Questions tagged [password-management]
The functions performed by the person or processes responsible for security of passwords on a given system.
1,346 questions
0 votes
0 answers
20 views
Are secrets from automatically unlocked keychain in Ubuntu 24.04 Seahorse accessible for any application?
I am familiarizing myself with Ubuntu 24.04 and Seahorse. I recently connected to a password-protected network drive, and the password is now stored in my "login" keyring, which is encrypted with ...
11 votes
2 answers
5k views
Why aren't passwords also hashed on client side on desktop applications?
My understanding of the standard best practice way to handle passwords is: Establish a secure encrypted connection between client and server. Client sends password in plaintext over this encrypted ...
14 votes
3 answers
4k views
Security implications to removing delay on empty passwords?
Login prompts on many systems (like Ubuntu) have a delay if an incorrect password is used. I understand this is to inhibit brute force attacks. Would there be any security implications to having no ...
8 votes
3 answers
3k views
Password change frequency for technical accounts
It has become clear that asking users to regularly change their passwords does not improve security, and has thus been forbidden e.g. by NIST and BSI. Does this advice also apply for technical ...
0 votes
1 answer
112 views
Reasonable model for storing credentials for use in scripts
I was reading question 180243 which states that using a password vault is the best option for credential storage. However this is rather cumbersome to set up. For a lower security use case (so no PII ...
1 vote
2 answers
169 views
Why is using a password manager considered a good practice? [duplicate]
I don't understand why people recommend password managers. If my password that I reuse for websites a,b,c gets acquired somehow, then my credentials for websites a,b,c are compromised. On the other ...
2 votes
1 answer
386 views
What's the best method of securing keys/passwords used by a PowerShell script that runs when no user is logged in, using only one server, for free?
I have a server set up to run a PowerShell script every 15 minutes. This script needs to make API requests with keys and passwords. The script runs even when no user is logged in, so encryption based ...
0 votes
1 answer
115 views
Encryption password in program, to secure its centrally-stored settings?
I was thinking of implementing this in software, starting with one password, with each new release being derived from that initial password. (trying to find the name of this technique, I think it's ...
0 votes
1 answer
148 views
Why is "not storing data protection keys" not a popular choice?
In the NIST SP 800-132, they specified two ways to use the data protection key (DPK) that is derived from a password. One of them is to use the DPK to encrypt data, and then, if I am not mistaken, ...
1 vote
2 answers
175 views
Are router admin-panel passwords hashed? Do they need to be?
Are router admin-panel passwords hashed? Do they need to be? Am I right to think that the only way an attacker could extract a router password (hashed or not) from the router is to have physical ...
19 votes
7 answers
6k views
Is it secure to block passwords that are too similar to other employees' old passwords?
At my work, they don’t like different employees having ‘partially matching passwords.’ I had never thought anything of it before, but just now I realised what this means (or might mean.) When I ...
1 vote
2 answers
840 views
What's the safest way to store 2FA/MFA secret key in database?
I try to implement a secure user login in my .NET application. The first password is hashed with argon2id. The salt and the hashed password are stored in a database. SSL encryption and HttpOnly Cookie ...
1 vote
2 answers
506 views
Why shouldn't I use the OAuth password grant if I have to implement a custom username+password login anyway?
I'm building a web REST API. Users must be able to authenticate themselves to this API. I don't know ahead of time which clients will want to use the API. I want to allow for the possibility of anyone ...
23 votes
4 answers
10k views
What's the safest way to store a password in database?
I read that a password and a salt need to be combined and then hashed. You save the result and the salt in plaintext. Is it a good practice to use the username as a salt? Why and why not? I also read ...
0 votes
0 answers
49 views
Difference between password managers and APFS encrypted containers
How do password managers and encrypted containers differ in how they handle data in encrypted and decrypted state? Do password managers typically store data in decrypted state only in memory, while ...