Log in: username + password, or pin-code [closed]

For online services handling economic transactions, which login method has the best conversion rates:

  1. Username/e-mail and password
  2. E-mail/phone number and a link sent to the user (as Swedish Klarna https://www.klarna.com/se/ does)?

Does anybody know of research or studies regarding this? What are the results?

security – mask username and password in service file, or better approach

There are a couple of accepted practices.

  1. The old way. Use the OS to manage the user and run your program as an OS user. Let the OS manage the password safety, i.e. Windows service/IIS app pool/Linux… whatever.

  2. The new way. Use a configuration/service mesh such as Consul/Nomad: every service gets TLS and authentication pushed out to it and centrally managed, plus various DNS and gateway trickery.

  3. Various off-the-shelf products that essentially automate 1.

  4. Lock down the boxes and deploy the plaintext user/pass via a deployment tool which securely stores the info. Here the security boundary is the box, so you don’t let anyone log onto it except the deployment system, on which you implement your security.

  5. Boxes get SSL keys that authenticate whatever is running on them. You can get the username/pass, but it will only work from that box, limiting the problem.

Bad ways that people do anyway

  1. Two-way “encrypt” the username/password. Bad because, if the attacker can read the config, then they can presumably read the program files as well and hence decrypt the config.

  2. Have some central user repository that the box connects to, to get the latest password. Obviously the box needs authentication in order to connect to the central location, so once an attacker has that they can retrieve any password they like.

Overall, you are trying to limit your risk and attack surface. A plaintext password in config isn’t necessarily bad, as long as you have other security layers in place.

For example, your API has the database password, but:

  1. The box is secured, no one can log on and read the file
  2. The firewall only allows database connections from the API boxes
  3. The db user is specific to the APIs database
  4. The database user only has permissions needed by the API
  5. The password changes often

Now if the password leaks, an attacker still has to breach the other security controls before any information leaks.

The main thing you are trying to protect yourself from with these service passwords is internal attackers, or more probably, internal breaches of various data protection legislation audits.

i.e. the sysadmin team has root access to the box, the box has a plaintext DB password, the sysadmin can connect to the DB, and the password never changes.

You fill in the “who has access to personal information on the DB” question on your audit as “no-one”, but when you check the log you see the sysadmin logs in with the service user all the time to do maintenance because “everyone knows it”.

“That will never happen because we rot13 the password” will probably satisfy the auditor and your risk register, but it’s obfuscation rather than security.
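As an added illustration of point 1 in the answer above (the box is secured and nobody else can read the file), not code from the answer itself: a service that holds its DB password in a plaintext INI file and refuses to start unless that file is a regular file owned by the service user with no group/world permission bits. The `[database]`/`password` layout and the `example-not-a-real-secret` value are constructed for the demo, and the check assumes a Unix host (it uses `os.getuid`).

```python
import configparser
import os
import stat
import tempfile
from typing import Optional

class InsecureConfigError(Exception):
    """Raised when a credentials file is not locked down to the service owner."""

def check_config_permissions(path: str, expected_uid: int) -> None:
    """Refuse a credentials file unless it is a regular file, owned by the
    service user, and readable by nobody else (no group/other mode bits)."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise InsecureConfigError(f"{path} is not a regular file")
    if st.st_uid != expected_uid:
        raise InsecureConfigError(
            f"{path} is owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise InsecureConfigError(
            f"{path} is group/world accessible: mode {oct(stat.S_IMODE(st.st_mode))}")

def load_db_password(path: str, expected_uid: Optional[int] = None) -> str:
    """Return the [database] password from an INI file, after the permission check."""
    uid = os.getuid() if expected_uid is None else expected_uid
    check_config_permissions(path, uid)
    cp = configparser.ConfigParser()
    cp.read(path)
    return cp["database"]["password"]

def demo_load_with_mode(mode: int) -> Optional[str]:
    """Write a constructed sample config with the given file mode and try to load
    it; returns the password on success, None if the permission check rejected it."""
    with tempfile.NamedTemporaryFile("w", suffix=".ini", delete=False) as f:
        f.write("[database]\nhost = db.internal\nuser = api_svc\n"
                "password = example-not-a-real-secret\n")  # constructed sample
        path = f.name
    try:
        os.chmod(path, mode)
        return load_db_password(path)
    except InsecureConfigError:
        return None
    finally:
        os.unlink(path)

if __name__ == "__main__":
    print("0600:", demo_load_with_mode(0o600))  # password loads
    print("0644:", demo_load_with_mode(0o644))  # None: world-readable, refused
```

The check only enforces the file-level boundary; the other layers in the list (firewall, dedicated low-privilege DB user, rotation) are still needed.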

crash – Macbook big sur not asking for password after closing lid

This past month I noticed my MacBook Pro does not lock the screen after closing the lid. This happened twice in the past month. After the first time it happened, I did a fresh install and reset the SMC and NVRAM.

The problem occurred again today and the logs are filled with Google Chrome and launchd stuff from when the lid was supposedly closed. In the morning, after around 7 hours, I woke up to it unlocked and right where I left off.

Has anyone else experienced this before? What can I do? Is this a security issue?

How can I remove HDD data if the Windows password entered is the fake one?

How to perform a password attack on a file that already has MD5 user passwords for 100 users, using md5sum

I have a text file that contains the MD5 passwords of 100 users. I need to perform a dictionary attack to decrypt the passwords, if possible, using my rockyou.txt dictionary. Also, if I want to use a bash script to compute MD5 values using md5sum, how can that be done please?

upgrade – How to change password version by myself in oracle?

Oracle documentation (18c) says:

….

You must expire the users who have only the 10G password version, and do not have one or both of the 11G or 12C password versions.

For example:

ALTER USER username PASSWORD EXPIRE;

Ask the users whose passwords you expired to log in. When the users log in, they are prompted to change their passwords. The database generates the missing 11G and 12C password versions for their account, in addition to the 10G password version. The 10G password version continues to be present, because the database is running in the permissive mode.

But is there some way to do it myself (and keep using the same old password)?

password for cloud images?

What is the password for the "ubuntu" and/or "root" user on the cloud images?

I see this has gone unanswered for a while:
https://discourse.ubuntu.com/t/ubuntu-18-04-ova-cloud-username-password/8933

I am using the bionic OVA in this case:
https://cloud-images.ubuntu.com/bionic/current/bionic-server-cloudimg-amd64.ova

Here is someone using OpenStack who also needs the password:
Default username/password for Ubuntu Cloud image?