Best practice for hashing passwords – SHA256 or SHA512?

Switching to SHA512 will hardly make your website more secure. You should not write your own password hashing function. Instead, use an existing implementation. SHA256 and SHA512 are message digests; they were never meant to be password-hashing (or key-derivation) functions. (Although a message digest could be used as a building block for a KDF, such as …

What is md5() for?

You should have an encryption like md5 or sha512. You should also have two different salts, a static salt (written by you) and then also a unique salt for that specific password. Some sample code (e.g. registration.php): $unique_salt = hash('md5', microtime()); $password = hash('md5', $_POST['password'].'raNdoMStAticSaltHere'.$unique_salt); Now you have a static salt, which is valid for …

Enforcing password strength requirements with django.contrib.auth.views.password_change

I also went with a custom form for this. In urls.py specify your custom form: (r'^change_password/$', 'django.contrib.auth.views.password_change', {'password_change_form': ValidatingPasswordChangeForm}), Inherit from PasswordChangeForm and implement validation: from django import forms from django.contrib import auth class ValidatingPasswordChangeForm(auth.forms.PasswordChangeForm): MIN_LENGTH = 8 def clean_new_password1(self): password1 = self.cleaned_data.get('new_password1') # At least MIN_LENGTH long if len(password1) < self.MIN_LENGTH: raise forms.ValidationError("The new …

Should server/database config files, including passwords, be stored in source control?

There's no single "silver bullet" answer here and it would all greatly depend on details. First of all, I consider it best practice to separate all source code from configuration in a separate repository. So, source code remains source code, but its installation or deployment (with configuration, passwords, etc.) is a whole other thing. This way you'll …

Masking password input from the console: Java

A full example? Run this code: (NB: This example is best run in the console and not from within an IDE, since the System.console() method might return null in that case.) import java.io.Console; public class Main { public void passwordExample() { Console console = System.console(); if (console == null) { System.out.println("Couldn't get Console …

Changing the symbols shown in a HTML password field

Create your own font and use @font-face and font-family (and font-size) for input[type="password"]. It should help to solve your problem. But… you must create a font with replaced bullet and asterisk characters. All character numbers in the font may represent the same character. Use Google to find a free program to edit vector fonts. Never say "it is …

Base64 Authentication Python

The requests library has Basic Auth support and will encode it for you automatically. You can test it out by running the following in a Python REPL: import requests; from requests.auth import HTTPBasicAuth; r = requests.post(api_URL, auth=HTTPBasicAuth('user', 'pass'), data=payload) You can confirm this encoding by typing the following: r.request.headers['Authorization'] outputs: u'Basic c2RhZG1pbmlzdHJhdG9yOiFTRG0wMDY4'

Given a linux username and a password how can I test if it is a valid account? [closed]

You can validate that a given password is correct for a given username using the shadow file. On most modern distributions, the hashed passwords are stored in the shadow file /etc/shadow (which is only readable by root). As root, pull the line from the shadow file for the given user like so: cat /etc/shadow | …