Questions tagged [passwords]
Specific to the security of passwords: hashing, entropy, cracking, resets, lockouts, etc.
4,080 questions
4 votes | 2 answers | 656 views
Are truncated SHA-256 hashes safe enough when collisions are not a risk?
Apologies if this is a duplicate; I'm having trouble even finding the right words for it. As far as I am aware, password authentication usually works in a way that the server stores a hash of the ...
2 votes | 0 answers | 49 views
Why can't a Cognito user in the FORCE_CHANGE_PASSWORD state go through the forgot password flow?
If an AWS Cognito User Pool user is in the FORCE_CHANGE_PASSWORD state, they won't be able to go through the "forgot your password" flow to get a password-reset confirmation code. Why not? ...
11 votes | 2 answers | 5k views
Why aren't passwords also hashed on client side on desktop applications?
My understanding of the standard best practice way to handle passwords is: Establish a secure encrypted connection between client and server. Client sends password in plaintext over this encrypted ...
3 votes | 1 answer | 194 views
SHA-256: thoughts and experiment
Take the following sequence, for example: hello! = string a; SHA-256 of a: ce06092fb948d9ffac7d1a376e404b26b7575bcc11ee05a4615fef4fec3a308b = b; SHA-256 of b: ...
3 votes | 1 answer | 390 views
What does the parallelism parameter in memory-hard password hashing algorithms adjust?
When I change the parallelism parameter on Scrypt or on Argon2, which processing unit's threads do I influence? The CPU's threads? The GPU's threads? How does this all work?
14 votes | 3 answers | 4k views
Security implications to removing delay on empty passwords?
Login prompts on many systems (like Ubuntu) have a delay if an incorrect password is used. I understand this is to inhibit brute force attacks. Would there be any security implications to having no ...
8 votes | 2 answers | 4k views
Is password-based encryption better than traditional password hashing?
I have a theoretical question regarding the comparison of password-based encryption and password hashing. Not sure if Stack Overflow or Crypto is the best place, but this is more on the side of ...
0 votes | 1 answer | 84 views
How many passphrases should I use? [closed]
I have a password manager, an email, two computers with full disk encryption, their corresponding encrypted backup (two in total) on an external disk and user. How many passphrases should I use? I was ...
8 votes | 3 answers | 3k views
Password change frequency for technical accounts
It has become clear that asking users to regularly change their passwords does not improve security, and it has thus been discouraged, e.g. by NIST and BSI. Does this advice also apply to technical ...
1 vote | 2 answers | 112 views
How can you check a password for similarities if you don't know the password, since password hashing is one-way? For example, you forget your password
For example, you forget your password. How can you change the password with forget password? For example, if you don't have an email associated with that account yet. I was thinking of asking the user ...
5 votes | 1 answer | 1k views
Doesn't saving an SSH passphrase (as suggested by GitHub) negate the security benefits of using a passphrase?
From GitHub Docs: With SSH keys, if someone gains access to your computer, the attacker can gain access to every system that uses that key. To add an extra layer of security, you can add a passphrase ...
0 votes | 1 answer | 163 views
Most hacker-proof login page
I'm trying to think of a way to create the most hacker-proof login system that only I can get into. Currently my login page consists only of a password box and a button to submit data. It's run on an ...
21 votes | 7 answers | 8k views
Is it viable to defend against brute force attacks by rejecting correct passwords?
(found on reddit) [translation: the website is programmed to reject the login if it is the correct password and if it is the first login attempt] Assume that the scheme is to reject the first correct ...
0 votes | 1 answer | 112 views
Reasonable model for storing credentials for use in scripts
I was reading question 180243, which states that using a password vault is the best option for credential storage. However, this is rather cumbersome to set up. For a lower-security use case (so no PII ...
11 votes | 4 answers | 7k views
Why does one have to hit enter after typing one's Windows password to log in, while one doesn't have to hit enter after typing one's PIN?
I've noticed that on Windows 10, one has to hit enter after typing one's Windows password to log in, while one doesn't have to hit enter after typing one's PIN. Is there a security reason for it? Typing one's ...