Questions tagged [passwords]
Specific to the security of passwords: hashing, entropy, cracking, resets, lockouts, etc.
4,080 questions
4 votes, 2 answers, 671 views
Are truncated SHA-256 hashes safe enough when collisions are not a risk?
Apologies if this is a duplicate; I’m having trouble even finding the right words for it.
As far as I am aware, password authentication usually works in a way that the server stores a hash of the ...
2 votes, 0 answers, 50 views
Why can't a Cognito user in the FORCE_CHANGE_PASSWORD state go through the forgot password flow?
If an AWS Cognito User Pool user is in the FORCE_CHANGE_PASSWORD state, they won't be able to go through the "forgot your password" flow to get a password-reset confirmation code.
Why not? ...
11 votes, 2 answers, 5k views
Why aren't passwords also hashed on client side on desktop applications?
My understanding of the standard best practice way to handle passwords is:
Establish a secure encrypted connection between client and server.
Client sends password in plaintext over this encrypted ...
3 votes, 1 answer, 195 views
SHA-256: thoughts and experiment
Take the following sequence, for example:
hello! = string a
SHA-256 of a: ce06092fb948d9ffac7d1a376e404b26b7575bcc11ee05a4615fef4fec3a308b = b
SHA-256 of b: ...
3 votes, 1 answer, 390 views
What does the parallelism parameter in memory-hard password hashing algorithms adjust?
When I change the parallelism parameter on Scrypt or on Argon2, which processing unit's threads do I influence? The CPU's threads? The GPU's threads? How does this all work?
14 votes, 3 answers, 4k views
Security implications to removing delay on empty passwords?
Login prompts on many systems (like Ubuntu) have a delay if an incorrect password is used. I understand this is to inhibit brute force attacks. Would there be any security implications to having no ...
8 votes, 2 answers, 4k views
Is password-based encryption better than traditional password hashing?
I have a theoretical question regarding the comparison of password-based encryption and password hashing. Not sure if Stackoverflow or crypto is the best place, but this is more on the side of ...
0 votes, 1 answer, 84 views
How many passphrases should I use? [closed]
I have a password manager, an email, two computers with full disk encryption, their corresponding encrypted backup (two in total) on an external disk and user. How many passphrases should I use?
I was ...
8 votes, 3 answers, 3k views
Password change frequency for technical accounts
It has become clear that asking users to regularly change their passwords does not improve security, and has thus been forbidden e.g. by NIST and BSI.
Does this advice also apply for technical ...
1 vote, 2 answers, 114 views
How can you check password for similarities if you don't know the password as password hashing is one-way? For example, you forget your password
For example, you forget your password. How can you change the password with forget password? For example, if you don't have an email associated with that account yet.
I was thinking of asking the user ...
5 votes, 1 answer, 1k views
Doesn't saving an SSH passphrase (as suggested by GitHub) negate the security benefits of using a passphrase?
From GitHub Docs:
With SSH keys, if someone gains access to your computer, the attacker can gain access to every system that uses that key. To add an extra layer of security, you can add a passphrase ...
0 votes, 1 answer, 163 views
Most hacker-proof login page
I'm trying to think of a way to create the most hacker-proof login system that I can only get into.
Currently my login page only consists of a password box and a button to submit data. It's run on an ...
21 votes, 7 answers, 8k views
Is it viable to defend against brute force attacks by rejecting correct passwords?
(found on reddit)
[translation: the website is programmed to reject the login if it is the correct password and if it is the first login attempt]
Assume that the scheme is to reject the first correct ...
0 votes, 1 answer, 112 views
Reasonable model for storing credentials for use in scripts
I was reading question 180243 which states that using a password vault is the best option for credential storage.
However this is rather cumbersome to setup. For a lower security use case (so no PII ...
11 votes, 4 answers, 7k views
Why does one have to hit enter after typing one's Windows password to log in, while one doesn't have to hit enter after typing one's PIN?
I've noticed that on Windows 10, one has to hit enter after typing one's Windows password to log in, while one doesn't have to hit enter after typing one's PIN. Is there a security reason for it?
Typing one's ...