Questions tagged [passwords]

Specific to the security of passwords: hashing, entropy, cracking, resets, lockouts, etc.

A password is a secret word or string used to protect a resource by granting access only to those who hold it. Questions tagged [passwords] typically concern password strength and entropy, protection schemes such as hashing, appropriate password length and complexity rules, lockout systems, password self-reset functionality, etc.

Hashes for passwords

You should never store passwords in the clear.

As discussed at How to securely hash passwords and Password security: past, present, future, the following key derivation functions (rather than fast or unsalted raw hash functions) are recommended for storing passwords for later verification:

3907 questions
1268 votes, 22 answers

XKCD #936: Short complex password, or long dictionary passphrase?

How accurate is this XKCD comic from August 10, 2011? I've always been an advocate of long rather than complex passwords, but most security people (at least the ones that I've talked to) are against me on that one. However, XKCD's analysis seems…
Billy ONeal (2,688 reputation; 4 gold, 15 silver, 15 bronze badges)
926 votes, 11 answers

How to securely hash passwords?

If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database, and not any other type of attack, such as…
AviD (72,138 reputation; 22 gold, 136 silver, 218 bronze badges)
862 votes, 14 answers

What technical reasons are there to have low maximum password lengths?

I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites where I actually care about their security. I understand most people…
enderland (7,931 reputation; 3 gold, 12 silver, 14 bronze badges)
658 votes, 4 answers

Do any security experts recommend bcrypt for password storage?

On the surface bcrypt, an 11 year old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based on the initialization function used in the NIST approved blowfish algorithm seems almost too good to be true.…
Sam Saffron (6,665 reputation; 3 gold, 14 silver, 11 bronze badges)
618 votes, 23 answers

How does changing your password every 90 days increase security?

Where I work I'm forced to change my password every 90 days. This security measure has been in place in many organizations for as long as I can remember. Is there a specific security vulnerability or attack that this is designed to counter, or are…
Bill the Lizard (6,731 reputation; 4 gold, 19 silver, 28 bronze badges)
599 votes, 7 answers

How to store salt?

If you expect to store user password securely, you need to do at least the following: $pwd=hash(hash($password) + salt) Then, you store $pwd in your system instead of the real password. I have seen some cases where $pwd contains the salt itself. I…
George (6,177 reputation; 3 gold, 14 silver, 10 bronze badges)
543 votes, 11 answers

Is my developer's home-brew password security right or wrong, and why?

A developer, let's call him 'Dave', insists on using home-brew scripts for password security. See Dave's proposal below. His team spent months adopting an industry standard protocol using Bcrypt. The software and methods in that protocol are not…
nallenscott (4,699 reputation; 3 gold, 12 silver, 8 bronze badges)
468 votes, 13 answers

Are passwords stored in memory safe?

I just realized that, in any language, when you save a password in a variable, it is stored as plain text in the memory. I think the OS does its job and forbids processes from accessing each other's allocated memory. But I also think this is somehow…
Antoine Pinsard (4,597 reputation; 4 gold, 15 silver, 27 bronze badges)
296 votes, 10 answers

Why is Gbt3fC79ZmMEFUFJ a weak password?

On https://passwordsgenerator.net/, it says Examples of weak passwords: qwert12345, Gbt3fC79ZmMEFUFJ, 1234567890, 987654321, nortonpassword The first, third, and fourth examples are obviously weak. I can't, however, see what's weak about the…
EuRBamarth (2,261 reputation; 2 gold, 6 silver, 6 bronze badges)
265 votes, 7 answers

Password Hashing: add salt + pepper or is salt enough?

Please Note: I'm aware that the proper method for secure password storage hashing is either scrypt or bcrypt. This question isn't for implementation in actual software, it's for my own understanding. Related How to apply a pepper correctly to…
Jacco (7,402 reputation; 4 gold, 32 silver, 53 bronze badges)
262 votes, 4 answers

How does Google Authenticator work?

Google Authenticator is an alternative to SMS for 2Step verification, installing an app on Android where the codes will be sent. It works without any connectivity; it even works on plane mode. This is what I don't get. How is it possible that it…
256 votes, 8 answers

Why are salted hashes more secure for password storage?

I know there are many discussions on salted hashes, and I understand that the purpose is to make it impossible to build a rainbow table of all possible hashes (generally up to 7 characters). My understanding is that the random salted values are…
Tsyras (2,631 reputation; 3 gold, 11 silver, 7 bronze badges)
254 votes, 2 answers

Can ads on a page read my password?

Disclaimer: I have minimal web-dev/security knowledge so please answer as if talking to a "layman." I've heard that web-advertisements need to be able to run their own JavaScript so that they can verify they're being viewed by "real users." As this…
scohe001 (1,035 reputation; 2 gold, 7 silver, 13 bronze badges)
247 votes, 18 answers

Passwords being sent in clear text due to users' mistake in typing it in the username field

Upon reviewing the Logs generated by different SIEMs (Splunk, HP Logger Trial and the AlienVault platform’s SIEM) I noticed that for some reason quite a few users tend to make the mistake of typing their passwords in the username field, either in…
Lex (4,247 reputation; 4 gold, 19 silver, 27 bronze badges)
237 votes, 10 answers

Is "the oft-cited XKCD scheme [...] no longer good advice"?

I was stumbling around and happened onto this essay by Bruce Schneier claiming that the XKCD password scheme was effectively dead. Modern password crackers combine different words from their dictionaries: [...] This is why the oft-cited XKCD scheme…
Nick T (3,382 reputation; 4 gold, 21 silver, 28 bronze badges)