Secure a Login Password

Some security questions; sorry, I am new to security and JSF, so please correct me.
1. I am going to design a login page using JSF that allows the user to enter a username and password and submit. Is it secure enough if I use a Message Digest to hash the password after the user clicks submit and compare it to the database (assume that I store the hashed password in the database)? Or any other suggestion to secure the login page?
2. If I choose to use SSL to secure the username and password, do I still need to encrypt or hash the password when the user clicks submit?
3. If the web site provides the user a 'Remember Me' function and stores the value in cookies, is the cookie side secure? Do I need to encrypt the cookies?
4. I read some forum where somebody is using HTTPS; can someone explain to me how HTTPS is more secure than HTTP?

1. Is it secure enough if I use a Message Digest to hash the password after the user clicks submit and compare it to the database? Yes. That's what is normally done.
2. If I choose to use SSL to secure the username and password, do I still need to encrypt or hash the password when the user clicks submit? You should never send the password anywhere, just its digest. This is standard security practice.
3. If the web site provides the user a 'Remember Me' function and stores the value in cookies, is the cookie side secure? Do I need to encrypt the cookies? Depends on what's in them, doesn't it?
4. I read some forum where somebody is using HTTPS; can someone explain to me how HTTPS is more secure than HTTP? Because it runs over SSL, where HTTP just runs over plaintext TCP.
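For points 1 and 3 of the exchange above, an added example in Python (my code, not the poster's JSF page or any JSF/JAAS API; the technique is language-independent): the server stores a salted, iterated hash and compares it in constant time, and the 'Remember Me' cookie carries a random server-signed token instead of the password. The function names, iteration count, server key and sample user are assumptions constructed for the illustration.

```python
"""Server side of a password login plus a 'Remember Me' cookie.

Added example, not code from the original post or from JSF/JAAS.  All names,
the iteration count, the server key and the sample user are assumptions
constructed for this illustration.
"""
import hashlib
import hmac
import os
import secrets
import time
from typing import Dict, Optional, Tuple

# Point 1: store a salted, iterated hash rather than a bare one-shot digest, so
# two users with the same password get different records and guessing is slow.
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune to your hardware

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' for the database."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, digest_hex = parts
    try:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record
        return False

# Constructed user table: what the database row holds after registration.
USERS: Dict[str, str] = {"alice": hash_password("correct horse battery staple")}
_DUMMY_HASH = hash_password("")  # checked for unknown users so timing is uniform

def login(username: str, password: str) -> bool:
    """Submit handler: the plaintext password is never stored or compared directly."""
    stored = USERS.get(username)
    if stored is None:
        verify_password(password, _DUMMY_HASH)  # same cost as a real check
        return False
    return verify_password(password, stored)

# Point 3: the cookie carries a random token, not the password or its hash.
# The server keeps only a hash of the token, and the cookie is HMAC-signed so
# an edited or forged value is rejected before any lookup.
SERVER_KEY = secrets.token_bytes(32)  # in practice loaded from configuration
REMEMBER_ME_TOKENS: Dict[str, Tuple[str, int]] = {}  # sha256(token) -> (user, expiry)

def issue_remember_me(username: str, ttl_seconds: int = 14 * 24 * 3600,
                      now: Optional[int] = None) -> str:
    """Create the cookie value 'user:expiry:token:mac' and remember the token."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(32)  # url-safe alphabet, never contains ':'
    expiry = now + ttl_seconds
    REMEMBER_ME_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, expiry)
    payload = f"{username}:{expiry}:{token}"
    mac = hmac.new(SERVER_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}:{mac}"

def check_remember_me(cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username if the cookie is untampered, unexpired and known."""
    now = int(time.time()) if now is None else now
    parts = cookie.split(":")
    if len(parts) != 4:
        return None
    username, expiry, token, mac = parts
    expected = hmac.new(SERVER_KEY, f"{username}:{expiry}:{token}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None  # signature check first: forged cookies never reach the store
    record = REMEMBER_ME_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())
    if record is None or record[0] != username or now >= record[1]:
        return None
    return username

if __name__ == "__main__":
    print("login ok:", login("alice", "correct horse battery staple"))
    print("login bad:", login("alice", "hunter2"))
    cookie = issue_remember_me("alice")
    print("cookie accepted for:", check_remember_me(cookie))
    print("tampered cookie accepted for:", check_remember_me(cookie[:-1] + "!"))
```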

Similar Messages

  • New iMac. I got rid of the login password from Security and Accounts and restarted. Now it asks for a username and password and it's not accepting anything. Any ideas?

    New iMac. I got rid of the login password from Security and Accounts and restarted. Now it asks for a username and password and it's not accepting anything. Any ideas?

    First, reset your password as follows.
    Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select Utilities ▹ Terminal from the menu bar.
    In the Terminal window, type this:
    resetpassword
    That's one word with no spaces. Then press return. A Reset Password window opens.
    Select your boot volume if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Follow the prompts to reset the password. It's safest to choose a password that includes only the characters a-z, A-Z, and 0-9.
    Select  ▹ Restart from the menu bar.
    You should now be able to log in with the new password, but you won't be able to unlock the Keychain. If you've forgotten the Keychain password (which is ordinarily the same as your login password), there's no way to recover it. You’ll need to reset your keychain in the preferences of the Keychain Access application.
    If you're being prompted to authenticate when making changes to files inside your home folder, continue as follows.
    Back up all data now.
    This procedure will unlock all your user files (not system files) and reset their ownership and access-control lists to the default. If you've set special values for those attributes on any of your files, they will be reverted. In that case, either stop here, or be prepared to recreate the settings if necessary. If none of this is meaningful to you, you don't need to worry about it.
    Step 1
    Launch the Terminal application in any of the following ways:
    ☞ Enter the first few letters of its name into a Spotlight search. Select it in the results (it should be at the top.)
    ☞ In the Finder, select Go ▹ Utilities from the menu bar, or press the key combination shift-command-U. The application is in the folder that opens.
    ☞ Open LaunchPad. Click Utilities, then Terminal in the icon grid.
    Drag or copy — do not type — the following line into the Terminal window, then press return:
    sudo chflags -R nouchg,nouappnd ~ $TMPDIR.. ; sudo chown -R $UID:20 ~ $_ ; chmod -R -N ~ $_ 2> /dev/null
    Be sure to select the whole line by triple-clicking anywhere in it. You'll be prompted for your login password, which won't be displayed when you type it. You may get a one-time warning not to screw up. You don't need to post the warning. If you don’t have a login password, you’ll need to set one before you can run the command.
    The command will take a noticeable amount of time to run. Wait for a new line ending in a dollar sign (“$”) to appear, then quit Terminal.
    Step 2
    Boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select Utilities ▹ Terminal from the menu bar. A text window opens.
    In the Terminal window, type this:
    resetpassword
    That's one word with no spaces. Then press return. A Reset Password window opens. You’re not going to reset a password.
    Select your boot volume if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Under Reset Home Directory Permissions and ACLs, click the Reset button.
    Select  ▹ Restart from the menu bar.

  • JAAS Exception : javax.security.auth.login.FailedLoginException: Password

    Hi All,
    I am using JBOSS 4.0.5 GA Application Server. Eclipse3.0 IDE. Using JAAS 1.0 for authentication in login module.
    While it is running under the command prompt it runs successfully, as below:
    F:\Sample_Jaas1>java myapp.SomeStandAloneClient
    Logging in user: testUser
    Inside initialize method of SampleLoginModule
    Inside login method of SampleLoginModule
    Before call to callback handler
    After call to call back handler
    [SampleLoginModule] user entered username: testUser
    [SampleLoginModule] user entered password: testPassword
    [SampleLoginModule] authentication succeeded
    [SampleLoginModule] added SamplePrincipal to Subject
    Successfully logged in user: testUser
    User logged in successfull
    //Login.java
    final String authFile = "Some.config";
    System.out.println("Before setting system properties");
    System.setProperty("java.security.auth.login.config", authFile);
    System.out.println("After setting system properties");
    MyCallbackHandler handler = new MyCallbackHandler(username, password);
    try {
        LoginContext lc = new LoginContext("someXYZLogin", handler);
        System.out.println("Instantiate Login Context");
        lc.login();
        //*****when I am calling the lc.login() method it is throwing the exceptions***
        System.out.println("After calling login method");
        System.out.println("Successfully logged in user: " + username);
    } catch (LoginException le) {
        System.out.println("Login failed");
        le.printStackTrace();
    }

    //Some.config ---Config file
    someXYZLogin {
        dao.SampleLoginModule required debug=true;
    };

    //SampleLoginModule.java
    public boolean login() throws LoginException {
        System.out.println("Inside login method of SampleLoginModule");
        if (callbackHandler == null)
            throw new LoginException("Error: no CallbackHandler available " +
                    "to garner authentication information from the user");
        Callback[] callbacks = new Callback[2];
        callbacks[0] = new NameCallback("SampleModule username: ");
        callbacks[1] = new PasswordCallback("SampleModule password: ", false);
        try {
            System.out.println("Before call to callback handler");
            callbackHandler.handle(callbacks);
            username = ((NameCallback) callbacks[0]).getName();
            char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
            System.out.println("After call to call back handler");
            if (tmpPassword == null) {
                // treat a NULL password as an empty password
                tmpPassword = new char[0];
            }
            // keep a private copy, then clear the callback's copy
            password = new char[tmpPassword.length];
            System.arraycopy(tmpPassword, 0, password, 0, tmpPassword.length);
            ((PasswordCallback) callbacks[1]).clearPassword();
        } catch (java.io.IOException ioe) {
            throw new LoginException(ioe.toString());
        } catch (UnsupportedCallbackException uce) {
            throw new LoginException("Error: " + uce.getCallback().toString() +
                    " not available to garner authentication information " +
                    "from the user");
        }
        // ... remainder of the method (credential check and return value) not included in the post
    }
    When it was running with JBOSS Server it is throwing the following exception:
    09:45:21,484 ERROR [STDERR] javax.security.auth.login.FailedLoginException: Password Incorrect/Password Required
    09:45:21,484 ERROR [STDERR] at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:213)
    09:45:21,500 ERROR [STDERR] at org.jboss.security.auth.spi.UsersRolesLoginModule.login(UsersRolesLoginModule.java:152)
    09:45:21,500 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    09:45:21,500 ERROR [STDERR] at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at java.lang.reflect.Method.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.invoke(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.access$000(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext$4.run(Unknown Source)
    09:45:21,500 ERROR [STDERR] at java.security.AccessController.doPrivileged(Native Method)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.invokeModule(Unknown Source)
    09:45:21,500 ERROR [STDERR] at javax.security.auth.login.LoginContext.login(Unknown Source)
    Can anybody please tell me what the problem might be?
    Thanks in Advance

    Franky Ronald D'Souza wrote:
    I am trying to connect to SQL Server 2000 from a JSP (Weblogic 7.0) using a
    connection pool. (Without datasource etc). I am getting the above mentioned
    exception.
    If I connect through sun.jdbc.odbc it works fine. I don't know what I am
    doing wrong. Can anyone help out with this problem?
    Whose SQL Server driver are you using? Can you connect to the DBMS using the
    driver in a simple standalone program?
    Joe
    thnx in advance.
    Franky

  • Keychain Security Password vs. Keychain Login Password

    Hi,
    Does anyone happen to know anything about the keychain SECURITY password? I know what my keychain LOGIN password is and have been able to change it. I don't remember setting up a keychain security password and I haven't been able to find information on how to change it or access it or even find out more about it.
    Thanks,
    Securitied Out

    However under security, when I go in I can unlock it with my login password which is the same as my keychain login password.
    I'm a bit confused. I see no security menu item within Keychain Access. Exactly what are you referencing? Additionally, under the Security prefPane in System Preferences, there are only two items requiring a password under the General tab.
    But to access the network access information I have in it it won't allow me in when I use my login password.
    Where are you trying to access this information? There's nothing in Keychain Access, that I can see, that deals with network access.
    In the listing after date modified under the keychain heading what I see is System not login like Login file above. So I'm trying to find out what that is all about and just have no clue and am a bit frustrated.
    Once, again, I have no idea exactly what you're trying to do or where you're doing it. You need to be more explicit and provide the steps and utilities/applications you're using.

  • How do I reset my forgotten Mac Book Pro login password ?

    The "help" on my MacBook Pro insists I can change my forgotten login password by using my Apple ID and password, by simply hitting the arrow beside the login password box. It appears after a failed attempt to enter your password at login; however, the drop-down menu does not appear. The whole box shakes and that is all. In other places such as Security & Privacy all attempts are blocked, because I am asked to enter my (forgotten) password.
    Please advise, kind apple lovers.
    x

    If the user account is associated with an Apple ID, and you know that account password, the Apple ID can be used to reset your user account password.
    Otherwise, boot into Recovery by holding down the key combination command-R at startup. Release the keys when you see a gray screen with a spinning dial.
    When the OS X Utilities screen appears, select Utilities ▹ Terminal from the menu bar.
    In the Terminal window, type this:
    resetpassword
    That's one word with no spaces. Then press return. A Reset Password window opens.
    Select your boot volume if not already selected.
    Select your username from the menu labeled Select the user account if not already selected.
    Follow the prompts to reset the password. It's safest to choose a password that includes only the characters a-z, A-Z, and 0-9.
    Select  ▹ Restart from the menu bar.
    You should now be able to log in with the new password, but you won't be able to unlock the Keychain. If you've forgotten the Keychain password (which is ordinarily the same as your login password), there's no way to recover it. You’ll need to reset your keychain in the preferences of the Keychain Access application.

  • Create a login page with NI Security Programmatic Login.vi

    Hi everyone,
    I'm trying to create a login page that takes the username and password of users, then authorizes the user information with the Domain Account Manager to recognize the user's identity.
    I googled and saw that NI Security Programmatic Login.vi can allow me to create a login page, and it works. However, the problem I have is redirecting to other pages after authorizing.
    NI Security Programmatic Login.vi only outputs a string to show the status of the authentication; it doesn't output a boolean like true or false.
    Does anyone have a solution to help me?
    Thank you.
    This is my screen shot:

    Thank you for your suggestion. I've done the checking task but I don't know how to call a subVI.
    As you can see in the images I posted below, I have a login page with its diagram, and the main page that I want to show after logging in correctly.
    So should the main page be the subVI, or the login page? And can you tell me how to show the main page after logging in correctly?
    I also don't know how to refresh the page if the login information is incorrect. Do you have any solution?
    Thank you so much.

  • Printing from InDesign asking for computer login password

    Hi. Just got a new Mac Pro, CS4 Design Premium. Every time I print from InDesign it asks for the computer login password. Never happened with CS3. Is there any way to avoid the job being held in the printer's dialog box, waiting for authentication? No problems printing from Acrobat, Photoshop or Entourage etc. Checked computer preferences; nothing shows that permission/security restrictions are applied. What could cause print jobs from InDesign to be held?
    Here's what it says in the Status field: On Hold (Authentication required)... so I have to click "Resume" every time, enter the password and only then it prints.
    Printer: HP 5100 LaserJet. HP did not associate this issue with the printer or drivers. Please help. Thanks!

    Thanks for your help, Marvin!
    Sharing has been set up, PW is in the keychain. Still asking for "authentication"...
    After talking to Adobe tech support, here's the answer:
    "Issue:  When attempting to print, customer is continually asked to authenticate.
    Resolution:  Printer is possibly too old to understand the print data InDesign is outputting. Try updating drivers or using a newer printer".
    I guess I will request a new printer from management; mine is from 2003...

  • OC4J 10.1.3.1 Need to find oracle.security.jazn.login.module.db.util pckg

    Hi,
    I managed to configure Oracle's DBTableOraDataSourceLoginModule together with JavaSSO to access two tables which reside on a 9i database. One is the users table and the other a roles table. The only problem is that the users' passwords should be encrypted in this table.
    I followed the instructions in the Oracle Containers for J2EE Security Guide page 9-10 - Implementing DBLoginModuleEncodingInterface for Password Encryption, and specified in the pw_encoding_class parameter
    the DBLoginModuleSHA1Encoder class provided in the oracle.security.jazn.login.module.db.util package.
    I also wrote a small program to do the encryption in the table, using a getKeyDigestString method found in DBLoginModuleSHA1Encoder class of a sample dblogin module downloaded from a link in Lucas Jellema's article on how to secure an application developed with JDeveloper and deployed in OC4J. I used this class because I could not find the one mentioned in the Oracle documentation.
    Now the DBTableOraDataSourceLoginModule rejects the login with an invalid password message. It seems the encoding is calculated differently in the two classes. I tried to use the sample dblogin module in the javasso specification, and got a - no class found - message. I tried to locate the oracle.security.jazn.login.module.db.util package to use in the password encoding program, but I couldn't find it anywhere in either OC4J nor JDeveloper directories.
    Can you tell me where to find the oracle.security.jazn.login.module.db.util package ?
    Thanks for help.
    Gustavo

    Hi
    I also tried the same and found the encryption module working fine for me.
    I could do this only on JDeveloper 10g, whereas when I attempted the same on JDeveloper 11g, I got lots of problems.
    Will you please help out in this regard? If you have already been able to achieve the same on JDeveloper 11g TP3, please let me know the steps or any relevant URL I can refer to.
    Thanks in advance
    Kind Rgds
    Krishnamurthy. R

  • Do I have to use a login password?

    Do I have to use a login password?  If not, how can I change the setting so I'm not required to enter it each time I log on?
    Thanks!

    Open the Users & Groups and Security panes of System Preferences and ensure that automatic login isn't disabled.

  • Weblogic.security.auth.login.UsernamePasswordLoginModule only accepts uid=weblogic & pw=weblogic (Why?)

    I am playing (learning) with weblogic.security.auth.login.UsernamePasswordLoginModule
    as a LoginModule using JAAS based authentication. Surprisingly, the only userid
    and password combination acceptable is uid=weblogic, pw=weblogic combination.
    I went through and looked at the example code under
    http://e-docs.bea.com/wls/docs70/security/cli_apps.html#1042212. I found that
    the UsernamePasswordLoginModule.login calls into
    if (url != null) {
        Environment env = new Environment();
        env.setProviderUrl(url);
        env.setSecurityPrincipal(username);
        env.setSecurityCredentials(password);
        try {
            Authenticate.authenticate(env, subject);
            // ... (catch/finally and the rest of the method not quoted here)
    It seems that UsernamePasswordLoginModule is only a router, as it instantiates an
    instance of Environment using the userid and password and passes this Environment
    instance (env) to Authenticate.authenticate along with the empty Subject instance.
    I read about that the Subject instance will be filled in with Principals by the
    WL Server.
    My question is that firstly,
    1. As Authenticate.authenticate is not passed in the uid and pw, will it pick
    those from the env?
    2. Secondly, why does it only accept uid=weblogic & pw=weblogic.
    I would appreciate it if someone could put me in the right direction.
    Khalid R. Rizvi
    508-641-1192

    Hi,
    The authenticate method would take the user and the password details from the environment
    (env) that is passed and after successful authentication would populate the subject with
    the principals (i.e user, group the user belongs to ..)
    It should work with any user that is defined in the WLS not just weblogic/weblogic.
    Do you have any other users defined and which group do they belong to?
    Vimala
    Khalid Rizvi wrote:
    I am playing (learning) with weblogic.security.auth.login.UsernamePasswordLoginModule
    as a LoginModule using JAAS based authentication. Surprisingly, the only userid
    and password combination acceptable is uid=weblogic, pw=weblogic combination.
    I went through and looked at the example code under
    http://e-docs.bea.com/wls/docs70/security/cli_apps.html#1042212. I found that
    the UsernamePasswordLoginModule.login calls into
    if (url != null) {
        Environment env = new Environment();
        env.setProviderUrl(url);
        env.setSecurityPrincipal(username);
        env.setSecurityCredentials(password);
        try {
            Authenticate.authenticate(env, subject);
            // ... (catch/finally and the rest of the method not quoted here)
    It seems that UsernamePasswordLoginModule is only a router, as it instantiates an
    instance of Environment using the userid and password and passes this Environment
    instance (env) to Authenticate.authenticate along with the empty Subject instance.
    I read about that the Subject instance will be filled in with Principals by the
    WL Server.
    My question is that firstly,
    1. As Authenticate.authenticate is not passed in the uid and pw, will it pick
    those from the env?
    2. Secondly, why does it only accept uid=weblogic & pw=weblogic.
    I would appreciate it if someone could put me in the right direction.
    Khalid R. Rizvi
    508-641-1192

  • How to avoid exposing oracle login password in a script?

    Hello,
    How do I avoid exposing the oracle login password in a script?
    Thank you.

    Script is run from another server. I was looking into OPS$ but if I ran the script from a remote server I would have to set the remote_os_authent to TRUE. But that might cause some security issue. Is there a feature in the listener I can set so that if I set the remote_os_authent to TRUE, the listener will only let those remote servers I pre-specify? Thanks.

  • Xmii login password restrictions

    Hi,
    We want to make the xMII login password more secure by adding length restrictions, special characters, etc.
    We are using xMII 11.5.3 b66, please advise how to put password restriction if it is possible with this xMII version.
    Thanks and Regards,
    Alok

    You would need to use another mechanism to provide your authentication, such as LDAP, which can be configured in LHSecurity.
    Regards,
    Jamie

  • About R/3 Login Password

    Hi all..
    I want to know how to compare an entered field value with the R/3 login password.
    I'm sure that there are functions or BAPIs, but I can't find them.
    Thank you for your answer..

    I believe that the R/3 login password is encrypted/decrypted at the kernel level. I believe that what you are looking to do is a security issue and most likely will not be supported by SAP via a BAPI or function module.
    Helpful threads....
    Logon data - user password
    Password Fields
    How is the user password in SAP R/3 encrypted?
    Regards,
    Rich Heilman

  • Reset a Login Password

    OS X Mountain Lion
    I read somewhere that if someone forgets the login password, it can be reset by restarting the Mac and holding Command+R (Recovery HD partition).
    From the menu, choose Utilities --> Terminal and then type resetpassword and bla bla bla.
    Now, I wonder, if all the above is true, what is the purpose of a login password?

    That is true.
    There are security measures that you can take to protect your computer.
    1. Do not let others use your computer.
    2. Set Firmware password.
    3. Use FileVault encryption.
    For more on this:
    http://support.apple.com/kb/PH10580

  • Heap Problem with weblogic.security.auth.login.PasswordCredential

    Hello,
    I am calling EJB's from a Tomcat 6.0.20. The EJB's are contained on a Weblogic 10 mp2. For getting EJBHome, I'm using the following InitialContext-Call:
    EJBHome home = null;
    try {
        Properties initialContextProps = new Properties();
        initialContextProps.put(InitialContext.INITIAL_CONTEXT_FACTORY, initialContextFactory);
        initialContextProps.put(InitialContext.SECURITY_PRINCIPAL, username);
        initialContextProps.put(InitialContext.SECURITY_CREDENTIALS, password);
        initialContextProps.put(InitialContext.PROVIDER_URL, url);
        initialContext = new InitialContext(initialContextProps);
        Object objref = this.initialContext.lookup(jndiHomeName);
        home = (EJBHome) PortableRemoteObject.narrow(objref, narrowClass);
    } finally {
        // the context is closed on every path, yet the credential objects still accumulate
        if (initialContext != null) {
            try {
                initialContext.close();
            } catch (Throwable t) {
                // ignored
            }
        }
    }
    return home;
    The problem is that after a bulk test on the Tomcat (Xmx=256MB), 200MB are filled with 1.500.000 instances of the following class:
    weblogic.security.auth.login.PasswordCredential
    Does somebody have an idea how to remove these classes from the Tomcat heap, because now the result is an OutOfMemory?
    Best regards,
    sebbay

