Questions tagged [credentials]

In a security context, credentials are elements that prove your identity to a system, for example a username and password or a client-side certificate. The term usually describes elements supplied by the authenticating client, not those a server presents when it authenticates to the client or in mutual authentication schemes.

187 questions
151 votes, 12 answers

Do I need to encrypt connections inside a corporate network?

Provided that I have a decent level of physical security in the office, I monitor the physical addresses of devices connected to the network and only give VPN access to trusted parties, do I need to encrypt access to intranet resources over HTTP?…
Robert Cutajar
147 votes, 8 answers

How should I set up emergency access to business-critical secrets in case I am "hit by a bus"?

I work as the primary developer and IT administrator for a small business. I want to ensure that business can continue even if I suddenly become unavailable for some reason. Much of what I do requires access to a number of servers, (through…
AndrewSwerlick
127 votes, 8 answers

Why is storing passwords in version control a bad idea?

My friend just asked me: "why is it actually that bad to put various passwords directly in a program's source code, when we only store it in our private Git server?" I gave him an answer that highlighted a couple of points, but felt it wasn't…
115 votes, 13 answers

Is it good or bad practice to allow a user to change their username?

I have looked all over online as well as this site to try to find out more information regarding the security of this, but haven't found anything. In my particular case, the product is a website, but I think this question applies for any software…
46 votes, 5 answers

Reasons to place a time limit on entering login credentials?

A service I use has a time limit (seemingly fairly short - 10-20 seconds maybe) on entering credentials at the login webpage. Attempting to log in after this period gives the below message: [For security reasons, users are required to enter their…
BlueCompute
39 votes, 2 answers

How should an application store its credentials

Context: When developing desktop applications, you will occasionally have to store credentials somewhere to be able to authenticate your application. An example of this is a Facebook app ID + secret, another one is MySQL credentials. Storing these…
Zar
30 votes, 6 answers

The most secure way to handle someone forgetting to verify their account?

Suppose we send out an email verification to new subscribers where they have to click on a link to verify their account. Suppose they forget to verify it, and later try to log in. Should the error message say "Your user name or password is…
20 votes, 3 answers

How to handle emails as usernames under GDPR?

Using emails as usernames for webapps is a convenient way to avoid the "yet another online username" problem. As such, by using this approach, the emails should be easily available in the backend to do user/pass checks. However, in the context of…
19 votes, 2 answers

How secure is the Windows Credential Manager?

I'm a Lastpass user and many times I thought about switching to the Credential Manager, for auto sync and a certain comfort with the Windows environment. The only thing that I'm worried about is its security. I heard that it's quite easy for someone…
user106781
12 votes, 1 answer

Why store a salt alongside the hashed password?

I understand the need to protect credentials with hashes that are expensive and to use cryptographically random salts. What I would like to understand is why you would store the salt alongside the hash in the database; does this not defeat the…
whoami
10 votes, 1 answer

Where should I store a refresh token

I'm building an OAuth 2.0 protocol. I'm wondering how the refresh token works exactly. My understanding is that the use of a refresh token enables short-lived access tokens and therefore limits the vulnerability of those access tokens. Great, so…
Guig
9 votes, 3 answers

Protection of eduroam credentials

Recently my educational institution officially switched over from their own wireless network to eduroam. If I understand correctly from the FAQ, credential authentication is performed on the servers at my educational institution no matter where…
rink.attendant.6
9 votes, 1 answer

How to read password from Windows credentials?

What is the cipher used by Windows Credential Manager to generate credentials backup files (*.crd)? With a backup file from Credential Manager and the password used to create that backup file, is it possible to decipher the file and read the stored…
Pedro Custódio
9 votes, 4 answers

Where should a team store server credentials

Imagine we are working in a team of around 5 people. We all install new servers on a monthly basis and need to find a better way of storing and sharing the server credentials (offline location/web address, root login, db login, ...) somewhere where the…
Preexo
8 votes, 2 answers

Are userid and password needed in order to pentest a website?

We are a company that has many web applications developed in ASP.NET. Our Internet service provider (Telefonica) wants to test our web sites looking for vulnerabilities. For that, they are asking us to provide them credentials (read-only access) for…
Delmonte