how can I make a login form that will remember the user so that he does not have to log in next time.
Some more information would be nice but if you want to use a database for this then you would have to create a entry for the user information last entered.
And then on reopening the programm you would check if there are any entrys and if yes load it.
But I think that writing the login information to a file on you pc would be a lot easier. So you run the steps from above just writing to a file instead of a database.
I am not sure how you would make this secure because you can't really encrypt the password because you would need a password or key of some type and that password or key would be easy to find in the source code especially in python. It would be harder to find in other compiler based programming languages but also somewhere. And if you would use a database you would have a password for that but that would also lay on the hardrive if not encrypted otherwise but there we are where we started.
So as mentioned above a database would be quite useless for a task like this because it doesn't improve anything and is a hassle for beginners to setup.
Related
We have a high amount of user and I need to update the password and the current process is going to Administration manager, then search for the user and change the password, so I want to know if there is a way to do it on a batch using a script that call an external file to get the password and user that I need to change I mean like having a list and then export it to spotfire
unfortunately I can't find a way to batch update users in Spotfire Server. if you needed to import a bunch of new users, you could use the command line interface, but it doesn't look like the import-users command will "overwrite" existing users (it should report an error when trying to add a new user who already exists).
I believe the password field in the Spotfire database is Base64 encoded, so you could theoretically run a database update query but this is really dangerous and may wreck your database. if you try anything like this, be sure to work in a test environment and be doubly sure that you have backups!
my recommendation is to use something like LDAP. the Spotfire database is not really designed to administer large number of users, or at least it doesn't seem that way from an administrator's perspective.
I am writing selenium (seleno) scripts to test a c# MVC web application which requires users to log in. At the moment the username and password are hard-coded into the script but I need to make sure the password is protected before I can commit the scripts to our code repository.
The scripts will be run autonomously through CI (TeamCity) so the password must be available to the program without any human input.
In terms of security requirements, the password is common knowledge amongst devs but it is also bundled with the software that is deployed to clients (which obviously opens a back door to anyone in possession of the password - for better or for worse). So if someone gains access to our codebase we need to be sure that they cant get at the password. The password itself is stored (salted) in a sqlite database.
If I pass an encrypted value into the program and then decrypt it will that protect us? Im not too bothered about the password being in memory on the server where the test runs as that server should be securely locked down and will only exist for the duration of the tests.
The only other thing I can think of is to insert a temp password into the sqlite database once TeamCity has spun up the temp server instance and before the tests are run. Not sure how to achieve that though.
I would have thought this would be a really common problem with selenium but I havent as yet been able to find a definitive solution.
The solution is to set your passwords at runtime. I would suggest environment variables. Then they are not in your codebase and instead somebody would need to hack into where you run your tests from.
As SiKing suggests, the solution is to use a temporary, test specific password which wont make it into production code. Simples.
One approach that I have used is to execute javascript to evaluate things:
<td>storeEval</td>
<td>prompt("What password")</td>
<td>secretPassword</td>
That only really works for user run stuff via webdriver though.
You could setup some kind of small ajax request at the start of the test to http://localhost/credentials.json or similar, which is set up on your CI instance (but not available anywhere else).
Add a password manager extension like bitwarden,keepass etc.., and configure it to auto-login... give 2-3 sec in code to auto-login
I am currently working on a java search project that will be distributed to the clients' local server, the project contains some valuable data that we hope it cannot be accessed directly on the machine, but can only be accessed from the project services/apis. The data will be updated on a daily basis and need to be avaliable for query 24/7.
I am thinking of eCryptFs, but after some test, it seems that once the encrypted data is mounted under the service user, say 'root1', as I have to keep the encrypted data in the mounted state to support query, all the other login users can access the de-crypted data without password. Is there anyway to support my scenario? Thanks.
If your users don't have root access, you can simply store the encryption key in a file and deny read access to other users.
If your users do have root access, there is nothing you can do.
EDIT:
Under most circumstances, someone with root account can do anything that the other users can do. So, even if you did get per user r/w permissions on a file but only for a certain user (which is very possible), it would be rather pointless. (Someone with sudo/root access could just run sudo su USER, where USER is the account with the r/w permissions. I think a better way to go about this is to look at options that users do not have control over.
