passwords – John the ripper output formatting

so I’m totally new here, just started taking a Security course…
I’m supposed to crack some passwords from an .lst file. I’ve done “john pwlist.lst > passwords.txt” which is outputting the files into my txt file… You already know this, so I’ll skip to the point. I’d like to make it such that when John is cracking the passwords encrypted with SHA224 it outputs them into the .txt file in the format {hash}:{password} – example: b13eaa5bcb49d6c7ff9106b61ea5dcc24a75835ae11183f4ab203929:go

security – How can I mitigate needing to change hundreds of Google passwords?

Google Chrome has been telling me about a security breach where passwords have been stolen from many websites and it’s telling me which of my saved passwords are at risk and that I should change them. That’s all good and well, but there are hundreds of them and it would take days of work to change them all manually (or delete the accounts). I made sure to change my passwords for sensitive accounts like ones that have to do with money, etc. but that’s not enough for Google.

Popup

I’ve heard that you should always keep passwords secure even if it’s a password for an account that a hacker couldn’t possibly do anything harmful with. As I understand it, the reasoning behind that idea is that people reuse passwords so getting a password for a harmless account could give someone access to more serious accounts. But that’s taken care of already, because all my serious accounts have unique passwords.

Google password settings

If it’s okay to leave some unimportant accounts unsecured, is there a way to flag those passwords as “safe” so that Google won’t keep bothering me to change the passwords? Alternatively, if there’s some reason I haven’t thought of that even low-impact accounts need to be secure, then is there a way to automate the process of changing the passwords on hundreds of different websites?

Please note that I have been using unique passwords for new accounts for years now. The problem applies to old accounts, which each need to be managed manually. Switching from Google Chrome to a different password manager would not help because the problem is in the compromised accounts and not the password manager.

(Note that I originally asked this on Super User: https://superuser.com/questions/1629437/how-can-i-mitigate-needing-to-change-hundreds-of-google-passwords)

How can I make this C++ code to obtain passwords more efficient?

Comments kind of explain it. Thanks for helping. The backspace character only moves the cursor back and doesn’t erase output, so I need to overwrite the characters with ' ' to delete them.

#include <conio.h>   // _kbhit() and _getche(): Windows console functions, not portable
#include <iostream>
#include <string>
using namespace std;

const string PASSWORD = "PASSWORD";

int main(int argc, char** argv) {
    string userkey = "";
    char c;
    int keystrokes = 0;

    cout << "Enter passkey: ";
    while (true) {
        if (_kbhit()) {
            c = _getche();
            if (c == '\r') {            // user hit enter; _getche() reports enter as '\r'
                cout << '\n';
                break;
            }
            else if (c == '\b') {       // user typed backspace: overwrite the echoed character
                cout << ' ';
                if (keystrokes == 1) {  // makes sure userkey is cleared
                    userkey = "";
                    keystrokes--;
                    cout << '\b';
                }
                else if (keystrokes != 0) {
                    userkey = userkey.substr(0, userkey.length() - 1); // cuts out last char of userkey
                    keystrokes--;
                    cout << '\b';
                }
            }
            else {
                cout << "\b*";          // replaces the echoed char with '*'
                keystrokes++;
                userkey += c;
            }
        }
    }
    //cout << userkey;
    if (userkey != PASSWORD)
        return 0;
    // the rest of the program (for a correct passkey) follows here
    return 0;
}

encryption – How are passwords stored in the database of a decentralized peer to peer system?

I want to use username and password instead of public key cryptography for a decentralized peer-to-peer application, but since the passwords are stored on users’ computers, there is a possibility of being stolen. How do I store the passwords securely?

And how do I give permission safely? How can I prevent someone else from gaining permission unfairly?

passwords – In Hashcat, how to generate combinator attacks consisting of more than two words (in length)?

I am trying to make a combinator attack using just one dictionary:

word1
word2
word3
word4
word5
...

And would like to try all 4-words-length permutations separated by commas:

word1,word2,word3,word4
word1,word3,word4,word2
word2,word3,word6,word1
...

magento2 – M2 Import customers with API with hashed passwords?

I can import customers with the API using /rest/all/V1/customers endpoint. I can also supply a password.

But is it possible to import a customer with a hashed password? If possible, how would I do that? To be clear, I just want to supply a hashed password in the request. It’s coming from Magento 1 and is MD5 hashed (which M2 supports).

I tried password_hash (named like the field in the table) instead, but that doesn’t work. The field stays NULL.

TL;DR

How can I import customers with hashed passwords with the API?

sql injection – How to connect to a MariaDB database after collecting data about users and passwords with a SQLI?

I’m trying to breach a dummy MariaDB database which is vulnerable to SQLI and is storing sensitive data about its users and their passwords. I’ve collected all the data I could collect, but now how am I supposed to connect to this database and tamper with it? I downloaded MySQL (MariaDB) and I was trying to connect to it by using Bash with this code:

mysql -h hostIPaddress -u username -D dbname -p

But I only get ERROR 2002 (HY000): Can't connect to MySQL server on hostIPaddress. What’s the correct procedure?

errors – Application passwords not working on localhost?

That error could happen if wp_is_application_passwords_available() returns false, and the docs say:

By default, Application Passwords is available to all sites using SSL
or to local environments. Use
‘wp_is_application_passwords_available’
to adjust its availability.

So, to enable the Application Passwords:

  • Enable SSL on your localhost,

  • Or define the WP_ENVIRONMENT_TYPE and set its value to local,

  • Or use the wp_is_application_passwords_available hook like so:

    add_filter( 'wp_is_application_passwords_available', '__return_true' );
    

email – What characters/length are supported in Mail.app IMAP passwords?

I use a password manager and created the password LX7mQW9Tw^V0$Ef2Ag#v*

    (* don't worry, that's not my password any more, keep reading)

My DNS / email provider accepted it and I could use it successfully to log in on their webmail app.

I followed their document on configuring (basic TLS-wrapped IMAP & SMTP) in Mail.app and kept running into trouble. Eventually, while verifying my password I got the bright idea to change it to something shorter and with less-special special characters. Finally, as the climax to about an hour of troubleshooting, it worked!

Now I want to add a note for account setup to help my people avoid this limitation in, apparently, Mail.app (or not, but that’s all the evidence I have so far).

So back to the question in the topic: Are there known limitations as to what characters or length Mail.app will support for IMAP accounts?

Thank you!

Getting Nerdy With Your Passwords: the Bitwarden Command Line Interface

Bitwarden is a cross-platform password manager that synchronizes between platforms (desktop, phone, tablet, etc.) and browsers.  Unlike many products, you can fully self-host Bitwarden.

You might enjoy reading our earlier piece on self-hosted Bitwarden.

Most people using Bitwarden need their passwords to fill in web sites and other online services.  But what if you want to access your passwords on the command line, perhaps because you need server access credentials?  Can do!

The command-line client is called ‘bw’. To install it, you need to set up the Node Package Manager:

apt install npm

Next, install the Bitwarden CLI:

npm install -g @bitwarden/cli

By default, bw will try to talk to bitwarden.com (the official Bitwarden server).  But if you’re self-hosted, you can configure it to talk to your server.

Type this command:

raindog308@client:~$ bw config server bitwarden.lowend.party
Saved setting `config`.

Now if you look in your home directory’s .config folder, you’ll see a “Bitwarden CLI” subdirectory.  In the data.json file in that directory, you’ll see that bw is configured for your server.

raindog308@client:~$ cat ".config/Bitwarden CLI/data.json"
{
  "installedVersion": "1.11.0",
  "environmentUrls": {
    "base": "https://bitwarden.lowend.party",
    "api": null,
    "identity": null,
    "webVault": null,
    "icons": null,
    "notifications": null,
    "events": null,
    "enterprise": null
  }
}

If you’re using the official bitwarden.com servers, this step is unnecessary.

Let’s login to our server.

raindog308@client:~$ bw login
? Email address: raindog308@raindog308.com
? Master password: (hidden)
You are logged in!

To unlock your vault, set your session key to the `BW_SESSION` environment variable. ex:
$ export BW_SESSION="xxxXXXxxx=="

> $env:BW_SESSION="xxxXXXxxx=="

You can also pass the session key to any command with the `--session` option. ex:
$ bw list items --session xxxXXXxxx==

You can take that export statement and execute it:

$ export BW_SESSION="xxxXXXxxx=="

Now you can use various bw commands.  You can also put that command in your .bash_profile and it will be executed every time you login, but be aware of the security tradeoffs.

Let’s see what items we have in our vault. They’ll come across as easily parsable JSON:

raindog308@client:~$ bw list items --pretty
[
  {
    "object": "item",
    "id": "2606ba51-8f15-42a8-a380-abe90177aa66",
    "organizationId": null,
    "folderId": null,
    "type": 1,
    "name": "lowendtalk.com",
    "notes": null,
    "favorite": false,
    "login": {
      "uris": [
        {
          "match": null,
          "uri": "https://www.lowendtalk.com"
        }
      ],
      "username": "raindog308",
      "password": "my-secret-LET-password",
      "totp": null,
      "passwordRevisionDate": null
    },
    "collectionIds": [],
    "revisionDate": "2020-06-29T22:47:45.373Z"
  }
]

If you only want one password:

raindog308@client:~$ bw get password lowendtalk.com
my-secret-LET-password

The CLI has many other useful commands. For example, you can search:

bw list items --search lowend --pretty

If you install the jq package via

apt install jq

you can then pull a single field out of that output easily:

bw get item lowendtalk.com | jq '.login.password'
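The JSON that bw emits is also what makes vault hygiene checks easy to script. As an added example (not from the article or the Bitwarden project), the Python script below reads a `bw list items` dump and reports passwords reused across items, logins saved against plain-http URIs, and logins with no TOTP configured, without ever printing a secret. It follows the item fields shown above; the embedded sample vault is constructed, the `type == 1` test is the login item type as it appears in that listing, and the assumption is that other item types carry no `login` block.

```python
import json
import sys
from collections import defaultdict

# Constructed sample in the shape of `bw list items` output (field names as shown
# in the article); every secret here is made up.
SAMPLE_ITEMS = json.dumps([
    {"object": "item", "id": "2606ba51-8f15-42a8-a380-abe90177aa66", "type": 1,
     "name": "lowendtalk.com",
     "login": {"uris": [{"match": None, "uri": "https://www.lowendtalk.com"}],
               "username": "raindog308", "password": "my-secret-LET-password",
               "totp": None}},
    {"object": "item", "id": "11111111-0000-0000-0000-000000000001", "type": 1,
     "name": "forum.example.test",
     "login": {"uris": [{"match": None, "uri": "http://forum.example.test"}],
               "username": "raindog308", "password": "my-secret-LET-password",
               "totp": None}},
    {"object": "item", "id": "11111111-0000-0000-0000-000000000002", "type": 1,
     "name": "bank.example.test",
     "login": {"uris": [{"match": None, "uri": "https://bank.example.test"}],
               "username": "andrew", "password": "Vyd6F*qhck@8*X4cFh!v9@D2r",
               "totp": "otpauth://totp/bank?secret=JBSWY3DPEHPK3PXP"}},
    {"object": "item", "id": "11111111-0000-0000-0000-000000000003", "type": 2,
     "name": "a secure note", "notes": "not a login"},
])

LOGIN_TYPE = 1  # "type": 1 is a login item in the listing shown in the article


def audit_vault(items_json):
    """Return hygiene findings for the login items in a `bw list items` dump.

    No secret is copied into the result: a reused password is reported only as
    the group of item names that share it.
    """
    items = json.loads(items_json)
    by_password = defaultdict(list)
    findings = {"logins": 0, "no_totp": [], "plain_http": [], "reused": []}
    for item in items:
        if item.get("type") != LOGIN_TYPE:
            continue  # assumption: notes, cards and identities carry no login block
        login = item.get("login") or {}
        findings["logins"] += 1
        if not login.get("totp"):
            findings["no_totp"].append(item["name"])
        for uri in login.get("uris") or []:
            if (uri.get("uri") or "").lower().startswith("http://"):
                findings["plain_http"].append(item["name"])
                break
        pw = login.get("password")
        if pw:
            by_password[pw].append(item["name"])
    findings["reused"] = sorted(
        sorted(names) for names in by_password.values() if len(names) > 1
    )
    return findings


def format_report(findings):
    """Render the findings as plain text (names only, never passwords)."""
    lines = [f"login items: {findings['logins']}"]
    for group in findings["reused"]:
        lines.append("password shared by: " + ", ".join(group))
    for name in findings["plain_http"]:
        lines.append(f"plain http uri: {name}")
    for name in findings["no_totp"]:
        lines.append(f"no totp configured: {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Real use: bw list items --session "$BW_SESSION" | python3 vault_audit.py
    # With nothing on stdin the constructed sample is audited instead.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_ITEMS
    print(format_report(audit_vault(data)))
```

Piping the live listing straight into the script keeps the decrypted vault in memory rather than on disk; if you do save a dump to a file for later processing, treat that file with the same care as the session key.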

You can generate passwords:

raindog308@client:~$ bw generate -ulns --length 25
Vyd6F*qhck@8*X4cFh!v9@D2r

In this example, the “-ulns” means “include upper, lower, numbers, symbols”.

The command-line docs outline many other things you can do with bw, or type bw --help for a quick overview.


raindog308

I’m Andrew, techno polymath and long-time LowEndTalk community Moderator. My technical interests include all things Unix, perl, python, shell scripting, and relational database systems. I enjoy writing technical articles here on LowEndBox to help people get more out of their VPSes.