credentials interview questions
Top credentials frequently asked interview questions
I have android application that has hard coded (static string constants) credentials (user/pass) for sending emails via SMTP.
The problem is that .dex file in .apk can be easily reverse-engineered and everybody can see my password.
Is there a way how to secure these credentials, while i will still be able to use them in my classes?
Source: (StackOverflow)
I am creating an application which connects to the server using username/password and I would like to enable the option "Save password" so the user wouldn't have to type the password each time the application starts.
I was trying to do it with Shared Preferences but am not sure if this is the best solution.
I would appreciate any suggestion on how to store user values/settings in Android application.
Source: (StackOverflow)
I'm working with several repositories, but lately I was just working in our internal one and all was great.
Today I had to commit and push code into other one but I'm having some troubles.
$ git push appharbor master
error: The requested URL returned error: 403 while accessing https://gavekortet@appharbor.com/mitivo.git/info/refs?service=git-receive-pack
fatal: HTTP request failed
there is nothing I can do, that would bring the password entry again.
How can I reset the credentials on my system so Git will ask me for the password of that repo?
I have tried:
git config --global --unset core.askpass
in order to unset the password
git config credential.helper 'cache --timeout=1'
in order to avoid credentials cache...
Nothing seam to work, does anyone have a better idea?
Source: (StackOverflow)
Is it possible to setup a JDBC connection to Oracle without providing username/password information in a configuration file (or in any other standard readable location)?
Typically applications have a configuration file that contains setup parameters to connect to a database. Some DBAs have problems with the fact that usernames and passwords are in clear text in config files.
I don't think this is possible with Oracle and JDBC, but I need some confirmation...
A possible compromise is to encrypt the password in the config file and decrypt it before setting up the connection. Of course, the decryption key should not be in the same config file. This will only solve accidental opening of the config file by unauthorized users.
Source: (StackOverflow)
I want to securely store a plaintext password on Windows PC. I am currently using DPAPI CryptProtectData to encrypt it, then store the encrypted blob in a file in user's local AppData.
In Windows 7, there is Windows Vault, a credential manager (Control Panel\User Accounts and Family Safety\Credential Manager) that stores logon data for a variety of logon types, including "generic credential". On the surface this looks like the right place for a program to store credentials. However, I was not able to find any API for it. I read Authentication function reference in MSDN, but frankly got lost in it.
Is there an API to Windows Vault to store and retrieve credentials from a program, and, if yes, where can I find documentation?
Source: (StackOverflow)
We're having a hard time figuring how these credentials objects work. In fact, they may not work how we expected them to work. Here's an explanation of the current issue.
We got 2 servers that needs to talk with each other through webservices. The first one (let's call it Server01) has a Windows Service running as the NetworkService account. The other one Server02 has ReportingServices running with IIS 6.0. The Windows Service on Server01 is trying to use the Server02 ReportingServices WebService to generate reports and send them by email.
So, here's what we tried so far.
Setting the credentials at runtime (This works perfectly fine):
rs.Credentials = new NetworkCredentials("user", "pass", "domain");
Now, if we could use a generic user all would be fine, however... we are not allowed to. So, we are trying to use the DefaultCredetials or DefaultNetworkCredentials and pass it to the RS Webservice:
rs.Credentials = System.Net.CredentialCache.DefaultNetworkCredentials
Or:
rs.Credentials = System.Net.CredentialCache.DefaultCredentials
Either way won't work. We're always getting 401 Unauthrorized from IIS. Now, what we know is that if we want to give access to a resource logged as NetworkService, we need to grant it to DOMAIN\MachineName$ (http://msdn.microsoft.com/en-us/library/ms998320.aspx):
Granting Access to a Remote SQL Server
If you are accessing a database on another server in the same domain (or in a trusted domain), the Network Service account's network credentials are used to authenticate to the database. The Network Service account's credentials are of the form DomainName\AspNetServer$, where DomainName is the domain of the ASP.NET server and AspNetServer is your Web server name.
For example, if your ASP.NET application runs on a server named SVR1 in the domain CONTOSO, the SQL Server sees a database access request from CONTOSO\SVR1$.
We assumed that granting access the same way with IIS would work. However, it does not. Or at least, something is not set properly for it to authenticate correctly.
So, here are some questions:
We've read about "Impersonating Users" somewhere, do we need to set this somewhere in the Windows Service ?
Is it possible to grant access to the NetworkService built-in account to a remote IIS server ?
Thanks for reading!
Source: (StackOverflow)
I have a WCF service using BasicHttpBinding with Windows authentication.
Most clients are domain accounts and connect to the service using their default credentials.
Now I want to connect to the service from an ASP.NET client that is running under a local account. I want to connect to the WCF service using windows credentials (domain\user and password) that are available to the ASP.NET application.
I know I can do this in code using ClientBase<T>.ClientCredentials.
Is there a way to specify the credentials (domain\user and password) in the client's web.config file so I don't have to change the code?
