Mono. How can I copy the password to the xterm(1)? [Aside: I think we need a "KeePass" tag.] ADDENDUM: My mouse buttons were misconfigured: button 2 wasn't set to "copy". Sorry for the false alarm.

    Read the article

  • How can I automatically require a password when connecting to a WD MyBookLive?

    - by user-123
    I have created a user which has specific privileges to access the shares on our WD MyBookLive Network drive (ie it requires a password to connect), however after connecting once Windows seems to remember the password (or at least for the rest of the session). How can I make it so it is necessary to require a password every time the user connects to the drive or makes some change on Windows? I am particularly thinking of Cryptolocker and other variants of "ransomeware" which will try and connect to the drive and encrypt it.

    Read the article

  • The field for entering password freeze if no text is enter quickly after i install cinnamon on 12.04

    - by user109162
    Iam a total newbie to Ubuntu . I installed Cinnamon through terminal . The problem is that when i boot up, if i don't enter the password before 1 or 2 minutes the password field will freeze and won't accept any text inputs.The problem was most likely caused by Cinnamon because i guess the problem started after i tried to install some Cinnamon extensions. Please answer in non-technical way as far as possible. I will never go back to Windows whatever be the outcome. Help me stay on to Ubuntu.

    Read the article

  • Why don't smart phones have an auto-forget password feature? [closed]

    - by Kelvin
    Storing passwords to external services (e.g. corporate email servers) on smart phones is very insecure, since phones are more easily stolen. Has any vendor implemented a feature to only cache a password in memory for a limited amount of time? After the time period has elapsed, the app would ask for the password again. EDIT: I should've clarified - I'm aware that many (most?) users are lazy and want to just "set it and forget it". The always-remember feature will probably always be present. I was curious about an option to enable auto-forget for the security-conscious.

    Read the article

  • Can I remove a RAR file's (known) password without recompressing the archive?

    - by Abluescarab
    Long title. Anyway, I haven't been able to find an answer to this question. I know the password to the RAR file, I locked it myself, but now all I want to do is remove the password because it's too much of a pain in the butt to type it in every time. Is there a way to do this in WinRAR or an equivalent program? The only thing I knew to do was to extract it, then create a new RAR without the password. It's not a life-or-death issue, but it would be nice to know. Thanks for your time! EDIT: I just saw a bunch of related questions that appear to ask the same thing. The only solution I saw was using a DOS command to yadda yadda yadda. Here it is: How to remove password protection from compressed files Is there an easier way? Thanks again!

    Read the article

  • Is an 'if password == XXXXXXX' enough for minimum security?

    - by Prof Plum
    If I create a login for an app that has middle to low security risk (in other words, its not a banking app or anything), is it acceptable for me to verify a password entered by the user by just saying something like: if(enteredPassword == verifiedPassword) SendToRestrictedArea(); else DisplayPasswordUnknownMessage(); It seems to easy to be effective, but I certainly would not mind if that was all that was required. Is a simple check on username/password combo enough? Update: The particular project happens to be a web service, the verification is entirely server side, and it is not open-source. Does the domain change how you would deal with this?

    Read the article

  • How to get back to Lock Screen from Password screen in Microsoft Surface?

    - by GaTechThomas
    Similar to question, Can I bring the lock screen back after dismissing it? ('go back a screen' from password entry) How do I go back to the Lock Screen once I've gone to the password screen in Microsoft Surface tablet? This is a different mechanism from using the referenced question in that no physical keyboard is available. Alternately, can the timout on the password screen be shortened?

    Read the article

  • Webmail with option to change password for email account?

    - by arma
    Been testing out different webmail options to use (so far AfterLogic, Horde) And it seems that there is no options to change password for user. It's really bad thing that i have to go to server and manually change passwords for users. Is there any webmail solution that will allow me to change password, that also changes on server (as client). Or is it server setting i must use before? Or it is not possible? EDIT: Note that i have cPanel host.

    Read the article

  • wordpress login encryption

    - by tech
    I am running wordpress with woocommerce and theme_my_login plugins. When a user registers on my site it sends them a confirmation email and then they can click to activate account. Problem is when the user goes to login they get an error of incorrect password. If the user uses the forgot password link and resets the password then they can login without any errors. What might cause this problem? Is the password being encrypted with the wrong method? I went through the registration process and checked the string in the php users table. password in php table after registration: $P$BF/gIt6dFfBBuNx6rP41Qv3i71TUie1 password in php table after change password to same password: $P$BxpByDbNU3vr3sytTOcbzttp1tOodH1 Do Theme my login and either woocommerce or wordpress use different encryption methods?

    Read the article

  • Can you change the type of Active Directory Password Complexity to be different than MS version?

    - by littlegeek
    Here it states that the policy must adhere to Passwords must meet complexity requirements determines whether password complexity is enforced. If this setting is enabled, user passwords meet the following requirements: The password is at least six characters long. The password contains characters from at least three of the following five categories: English uppercase characters (A - Z) English lowercase characters (a - z) Base 10 digits (0 - 9) Non-alphanumeric (For example: !, $, #, or %) Unicode characters The password does not contain three or more characters from the user's account name. They only setting is to ENABLE or DISABLE this feature. I was wondering if there is a way to change this policy? IF so where?

    Read the article

< Previous Page | 53 54 55 56 57 58 59 60 61 62 63 64  | Next Page >