passwords interview questions
Top passwords frequently asked interview questions
In Swing, the password field has a getPassword() (returns char[]) method instead of the usual getText() (returns String) method. Similarly, I have come across a suggestion not to use String to handle passwords.
Why does String pose a threat to security when it comes to passwords?
It feels inconvenient to use char[].
Source: (StackOverflow)
I'm currently using the following to generate an 8 character pseudo random upper case string [A-Z]
value = ""; 8.times{value << (65 + rand(25)).chr}
but it looks junky, and since it isn't a single statement it can't be passed as an argument. To get a mixed case string [a-zA-Z] I further hack into it with
value = ""; 8.times{value << ((rand(2)==1?65:97) + rand(25)).chr}
Just looks like trash. Anyone have a better method?
Source: (StackOverflow)
Every now and then I hear the advice "Use bcrypt for storing passwords in PHP, bcrypt rules".
But what is bcrypt? PHP doesn't offer any such functions, Wikipedia babbles about a file-encryption utility and Web searches just reveal a few implementations of Blowfish in different languages. Now Blowfish is also available in PHP via mcrypt, but how does that help with storing passwords? Blowfish is a general purpose cipher, it works two ways. If it could be encrypted, it can be decrypted. Passwords need a one-way hashing function.
What is the explanation?
Source: (StackOverflow)
We just upgraded our Visual Studio 2008 projects to Visual Studio 2010. All of our assemblies were strong signed using a Verisign code signing certificate. Since the upgrade we continuously get the following error:
Cannot import the following key file: companyname.pfx. The key file may be password protected. To correct this, try to import the certificate again or manually install the certificate to the Strong Name CSP with the following key container name: VS_KEY_3E185446540E7F7A
This happens on some developer machines and not others. Some methods used to fix this that worked some of the time include:
- Re-installing the key file from Windows Explorer (right click on the PFX file and click Install)
- Installing Visual Studio 2010 on a fresh machine for the first time prompts you for the password the first time you open the project, and then it works. On machines upgraded from Visual Studio 2008, you don't get this option.
I've tried using the SN.EXE utility (Strong Name Tool) to register the key with the Strong Name CSP as the error message suggests, but whenever I run the tool with any options using the version that came with Visual Studio 2010, SN.EXE just lists its command line arguments instead of doing anything. This happens regardless of what arguments I supply.
Why is this happening, and what are clear steps to fix it? I'm about to give up on ClickOnce installs and Microsoft code signing.
Source: (StackOverflow)
I am trying to generate a random password in php.
However I am getting all 'a's and the return type is of type array and I would like it to be a string. Any ideas on how to correct the code?
Thanks.
function randomPassword() {
$alphabet = "abcdefghijklmnopqrstuwxyzABCDEFGHIJKLMNOPQRSTUWXYZ0123456789";
for ($i = 0; $i < 8; $i++) {
$n = rand(0, count($alphabet)-1);
$pass[$i] = $alphabet[$n];
}
return $pass;
}
Source: (StackOverflow)
When connecting to a network share for which the current user (in my case, a network enabled service user) has no rights, name and password have to be provided.
I know how to do this with Win32 functions (the WNet* family from mpr.dll), but would like to do it with .Net (2.0) functionality.
What options are available?
Maybe some more information helps:
- The use case is a windows service, not an Asp.Net application.
- The service is running under an account which has no rights on the share.
- The user account needed for the share is not known on the client side.
- Client and server are not members of the same domain.
Source: (StackOverflow)
I have come across a problem with binding to a PasswordBox. It seems it's a security risk but I am using the MVVM pattern so I wish to bypass this. I found some interesting code here (has anyone used this or something similar?)
http://www.wpftutorial.net/PasswordBox.html
It technically looks great, but i am unsure of how to retrieve the password.
I basically have properties in my LoginViewModel for Username and Password. Username is fine and is working as it's a TextBox.
I used the code above as stated and entered this
<PasswordBox ff:PasswordHelper.Attach="True"
ff:PasswordHelper.Password="{Binding Path=Password}" Width="130"/>
When I had the PasswordBox as a TextBox and Binding Path=Password then the property in my LoginViewModel was updated.
My code is very simple, basically I have a Command for my Button. When I press it CanLogin is called and if it returns true it calls Login.
You can see I check my property for Username here which works great.
In Login I send along to my service a Username and Password, Username contains data from my View but Password is Null|Empty
private DelegateCommand loginCommand;
public string Username { get; set; }
public string Password { get; set; }
public ICommand LoginCommand
{
get
{
if (loginCommand == null)
{
loginCommand = new DelegateCommand(
Login, CanLogin );
}
return loginCommand;
}
}
private bool CanLogin()
{
return !string.IsNullOrEmpty(Username);
}
private void Login()
{
bool result = securityService.IsValidLogin(Username, Password);
if (result) { }
else { }
}
This is what I am doing
<TextBox Text="{Binding Path=Username, UpdateSourceTrigger=PropertyChanged}"
MinWidth="180" />
<PasswordBox ff:PasswordHelper.Attach="True"
ff:PasswordHelper.Password="{Binding Path=Password}" Width="130"/>
I have my TextBox, this is no problem, but in my ViewModel the Password is empty.
Am I doing something wrong or missing a step?
I put a breakpoint and sure enough the code enter the static helper class but it never updates my Password in my ViewModel.
Source: (StackOverflow)
I've always been curious... Which is better when salting a password for hashing: prefix, or postfix? Why? Or does it matter, so long as you salt?