EDIT
If it can't be done in the configuration file, is there a way of using System.Net.ICredentials or System.Net.NetworkCredential as a credential for a WCF service?
The .NET Framework provides these as a homogenous way to provide network credentials, but with WCF this seems to have been thrown out in favour of a new incompatible system based on the unrelated System.ServiceModel.Description.ClientCredentials class.
EDIT 2
Accepting Marc's answer to the original question - it seems there is no way to do this in the client configuration file :(
I would see this as a deficiency in WCF - I don't accept that Microsoft should be deliberately discouraging us from putting credentials in the configuration file - after all they have to be stored somewhere, and the Framework includes facilities for encrypting the config file. I guess I could create a custom BehaviorExtensionElement for this, but it ought to be available out of the box.
It's also a bit inconsistent: the system.net/mailSettings/smtp/network configuration element allows credentials to be specified, so why not WCF?
Regarding the second question about using System.Net.NetworkCredential, it seems from this blog that it is possible, at least when using Windows authentication, with the following code:
factory.Credentials.Windows.ClientCredential =
new System.Net.NetworkCredential(name, password, domain);
Source: (StackOverflow)
I was doing something like described in this post to save credentials in a secured file so our automated process can use that to run remote PS scripts via Invoke-command:
http://blogs.technet.com/b/robcost/archive/2008/05/01/powershell-tip-storing-and-using-password-credentials.aspx
This works great when I run this under my account - password is read from encrypted file, passed to Invoke-command and everything is fine.
Today, when my script was ready for its prime time, I tried to run it under windows account that will be used by automated process and got this error below while my script was trying to read secured password from a file:
ConvertTo-SecureString : Key not valid for use in specified state.
At \\remoted\script.ps1:210 char:87
+ $password = get-content $PathToFolderWithCredentials\pass.txt | convertto-sec
urestring <<<<
+ CategoryInfo : InvalidArgument: (:) [ConvertTo-SecureString], C
ryptographicException
+ FullyQualifiedErrorId : ImportSecureString_InvalidArgument_Cryptographic
Error,Microsoft.PowerShell.Commands.ConvertToSecureStringCommand
Asked my workmate to run under his account and he got the same error.
This is the code I am using to save credentials:
$PathToFolderWithCredentials = "\\path\removed"
write-host "Enter login as domain\login:"
read-host | out-file $PathToFolderWithCredentials\login.txt
write-host "Enter password:"
read-host -assecurestring | convertfrom-securestring | out-file $PathToFolderWithCredentials\pass.txt
write-host "*** Credentials have been saved to $pathtofolder ***"
This is the code in the script to run by automated process to read them to use in Invoke-command:
$login= get-content $PathToFolderWithCredentials\login.txt
$password = get-content $PathToFolderWithCredentials\pass.txt | convertto-securestring
$credentials = new-object -typename System.Management.Automation.PSCredential -argumentlist $login,$password
Error happens on line $password = get-content $PathToFolderWithCredentials\pass.txt | convertto-securestring
Any ideas?
Source: (StackOverflow)
I simply want to query the Credentials Store (or Vault as it is called in Win8) and get the login data. The MSDN is really unhelpful in this case and I also do not want any C++ pInvoke approaches.
I know that similar questions have been asked here a few times, but none of those solutions work in my case. I do not use Metro App programming so things like PasswordVault are (as it looks) not available. I just create a simple C# WPF Desktop application.
Ideally it should work in several Windows versions, but Win8 is prefered.
More specifically I want to query the stored data from the CRM plugin for Outlook to automatically have my app log in to the CRM Server without having the User to ask for his Credentials. That means, if this is even possible...
So how do I access the Windows Credentials Store?
Source: (StackOverflow)
Oracle's "Http Authentication" page from the Java SE 6 documentation says that "if you are running on a Windows machine as a domain user, or, you are running on a Linux or Solaris machine that has already issued the kinit command and got the credential cache" then the instance passed to Authenticator.setDefault() "will be completely ignored".
This matches what I observed: setting up an HTTP or HTTPS connection on a Windows system to host X always passes the credentials for host X from the 'Windows Credentials' of the 'Windows Vault', as seen in my Windows 7 'Credential Manager' Control Panel page.
However, in my use case I don't want to use any credentials which might be stored by Windows, but instead I always want to use credentials I explicitly specify in the code.
Is there a way to override the documented behavior, i.e., is there a way to ignore the credentials stored by Windows?
Update: If not, could someone point me to a place in the Java SE 6 source code where I can see that the stored Windows credentials cannot be ignored?
Source: (StackOverflow)
I'm creating a site which will make use of ID's, Passwords, and API Keys to other 3rd party sites - for the server to access information accordingly. For the purpose of this conversation, let's assume it is for a payment gateway - meaning exposure of this information that is stored in the DB could mean a malicious user could withdraw cash from the account whose credentials were leaked.
Unfortunately this isn't like a password / hashing situation, because the user does not input the credentials every time - they input it once and it is then saved on the server for future use by the application.
