Specific to the security of passwords: hashing, entropy, cracking, resets, lockouts, etc.
360 votes, 20 answers, 56k views
XKCD #936: Short complex password, or long dictionary passphrase?
How accurate is this XKCD comic from August 10, 2011?
[image: XKCD 936: Password Strength]
I've always been an advocate of long rather than complex passwords, but most security people (at least the ones ...
207 votes, 13 answers, 36k views
What technical reasons are there to have low maximum password lengths?
I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites I actually care about ...
198 votes, 16 answers, 18k views
How does changing your password every 90 days increase security?
Where I work I'm forced to change my password every 90 days. This security measure has been in place in many organizations for as long as I can remember. Is there a specific security vulnerability ...
194 votes, 9 answers, 20k views
Is my developer's home-brew password security right or wrong, and why?
Our developer, let's call him 'Dave', insists on using a home-brew script for hashing passwords. See Dave's proposal below.
We have already researched and adopted an industry standard protocol using ...
168 votes, 13 answers, 27k views
Are passwords stored in memory safe?
I just realized that, in any language, when you save a password in a variable, it is stored as plain text in the memory.
I think the OS does its job and forbids processes from accessing each other's ...
168 votes, 4 answers, 40k views
Do any security experts recommend bcrypt for password storage?
On the surface bcrypt, an 11-year-old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based on the initialization function used in the NIST approved ...
134 votes, 19 answers, 7k views
Passwords Being Sent in Clear Text Due to Users' Mistake in Typing it in the Username Field
Upon reviewing the logs generated by different SIEMs (Splunk, HP Logger Trial and the AlienVault platform’s SIEM) I noticed that for some reason quite a few users tend to make the mistake of typing ...
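The situation in the question above, a password landing in the username field of a failed-login event, is something a SIEM can both detect and contain. The following is an added example, not code from the question or from any of the SIEM products named in it. It assumes a constructed key=value log format (not the syntax of Splunk, HP Logger or AlienVault) and an assumed organisational username policy (lowercase, starts with a letter, 3 to 32 characters); both are stated in comments. A failed login whose "username" falls outside that policy is flagged, the confidence is raised when a successful login from the same source follows within two minutes (the user retyped correctly), and the retained copy of the event has the value redacted so the SIEM does not become the place where the password is stored in clear text.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed username policy for the organisation (an assumption made for this
# example): starts with a letter, then lowercase letters/digits/._-, 3-32 chars.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9._-]{2,31}$")
# Users also commonly type their e-mail address into the username box; that is
# a mistake but not a leaked secret, so it is excluded from alerting.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
# Constructed log format for this example (not the syntax of any real SIEM):
# '<iso timestamp> <auth-failure|auth-success> key=value key="quoted value" ...'
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>auth-failure|auth-success) (?P<kv>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"|(\w+)=(\S+)')
# A failure followed by a success from the same source inside this window is
# the classic "typed the password in the username box, then logged in" pattern.
CORRELATION_WINDOW = timedelta(seconds=120)

# Constructed sample log (assumed data, not from the question's environment).
SAMPLE_LOG = """\
2011-08-10T09:14:02Z auth-failure user="jsmith" src=10.0.0.5 app=vpn
2011-08-10T09:14:20Z auth-failure user="Summer2011!" src=10.0.0.5 app=vpn
2011-08-10T09:14:31Z auth-success user="jsmith" src=10.0.0.5 app=vpn
2011-08-10T10:02:11Z auth-failure user="bob.lee@example.com" src=10.0.0.9 app=vpn
2011-08-10T11:45:00Z auth-failure user="Tr0ub4dor&3" src=10.0.0.22 app=vpn
2011-08-10T11:50:00Z auth-success user="mgarcia" src=10.0.0.22 app=vpn
""".splitlines()


@dataclass
class Alert:
    ts: datetime
    src: str
    confidence: str      # "high" if a success from the same src followed in time
    redacted_line: str   # the event as it should be retained by the SIEM


def parse(line: str):
    """Split one constructed log line into (timestamp, event, fields) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = {}
    for k1, v1, k2, v2 in KV_RE.findall(m.group("kv")):
        fields[k1 or k2] = v1 if k1 else v2
    ts = datetime.fromisoformat(m.group("ts").replace("Z", "+00:00"))
    return ts, m.group("event"), fields


def looks_like_secret(user: str) -> bool:
    """A failed-login 'username' outside the policy charset is probably a password."""
    return not USERNAME_RE.match(user) and not EMAIL_RE.match(user)


def redact(line: str, user: str) -> str:
    """Keep the event but not the value; the length alone is enough for triage."""
    return line.replace(f'user="{user}"', f'user="<redacted {len(user)} chars>"')


def find_suspected_leaks(lines) -> list:
    events = []
    for ln in lines:
        parsed = parse(ln)
        if parsed:
            events.append((ln, parsed))
    alerts = []
    for i, (line, (ts, event, f)) in enumerate(events):
        if event != "auth-failure":
            continue
        user = f.get("user", "")
        if not looks_like_secret(user):
            continue
        confidence = "medium"
        # Look ahead (events are assumed time-ordered) for the corrected login.
        for _, (ts2, ev2, f2) in events[i + 1:]:
            if ts2 - ts > CORRELATION_WINDOW:
                break
            if ev2 == "auth-success" and f2.get("src") == f.get("src"):
                confidence = "high"
                break
        alerts.append(Alert(ts, f.get("src", "?"), confidence, redact(line, user)))
    return alerts


if __name__ == "__main__":
    for a in find_suspected_leaks(SAMPLE_LOG):
        print(a.confidence, a.src, a.redacted_line)
```

On the constructed sample this yields two alerts: the "Summer2011!" failure is high confidence because the same source logged in as jsmith eleven seconds later, and the "Tr0ub4dor&3" failure stays medium because the later success falls outside the window; the e-mail address is not alerted on. In a real deployment the follow-up is to force a password change for the account that succeeded from that source and to make sure the redacted form is what the log pipeline stores, since the log store itself is rarely protected to the standard a password database is.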
120 votes, 7 answers, 8k views
How to store salt?
Nowadays, if we expect to store user passwords securely, we need to at least do the following:
$pwd=hash(hash($password) + salt)
then store $pwd in your system instead of the real password. I have ...
105 votes, 11 answers, 13k views
How to securely hash passwords?
If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone?
I should point out that this relates only to retrieval directly from the ...
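The two questions above ("How to store salt?" and "How to securely hash passwords?") are really the same question seen from two sides, so here is one added example that serves both; it is not code from either question, nor the scheme the "How to store salt?" asker sketched. It shows what an unsalted fast hash loses (one precomputed table cracks every user at once, and equal passwords are visible as equal hashes) and what a per-user random salt plus a slow key-derivation function buys. The slow function used is PBKDF2-HMAC-SHA256 from the Python standard library, chosen only because it needs no third-party package; bcrypt, scrypt or Argon2 are the usual recommendations and slot into the same record layout. The record format `algo$iterations$salt$hash`, the iteration count (OWASP's current figure for PBKDF2-SHA256) and the sample accounts are all assumptions of this example.

```python
import hashlib
import hmac
import os

# Scheme parameters (assumed for this example; raise ITERATIONS as hardware improves).
ALGO = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32


def unsalted_sha256(password: str) -> str:
    """The weak scheme: one fast hash, no salt. Present only so it can be cracked below."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(stored: dict, wordlist) -> dict:
    """Without a salt one precomputed table serves every user in the database:
    the attacker pays one hash per candidate word, however many users there are."""
    table = {unsalted_sha256(w): w for w in wordlist}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'algo$iterations$salt_hex$hash_hex'.
    The salt is random per user and stored next to the hash; it is not a secret,
    it only makes every user's hash a separate cracking problem."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                             iterations, dklen=DKLEN)
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    algo, iters, salt_hex, hash_hex = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type {algo!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters), dklen=DKLEN)
    # Constant-time comparison so the verifier is not a timing oracle.
    return hmac.compare_digest(dk, bytes.fromhex(hash_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than now required.
    Check this after a successful login and re-hash with the plaintext just verified."""
    algo, iters, _, _ = record.split("$")
    return algo != ALGO or int(iters) < iterations


def crack_salted(records: dict, wordlist) -> dict:
    """With per-user salts there is no shared table: every (user, word) pair costs
    a full PBKDF2 run, so the attacker's work is users x words x iterations."""
    found = {}
    for user, rec in records.items():
        for w in wordlist:
            if verify_password(w, rec):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    # Constructed sample: three accounts, two sharing the same weak password.
    wordlist = ["123456", "password1", "letmein", "qwerty"]
    weak_db = {u: unsalted_sha256(p) for u, p in
               [("alice", "password1"), ("bob", "password1"), ("carol", "zebra-42-X")]}
    print("unsalted, cracked:", crack_unsalted(weak_db, wordlist))
    print("alice and bob share a hash:", weak_db["alice"] == weak_db["bob"])
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
```

Two things the record layout is doing deliberately: the algorithm and iteration count travel with each hash, so the work factor can be raised for new logins without a migration, and `needs_rehash` gives the login path a single place to notice old records. The salt goes in the same row as the hash; keeping it "somewhere secret" adds nothing if the attacker has the database, which is the only scenario password hashing defends against.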
60 votes, 13 answers, 5k views
VP of IT claims he unhashed 100% of all 16k employees' PWs. Is he lying to us?
I work for a company which has ~16,000 employees. Periodically, our VP of IT sends out a newsletter with "tech-tips" and misc IT stuff. The topic of this week's newsletter was "password security". ...
50 votes, 13 answers, 7k views
Why do sites implement locking after 3 failed password attempts?
I know the reasoning behind not letting infinite password attempts -- brute force attempts are not a meatspace weakness, but a problem with computer security -- but where did they get the number 3 ...
50 votes, 19 answers, 4k views
How can I avoid my password being harvested by key loggers from internet cafes?
During traveling, especially in poor countries, sometimes you are going to need to use the internet at an internet cafe and you really can't be sure whether anyone has installed anything to listen to ...
48 votes, 12 answers, 2k views
How do you log in from an unsecured computer?
Suppose that you are at a cybercafe, at a friend's home or at your work office, and you need to log in on a site, but you feel that the computer can not be trusted (e.g. your friend isn't ...
43 votes, 11 answers, 6k views
How reliable is a password strength checker?
I've tested the tool from Microsoft available here which tests password strength and rates them. For a password such as "i am going to have lunch tonight", the tool rates its strength as "BEST" and ...
41 votes, 5 answers, 5k views
Is sending password to user email secure?
How secure is sending passwords through email to a user, since email isn't secured by HTTPS.
What is the best way to secure it? Should I use encryption?