To explain: We all (hopefully) know by now that we should salt a password before we hash it for storage in the database [Edit: So you can avoid things like what happened to Jeff Atwood recently]. Typically this is done by concatenating the salt with the password before passing it through the hashing algorithm. But the examples vary... Some examples prepend the salt before the password. Some examples add the salt after the password. I've even seen some that try to put the salt in the middle.
So which is the better method, and why? Is there a method that decreases the chance of a hash collision? My Googling hasn't turned up a decent analysis on the subject.
Edit: Great answers folks! I'm sorry I could only pick one answer. :)
Source: (StackOverflow)
I am creating an application that will store passwords, which the user can retrieve and see. The passwords are for a hardware device, so checking against hashes are out of the question.
What I need to know is:
How do I encrypt and decrypt a password in PHP?
What is the safest algorithm to encrypt the passwords with?
Where do I store the private key?
Instead of storing the private key, is it a good idea to require users to enter the private key any time they need a password decrypted? (Users of this application can be trusted)
In what ways can the password be stolen and decrypted? What do I need to be aware of?
Source: (StackOverflow)
Scenario: An interactive CLI Python program, that is in need for a password. That means also, there's no GUI solution possible.
In bash I could get a password read in without re-prompting it on screen via
read -s
Is there something similar for Python? I.e.,
password = raw_input('Password: ', dont_print_statement_back_to_screen)
Alternative: Replace the typed characters with '*' before sending them back to screen (aka browser' style).
Source: (StackOverflow)
How much more safe is this than plain MD5? I've just started looking into password security. I'm pretty new to PHP.
$salt = 'csdnfgksdgojnmfnb';
$password = md5($salt.$_POST['password']);
$result = mysql_query("SELECT id FROM users
WHERE username = '".mysql_real_escape_string($_POST['username'])."'
AND password = '$password'");
if (mysql_num_rows($result) < 1) {
/* Access denied */
echo "The username or password you entered is incorrect.";
}
else {
$_SESSION['id'] = mysql_result($result, 0, 'id');
#header("Location: ./");
echo "Hello $_SESSION[id]!";
}
Source: (StackOverflow)
When an EditText is in password mode, it seems that the hint is shown in a different font (courrier?). How can I avoid this? I would like the hint to appear in the same font that when the EditText is not in password mode.
My current xml:
<EditText
android:hint="@string/edt_password_hint"
android:layout_width="fill_parent"
android:layout_height="wrap_content"
android:password="true"
android:singleLine="true" />
Source: (StackOverflow)
I'm looking at hashing algorithms, but couldn't find an answer.
- Bcrypt uses Blowfish
- Blowfish is better than MD5
- Q: but is Blowfish better than SHA512?
Thanks..
Update:
I want to clarify that I understand the difference between hashing and encryption. What prompted me to ask the question this way is this article, where the author refers to bcrypt as "adaptive hashing"
https://www.nccgroup.trust/us/about-us/newsroom-and-events/blog/2007/july/enough-with-the-rainbow-tables-what-you-need-to-know-about-secure-password-schemes/
Since bcrypt is based on Blowfish, I was led to think that Blowfish is a hashing algorithm. If it's encryption as answers have pointed out, then seems to me like it shouldn't have a place in this article. What's worse is that he's concluding that bcrypt is the best.
What's also confusing me now is that the phpass class (used for password hashing I believe) uses bcrypt (i.e. blowfish, i.e. encryption). Based on this new info you guys are telling me (blowfish is encryption), this class sounds wrong. Am I missing something?
Source: (StackOverflow)
Is hashing a password twice before storage any more or less secure than just hashing it once?
What I'm talking about is doing this:
$hashed_password = hash(hash($plaintext_password));
instead of just this:
$hashed_password = hash($plaintext_password);
If it is less secure, can you provide a good explanation (or a link to one)?
Also, does the hash function used make a difference? Does it make any difference if you mix md5 and sha1 (for example) instead of repeating the same hash function?
Note 1: When I say "double hashing" I'm talking about hashing a password twice in an attempt to make it more obscured. I'm not talking about the technique for resolving collisions.
Note 2: I know I need to add a random salt to really make it secure. The question is whether hashing twice with the same algorithm helps or hurts the hash.
Source: (StackOverflow)
I need to implement 256 bit AES encryption, but all the examples I have found online use a "KeyGenerator" to generate a 256 bit key, but I would like to use my own passkey. How can I create my own key? I have tried padding it out to 256 bits, but then I get an error saying that the key is too long. I do have the unlimited jurisdiction patch installed, so thats not the problem :)
Ie. The KeyGenerator looks like this ...
// Get the KeyGenerator
KeyGenerator kgen = KeyGenerator.getInstance("AES");
kgen.init(128); // 192 and 256 bits may not be available
// Generate the secret key specs.
SecretKey skey = kgen.generateKey();
byte[] raw = skey.getEncoded();
Code taken from here
EDIT
I was actually padding the password out to 256 bytes, not bits, which is too long. The following is some code I am using now that I have some more experience with this.
byte[] key = null; // TODO
byte[] input = null; // TODO
byte[] output = null;
SecretKeySpec keySpec = null;
keySpec = new SecretKeySpec(key, "AES");
Cipher cipher = Cipher.getInstance("AES/CBC/PKCS7Padding");
cipher.init(Cipher.ENCRYPT_MODE, keySpec);
output = cipher.doFinal(input)
The "TODO" bits you need to do yourself :-)
Source: (StackOverflow)