Encryption of password, then validate PW at login

Hi all!
I am new to java.
I am writing a client server application using JDK 1.3 and I want the user to enter in a user name and password and have my app check the password against the users password stored in a central database. I guess I am looking to understand what is the approach or method that is best to use.
For example, from what I've read I can encrypt the password stored in the DB using a byte-array encryption. I think I understand how to do this. But I am not sure how to "validate" the user's PW at login against it. Does this involve a comparison of hash values?
As you can see, I may really not know what I am talking about. Any guidance or direction to resources on this would be greatly appreciated. Any code samples always appreciated as well.
Thanks.
Eric

Hi, Eric
Just wanted to tell you about two things:
1. While hashing is better than storing the PW as clear text there is a vulnerability if you just hash the PW. You leave your PW database open to a "dictionary" attack. This means that an attacker compiles a dictionary of common passwords and stores the passwords together with their hash values (either SHA-1 or MD5 or whatever it is). He then looks in the PW database for a hash value that matches one in his dictionary. If he finds a match he has the PW.
E.g. the U**X developers saw this problem and added a number called "salt" to the passwd fields. Each PW entry has a unique "salt" value, so that the same clear text PW is never mapped to the same hash. You just store this number together with the PW hash and it's used in calculating the hash from the clear text PW by concatenating it to the PW.
It is even better to add still another number, called an "iteration count", to the PW database. This means that you call the hash function a certain number of times to generate the hash, not just once.
For a good discussion of all this see PKCS#5: http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/index.html
2. Never use client side PW calculations! If one of your users enters a PW into the web form the JavaScript code posted here calculates the MD5 hash and sends it to the server. That's great for an attacker. He just needs to sniff the network, wait for the user id and the MD5 hash to flow by and then he can use the hash in a "doctored" client which just wants the hash of the PW to be entered instead of the PW itself. So he doesn't even need to know the PW!
It's better to use a TLS/SSL connection to the server and to transfer the PW to the server, which creates the hash from the PW. This way an attacker is not able to gain anything from sniffing.
If that is not possible you could use one of the many challenge/response protocols which are quite sophisticated (e.g. RFC 2831). However, they are difficult to implement in a browser environment.
Regards,
Frank

Similar Messages

  • Require encrypted disk password before login

    Hi,
    I encrypted my machines' disk with diskutil:
    diskutil cs encryptVolume ...
    Now, when I start up my machine I first need to enter the disk password, then I can select a user and enter the user password. So far, everything is fine. The problem is that together with the option to enter the disk password I see one of the accounts configured on the machine and have the option to enter that user's password and login with that user right away *without* entering the disk password. How can I disable that (I want to force all users to first enter the disk password)?

    Back up all data.
    If you have more than one user account, you must be logged in as an administrator to carry out these instructions.
    Triple-click anywhere in the line below to select it:
    sudo fdesetup list | open -f -a TextEdit
    Copy the selected text to the Clipboard (command-C).
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Paste into the Terminal window (command-V). You'll be prompted for your login password. Nothing will be displayed when you type it. If you don’t have a login password, you’ll need to set one before you can run the command. You may get a one-time warning not to screw up. Confirm. You don't need to post the warning. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
    A TextEdit window will open. Post the contents of that window, if any — the text, please, not a screenshot. The title of the window doesn't matter, and you don't need to post that.
    If any personal information appears in the output, anonymize before posting, but don’t remove the context.

  • HT204053 how come i was upgraded iso6 on my iPhone, but now I couldn't link up to iCloud, it keeps asking my icloud password then failed login. But my iPad upgraded it works!! how to solve my iPhone using iCloud?

    how come i was upgraded iso6 on my iPhone, but now I couldn't link up to iCloud, it keeps asking my icloud password then failed login. But my iPad upgraded it works!! how to solve my iPhone using iCloud?

    If you still have access to your old email address, go to https//appleid.apple.com, click Manage my Apple ID and sign in with your iCloud ID.  Tap edit next to the primary email account, tap Edit, change it back to your old email account and verify it.  Then edit the name of the account to change it back to your old email address.  You can now use your current password to turn off Find My iPhone on your device. Then go to Settings>iCloud, tap Delete Account and choose Delete from My iDevice when prompted (your iCloud data will still be in iCloud).  Next, go back to https//appleid.apple.com and change your primary email address and iCloud ID name back to the way it was.  You can now go to Settings>iCloud and sign in with your correct iCloud ID and password.
    If you don't have access to your old email address, you will have to contact Apple to have them reset the password so you can disable Find My iPhone and sign into your iCloud account.  You can either go to https://expresslane.apple.com, select "More Products and Services", then "Apple ID", then  on the next page select "Other Apple ID Topics", then "Lost or forgotten Apple ID password" and click "Continue"; or you can contact Apple Support (http://www.apple.com/support/icloud/contact/).

  • Encrypt/Decrypt passwords

    Hi...
    Another thread with that same, old subject... right? Perhaps yes!! But I am not able to move further without help.
    I am developing an application where a user needs to log in by entering a password. My requirement is to encrypt the password first (while registering the user) and store it in a database (using MS Access 2007). Later, while logging in, I need to decrypt that stored password and validate the password entered by the user.
    As I am quite new to this, I am not able to understand how to proceed. I checked in this forum, even on the net - got many stuffs as well - but still I am not able to develop this.
    Any suggestion or help would be appreciated.
    I have a few simple logics that could be used: 1. replace each character with the next (or next to next) character, 2. insert some junk characters in between each character and create a string... etc.
    But I am looking for some serious encryption/decryption techniques.
    Thanks in Advance...

    Oh yeah.. what an 'Aloo Paratha' with no salt. But not able to understand how to add this 'Salt' to my paratha.. :(
    TiA...

    Suppose I had read access to the password table, where I also had an account:
    | user_name | digested_password | ...
    +-----------+-------------------+--
    | bdlh      | efagukfuilfehilef |
    | smith     | fiopwefiopf890fnk |
    ...I can't guess smith's password from his digest, but what if I notice:
    | user_name | digested_password | ...
    +-----------+-------------------+--
    | bdlh      | efagukfuilfehilef |
    | smith     | fiopwefiopf890fnk |
    | kumar     | efagukfuilfehilef |
    Hey! kumar and I happen to have the same digest! We have the same password! (Or as good as.) I can log on as kumar and have a jolly time at his expense.
    Now change things with a pinch of salt: a randomly generated unique string. One's digested_password is actually the digest of password+salt:
    | user_name | digested_password | salt     |
    +-----------+-------------------+----------+
    | bdlh      | efagukfuilfehilef | efaghkku |
    | smith     | fiopwefiopf890fnk | h23bh9m0 |
    | kumar     | vjlvsr8u0w780w4bj | 789r2bh7 |
    Now even if kumar and I happen to have the same password, our salts make the digests different.
    As for "how to digest", use MessageDigest: [http://java.sun.com/javase/6/docs/api/java/security/MessageDigest.html]
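The following is an added example (not code from the thread) that puts Frank's advice in the first post and the salt tables above into working Java: a random salt and an iteration count per user, PKCS#5 PBKDF2 as the digest, and login verification by recomputing and comparing the stored hash. It assumes Java 8 or later for PBKDF2WithHmacSHA256 and java.util.Base64, so it will not run on the JDK 1.3 of the original question; the record format "iterations$salt$hash" is this example's own choice.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/** Salted, iterated password hashing (PKCS#5 PBKDF2) plus login verification. */
public class PasswordHasher {
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100_000;   // the "iteration count" stored with each record
    private static final int HASH_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    /** PBKDF2(password, salt, iterations): same inputs always give the same output. */
    static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, HASH_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();   // PBEKeySpec keeps its own copy of the password; wipe it
        }
    }

    /** At registration: fresh random salt per user; store "iterations$salt$hash" in the user row. */
    public static String register(char[] password) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        RNG.nextBytes(salt);
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(hash);
    }

    /** At login: recompute with the stored salt and iteration count, then compare the hashes. */
    public static boolean login(char[] password, String storedRecord) throws GeneralSecurityException {
        String[] parts = storedRecord.split("\\$");   // '$' never appears in Base64 output
        if (parts.length != 3) {
            return false;   // malformed record: never accept it
        }
        int iterations = Integer.parseInt(parts[0]);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[1]);
        byte[] expected = b64.decode(parts[2]);
        byte[] actual = pbkdf2(password, salt, iterations);
        // Constant-time comparison; Arrays.equals would stop at the first differing byte.
        return MessageDigest.isEqual(expected, actual);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "hunter2".toCharArray();     // constructed sample password
        // Two users who chose the same password, like bdlh and kumar in the table above.
        String bdlh = register(pw);
        String kumar = register(pw);
        System.out.println("stored records identical? " + bdlh.equals(kumar));   // salts differ
        System.out.println("bdlh login with right password: " + login(pw, bdlh));
        System.out.println("bdlh login with wrong password: " + login("hunter3".toCharArray(), bdlh));
        System.out.println("stored record for bdlh: " + bdlh);
    }
}
```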

  • TS4040 I assumed this would help my problem with not being able to open apps like Preview or TextEdit since I installed Mountain Lion. Instead, first I'm prompted to enter a password, then once I do that, I get an error box telling me the Library needs re

    I assumed this would help my problem with not being able to open apps like Preview or TextEdit since I installed Mountain Lion. Instead, first I'm prompted to enter a password, then once I do that, I get an error box telling me the Library needs repairing. So I click on Repair, and once again I'm prompted for a password, which I enter, then the same error box opens, and so it goes. Can anyone help me with this problem? I'd greatly appreciate it.
    Thor

    Back up all data. Don't continue unless you're sure you can restore from a backup, even if you're unable to log in.
    This procedure will unlock all your user files (not system files) and reset their ownership and access-control lists to the default. If you've set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. Do so only after verifying that those settings didn't cause the problem. If none of this is meaningful to you, you don't need to worry about it.
    Step 1
    If you have more than one user account, and the one in question is not an administrator account, then temporarily promote it to administrator status in the Users & Groups preference pane. To do that, unlock the preference pane using the credentials of an administrator, check the box marked Allow user to administer this computer, then reboot. You can demote the problem account back to standard status when this step has been completed.
    Triple-click the following line to select it. Copy the selected text to the Clipboard (command-C):
    { sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; sudo chown -Rh $UID:staff ~ $_ ; sudo chmod -R u+rwX ~ $_ ; chmod -R -N ~ $_ ; } 2> /dev/null
    Paste into the Terminal window (command-V). You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning to be careful. If you don’t have a login password, you’ll need to set one before you can run the command. If you see a message that your username "is not in the sudoers file," then you're not logged in as an administrator.
    The command will take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear, then quit Terminal.
    Step 2 (optional)
    Step 1 should give you usable permissions in your home folder. This step will restore special attributes set by OS X on some user folders to protect them from unintended deletion or renaming. You can skip this step if you don't consider that protection to be necessary, and if everything is working as expected after step 1.
    Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select
    Utilities ▹ Terminal
    from the menu bar. A Terminal window will open.
    In the Terminal window, type this:
    res
    Press the tab key. The partial command you typed will automatically be completed to this:
    resetpassword
    Press return. A Reset Password window will open. You're not going to reset a password.
    Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Under Reset Home Directory Permissions and ACLs, click the Reset button.
    Select
     ▹ Restart
    from the menu bar.

  • Encrypt / Decrypt password

    Hi
    I'm new to Java and I need to create a function to encrypt / decrypt passwords using the Blowfish algorithm. I know how to create a key, but I don't know how to recover it to decrypt the password.
    Another question: is it possible to use public/private keys in this case???
    Can you give some links or examples please???
    Regards
    J.C.

    This is typically done in one of two ways:
    1) PBE based encryption. This uses a password or pass phrase to derive a key to use with a symmetric algorithm.
    2) Asymmetric using something like RSA. Typically RSA is used to wrap the actual symmetric key used to do the encryption, but for very short plaintext it can be used directly on the plaintext. Passwords are a good example of short plaintext.
    Obviously symmetric encryption is a great deal faster than asymmetric encryption. So if your plaintext was large you would want to use symmetric. Also, asymmetric encryption is length dependent. AKA if your public key's modulus is 1024 bits then you could encrypt any plaintext that was 121 bytes or shorter.
    PBE takes a salt (a random byte array) and an iteration count and hashes a passphrase with the salt iteration number of times to generate a key that can be reproduced over and over again and used with a symmetric algorithm. The issue here is that your salt/ic either need to be hard coded and reused or the values for any single encryption need to be saved along with the ciphertext. Using the same ic/salt for a large number of plaintext to ciphertext operations can lead to a weakening of the pass phrase (aka the key) and aids a cryptanalyst in breaking the code. Although it is still difficult, it becomes easier with each successive encryption.
    It's up to you which route you take, but you should note that private keys used in asymmetric encryption use PBE to keep them private anyway, so in a sense if you use asymmetric encryption you are really using both asymmetric encryption and PBE...
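An added example (not from this thread) of the PBE route the reply describes, for a secret that genuinely has to be recovered later (a stored credential for another system; a login password itself should be hashed as in the first thread): a random salt and the iteration count are turned into a symmetric key with PKCS#5 PBKDF2, and the salt, iteration count and IV of each encryption are saved next to the ciphertext so the key can be rebuilt on decrypt. It assumes Java 8 or later and uses AES-GCM in place of Blowfish; the "iterations$salt$iv$ciphertext" record layout is this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Password-based encryption: passphrase + stored salt/iterations -> AES key -> AES-GCM. */
public class PbeExample {
    private static final int SALT_BYTES = 16;
    private static final int IV_BYTES = 12;          // standard GCM nonce length
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 128;
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();

    /** Derive the AES key; the same passphrase, salt and count reproduce the same key. */
    static SecretKeySpec deriveKey(char[] passphrase, byte[] salt, int iterations)
            throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(passphrase, salt, iterations, KEY_BITS);
        try {
            byte[] keyBytes = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                    .generateSecret(spec).getEncoded();
            return new SecretKeySpec(keyBytes, "AES");
        } finally {
            spec.clearPassword();
        }
    }

    /** Fresh salt and IV per call; everything needed to decrypt (except the passphrase) is in the record. */
    public static String encrypt(char[] passphrase, String plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_BYTES];
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(salt);
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(passphrase, salt, ITERATIONS), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));   // ciphertext || GCM tag
        Base64.Encoder b64 = Base64.getEncoder();
        return ITERATIONS + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(iv)
                + "$" + b64.encodeToString(ct);
    }

    /** Rebuild the key from the stored parameters; a wrong passphrase or a modified record fails the tag check. */
    public static String decrypt(char[] passphrase, String record) throws GeneralSecurityException {
        String[] parts = record.split("\\$");
        if (parts.length != 4) {
            throw new IllegalArgumentException("malformed record");
        }
        int iterations = Integer.parseInt(parts[0]);
        Base64.Decoder b64 = Base64.getDecoder();
        byte[] salt = b64.decode(parts[1]);
        byte[] iv = b64.decode(parts[2]);
        byte[] ct = b64.decode(parts[3]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(passphrase, salt, iterations), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);   // throws AEADBadTagException on failure
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pass = "correct horse battery staple".toCharArray();   // constructed sample passphrase
        String r1 = encrypt(pass, "db-service-secret");                // constructed sample secret
        String r2 = encrypt(pass, "db-service-secret");
        System.out.println("records identical? " + r1.equals(r2));     // new salt and IV each time
        System.out.println("decrypted: " + decrypt(pass, r1));
        try {
            decrypt("wrong passphrase".toCharArray(), r1);
        } catch (GeneralSecurityException e) {
            System.out.println("wrong passphrase rejected: " + e.getClass().getSimpleName());
        }
    }
}
```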

  • Preview - PDF - Encrypt - Add password

    I am trying to be a loyal Mac user and rely on Preview for management of my secure PDF files.
    (I have used Adobe Acrobat Professional -AAP- for several years; I am trying to avoid installing it on my clean SL installation.)
    1.) How do I use Preview to open a PDF file created, encrypted, and password protected in AAP? (I get an error: The file “Secure.pdf” could not be opened. It may be damaged or use a file format that Preview doesn’t recognize."
    2.) Can someone give me simple step by step instructions to add Automator functions to Preview to allow me to encrypt and password protect individual files on a file by file basis?
    All of this is very simple in AAP. Seems unnecessarily difficult in SL...
    Help?

    Well, Dr. Midnight,
    There IS an answer. The "Password Protect PDF" file is a function in Automator that comes up as a Service in Preview.
    For me the problem is that Automator is not very intuitive and I am too old and too lazy to learn a new programming language just to replace/repair functionality that I had with Acrobat Professional in Leopard that got broken in Snow Leopard.
    Ok, - in truth - not broken, but moved and changed and made less easy to use. Preview becomes the default PDF handler in Snow Leopard. I though - ok - if Preview will do what Acrobat Professional used to do for me, I'll be a good little loyal Apple user and move from Acrobat Professional to Preview (and stop paying for Acrobat upgrades).
    Then I figured out it is a PITA to learn Automator and I learned that no one on this forum seems to know (or be willing to share) simple steps to enable one Automator Service.
    So I reinstalled Acrobat since I already own two licenses and since it does what I want simply and intuitively.
    By the way, thanks for checking in. Nice to know I am not all alone out here ....

  • Is there a way to de-encrypt the password field in dba_users

    Is there a way to de-encrypt the password field in dba_users

    Can you be a little more specific. I've forgotten my old password. Now, without the old password will it allow me to create a new password? I know that whenever I altered any user generally it won't ask for the old password. Then how does Oracle know who is an authentic user and who is not? Can you explain it.
    Regards.
    Satyaki De.

  • Lately I have been getting a rectangular screen titled Login Setting, with my Username and Password and asking me to Login.  This screen shows up on opening the computer and has never been seen before the last month or so.

    Lately I have been getting a rectangular screen titled Login Setting, with my Username and Password and asking me to Login. This screen shows up on opening the computer and has never been seen before the last month or so. It has one box titled Login Credentials with a username and password field and a second box titled Login Status at the bottom where it says "Profile not found" in red. I've never seen this before and ignoring it does not affect any operations. Is this legitimate or some kind of identity phishing?

    Hello,
    Have you done the recent Security updates?
    Is this from Sleep or on bootup?
    Timing is about right for the FlashBack attack.
    Disable Java in your Browser settings, not JavaScript.
    http://support.apple.com/kb/HT5241?viewlocale=en_US
    http://support.google.com/chrome/bin/answer.py?hl=en-GB&answer=142064
    http://support.mozilla.org/en-US/kb/How%20to%20turn%20off%20Java%20applets
    Flashback - Detect and remove the uprising Mac OS X Trojan...
    http://www.mac-and-i.net/2012/04/flashback-detect-and-remove-uprising.html
    In order to avoid detection, the installer will first look for the presence of some antivirus tools and other utilities that might be present on a power user's system, which according to F-Secure include the following:
    /Library/Little Snitch
    /Developer/Applications/Xcode.app/Contents/MacOS/Xcode
    /Applications/VirusBarrier X6.app
    /Applications/iAntiVirus/iAntiVirus.app
    /Applications/avast!.app
    /Applications/ClamXav.app
    /Applications/HTTPScoop.app
    /Applications/Packet Peeper.app
    If these tools are found, then the malware deletes itself in an attempt to prevent detection by those who have the means and capability to do so. Many malware programs use this behavior, as was seen in others such as the Tsunami malware bot.
    http://reviews.cnet.com/8301-13727_7-57410096-263/how-to-remove-the-flashback-malware-from-os-x/
    http://x704.net/bbs/viewtopic.php?f=8&t=5844&p=70660#p70660
    The most current flashback removal instructions are F-Secure's Trojan-Downloader:OSX/Flashback.K.
    https://www.securelist.com/en/blog/208193454/Flashfake_Removal_Tool_and_online_checking_site
    More bad news...
    https://www.securelist.com/en/blog/208193467/SabPub_Mac_OS_X_Backdoor_Java_Exploits_Targeted_Attacks_and_Possible_APT_link

  • SOS!!! can not type username/password with heart symbol () to login with keyboard.

    My child accidentally added a heart symbol (♥) to the username, and now I cannot log in to my MacBook Air as I cannot type the ♥ symbol with the keyboard. Apple tech service said no such experience before.

    If the user account is associated with an Apple ID, and you know the Apple ID password, then maybe the Apple ID can be used to reset your user account password.
    Otherwise*, boot into Recovery mode. When the OS X Utilities screen appears, select
    Utilities ▹ Terminal
    from the menu bar. In the window that opens, type this:
    res
    Press the tab key. The partial command you typed will automatically be completed to this:
    resetpassword
    Press return. A Reset Password window opens. Close the Terminal window to get it out of the way.
    Select your boot volume ("Macintosh HD," unless you gave it a different name) if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Follow the prompts to reset the password. It's safest to choose a password that includes only the characters a-z, A-Z, and 0-9.
    Select
     ▹ Restart
    from the menu bar.
    You should now be able to log in with the new password, but your Keychain will be reset (empty.) If you've forgotten the Keychain password (which is ordinarily the same as your login password), there's no way to recover it.
    *Note: If you've activated FileVault, this procedure doesn't apply. Follow instead these instructions.

  • WRT54GS Ver.1 - password(s) not working to login to router

    When I try to login to my router, after 3 tries, I get 401 unauthorized.  How do I reset my password so that I can login?  I don't know why it won't take the "default" one, nor the other 2 that I "normally" use.  Can anyone help me, please?
    thanks,

    If you had to set up the router the first time, then yes. After the reset, you will need to reconfigure the router.
    The box said windows xp or better... So I installed Linux!

  • What to do , i forgot my encrypt backup password

    what to do , i forgot my encrypt backup password......? pls help
    i want to change it or re set it or de activate it ...?

    Warning: If you encrypt an iPhone backup in iTunes and then forget your password, you will not be able to restore from backup and your data will be unrecoverable. If you forget the password, you can continue to back up and use the device, however you will not be able to restore the encrypted backup to any device without the password. You do not need to enter the password for your backup each time you back up or sync.
    If you cannot remember the password and want to start again, you must perform a full software restore and when iTunes prompts you to select the backup from which to restore, choose set up as a new device.
    The above comes from this article:
    iTunes: About iOS backups

  • IOS7 shows full passwords for all safari websites. How can I encrypt stored passwords?

    If you go into settings
    safari
    passwords and autofill
    saved passwords
    then click any website
    after typing your lock code you can see your full ID and Password for all websites visited.
    I think this is a serious security issue. All someone needs is your code and they can have access to all your passwords.
    Shouldn't the passwords be encrypted or just show dots?

    This is not possible, the passcode is the "only" protection towards keeping this data safe. All browsers handle the keychain in the exact same way.
    Chrome
    http://www.engadget.com/2013/08/07/chrome-saved-passwords/
    Firefox
    https://support.mozilla.org/en-US/kb/password-manager-remember-delete-change-passwords
    Internet Explorer
    http://answers.microsoft.com/en-us/ie/forum/ie9-windows_7/how-do-i-retrieve-saved-passwords-in-ie9/49e36195-5096-489c-a85e-b539fc9d6513?page=1

  • HT5624 Hi, I have an iPad with a different iCloud username and password than my Apple ID. I forgot my iCloud password and the email I used is no longer working. How do I change my iCloud ID and password to match my Apple ID one? Thanks in advance

    Hi, I have an iCloud account with a different iCloud username and password than my Apple ID. I forgot my iCloud password and the email I used is no longer in use. How do I change my iCloud username and password to match my Apple ID one? Thanks in advance

    Hi Cplantin!
    Here is an article for you that will help you with this question:
    iOS 7: If you're asked for the password to your previous Apple ID when signing out of iCloud
    http://support.apple.com/kb/TS5223
    Take care, and thanks for visiting the Apple Support Communities.
    -Braden

  • I have an iphone4. every time i turn it on i get an old I.D. and a message saying, "Apple password " then my email address  and asks for the password. I have a different account that itunes on my computer recognizes.  How do i remove this from my phone?

    I have an iPhone 4. Every time I turn it on I get an old ID and a message saying "Apple password", then my email address, and it asks for the password. I have a different account that iTunes on my computer recognizes. How do I remove this from my phone?

    To remove that account:
    go to Settings > iTunes & App Stores > tap that Apple ID, then Sign Out.