The only reasonable method that I can come up with (this will be a MySQL/PHP application), is to encrypt the credentials via a hardcoded "password" in the PHP application. The only benefit here is that if the malicious user/hacker gains access to the database, but not the PHP code, they still have nothing. That said, this seems pointless to me because I think we can reasonably assume that a hacker will get everything if they get one or the other - right?
If the community decides upon some good solutions, it would be nice to gather other sources to examples/tutorials/more in depth information so that this can be implemented in the future for everyone.
I was surprised I did not see this question with any good answers on stack already. I did find this one, but in my case this doesn't really apply: How should I ethically approach user password storage for later plaintext retrieval?
Thanks all.
Source: (StackOverflow)
I've updated the Subversion plugin of jenkins to version 2.2
Now i get following error for repos which build the first time after the upgrade and for repos where something within an external changed. It works for all other builds as expected.
I tried to add additional credentials but this did not help.
Now i hope someone has an idea what else can be tried to fix this annyoing issue.
The error:
hudson.util.IOException2: revision check failed on http://XXX/svn/XXX/Website/Config/trunk
at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:189)
at hudson.scm.SubversionChangeLogBuilder.run(SubversionChangeLogBuilder.java:132)
at hudson.scm.SubversionSCM.calcChangeLog(SubversionSCM.java:738)
at hudson.scm.SubversionSCM.checkout(SubversionSCM.java:899)
at hudson.model.AbstractProject.checkout(AbstractProject.java:1411)
at hudson.model.AbstractBuild$AbstractBuildExecution.defaultCheckout(AbstractBuild.java:671)
at jenkins.scm.SCMCheckoutStrategy.checkout(SCMCheckoutStrategy.java:88)
at hudson.model.AbstractBuild$AbstractBuildExecution.run(AbstractBuild.java:580)
at hudson.model.Run.execute(Run.java:1670)
at hudson.model.FreeStyleBuild.run(FreeStyleBuild.java:46)
at hudson.model.ResourceController.execute(ResourceController.java:88)
at hudson.model.Executor.run(Executor.java:231)
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: OPTIONS /svn/XXX/Website/Config/trunk failed
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:384)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:373)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:361)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.performHttpRequest(DAVConnection.java:707)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.exchangeCapabilities(DAVConnection.java:627)
at org.tmatesoft.svn.core.internal.io.dav.DAVConnection.open(DAVConnection.java:102)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.openConnection(DAVRepository.java:1020)
at org.tmatesoft.svn.core.internal.io.dav.DAVRepository.getLatestRevision(DAVRepository.java:180)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.getRevisionNumber(SvnNgRepositoryAccess.java:118)
at org.tmatesoft.svn.core.internal.wc2.SvnRepositoryAccess.getLocations(SvnRepositoryAccess.java:148)
at org.tmatesoft.svn.core.internal.wc2.ng.SvnNgRepositoryAccess.createRepositoryFor(SvnNgRepositoryAccess.java:45)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:160)
at org.tmatesoft.svn.core.internal.wc2.remote.SvnRemoteLog.run(SvnRemoteLog.java:35)
at org.tmatesoft.svn.core.internal.wc2.SvnOperationRunner.run(SvnOperationRunner.java:20)
at org.tmatesoft.svn.core.wc2.SvnOperationFactory.run(SvnOperationFactory.java:1238)
at org.tmatesoft.svn.core.wc2.SvnOperation.run(SvnOperation.java:294)
at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:967)
at org.tmatesoft.svn.core.wc.SVNLogClient.doLog(SVNLogClient.java:872)
at hudson.scm.SubversionChangeLogBuilder.buildModule(SubversionChangeLogBuilder.java:177)
... 11 more
Caused by: org.tmatesoft.svn.core.SVNCancelException: svn: E200015: No credential to try. Authentication failed
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:37)
at org.tmatesoft.svn.core.internal.wc.SVNErrorManager.cancel(SVNErrorManager.java:32)
at org.tmatesoft.svn.core.internal.wc.DefaultSVNAuthenticationManager.getFirstAuthentication(DefaultSVNAuthenticationManager.java:185)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection._request(HTTPConnection.java:694)
at org.tmatesoft.svn.core.internal.io.dav.http.HTTPConnection.request(HTTPConnection.java:382)
... 29 more
Source: (StackOverflow)
git-credential-winstore works perfect with github and bitbucket repositories, but the prompt does not pop up while working with self hosted repositories. I can' t see what the problem is.
I' ve tried :
git config --global credential.helper winstore
via console
[credential]
helper = winstore
in gitconfig and created and stored the credentials manualy. Without success.
Can anyone point me to te right direction please? Im using Win7.
Best regards.
Source: (StackOverflow)
If I want to store the username and password to be used inside an Android application, what is the best way to do it? Is it through the preferences screen (but what if the user misses this?), or pop up a dialog box and ask the user for the credentials? If so, I do have to maintain state for the application. How would I do this?
Source: (StackOverflow)