The first thing that came to mind was compiled programs. While they are not really meant for holding secure information, you could compile a simple program to output a little bit of the information after a time delay (to prevent them from just running it continuously and then compiling all of the data they get from it.) Actually, modifying your Java program might be easier; just have it store the information as an enormous string or something. :D
These open source Java obfuscators will make it harder (but certainly not impossible) to reverse engineer your program and, along with it, the data inside.
A more secure option would be to write a C program, compile it, and have it output information (after a time delay) that the JAVA file can then manage. In order to make it harder to decompile, you could add some encryption methods to the string so if the Decompiler messes up on any part of it, it's still worthless information to them.
Final verdict: Nothing is really 100% secure when it is stored on someone else's computer(s) but, then again, neither is it 100% secure on your own server. I would suggest looking into other options, but if you have no other option and you have legal protection on the information, this might work for you.
I have a doubt concerning how to store a password for usage in my application. I need to encrypt/decrypt data on the fly, so the password will need to be somewhere. Options would be to have it hard-coded in my app or load it from a file.
I want to encrypt a license file for an application and one of the security steps involves the app being able to decrypt the license (other steps follow after). The password is never know to the user and only to me as e really doesn't need it!
What I am concerned is with hackers going through my code and retrieving the password that I have stored there and use it to hack the license breaking the first security barrier.
At this point I am not considering code obfuscation (eventually I will), so this is an issue.
I know that any solution that stores passwords is a security hazard but there's no way around it!
I considered assembling the password from multiple pieces before really needing it, but at some point the password is complete so a debugger and a well place breakpoint is all that is needed.
What approaches do you guys(and galls), use when you need to store your passwords hard-coded in your app?
Cheers
My personal opinion is the same as GregS above: it is a waste of time. The application will be pirated, no matter how much you try to prevent it. However...
Your best bet is to cut down on casual-piracy.
Consider that you have two classes of users. The normal user and the pirate. The pirate will go to great lengths to crack your application. The normal user just wants to use your application to get something done. You can't do anything about the pirate.
A normal user isn't going to know anything about cracking code ("uh...what's a hex editor?"). If it is easier for this type of person to buy the application than it is to pirate it, then they are more likely to buy it.
It looks like the solutions you have already considered will be effective against the normal user. And that's about all that you can do.
Decide now how much time/effort you want to spend on preventing piracy. If someone is determined, they're probably going to get your application to work anyway.
I know you don't want to hear it, but it's a waste of time, and if your app needs a hardcoded password then that is a flaw.
I don't know that there is any approach to solving this problem that would deter a hacker in any meaningful way. Keeping the secret a secret is one of cryptography's great problems.
An approach I have done in the past was to generate an unique ID during the install, it would get the HDD and MCU's SN and use it in a complex structure, then the user will send this number for our automated system and we reply back with another block of that, the app will now decrypt and compare this data on the fly during the use.
Yes I works but it still have the harded password, we have some layers for protection (ie. there are some techniques that prevents a mid-level hacker to understand our security system).
I would just recommend you to do a very complex system and try to hack it on your own, see if disassembly can lead to an easy path. Add some random calls to random subroutines, make it very alleatory, try to fake the use of registry keys and global variables, turn the hacker life in a hell so he will eventually give up.
I'm wondering what people use for storing their username, passwords, urls, IPs, domains, and any other login information they need to both do their job and in general life. It might also store serial numbers or similar data.
I find that I'm registering for probably 5 sites a month, paying some piece of software, just setting up a new hosting account or ssh access to something. By the end of the month, I've both forgot what those sites were and what my username and/or password is--not that I use a completely different password every time. Next month when I go back, I end up using the forgot password and then changing the password to something that I'll forget.
I'm also thinking it needs to be mobile, probably browser based (not a USB key or other protable media) and very secure.
I'm thinking there are maybe 2 different solutions: one for a company where everyone in the company can access it and one where it's only you.
What does everyone else use to store their authentication information?
Edit: I'm looking for something to store more than just a username and password. It needs to store IPs or domains for example for SSH access. It also needs to have the ability to put some kind of comment in or other information because, for example, the site maybe limited to 1 IP.
I use KeePass. It has versions for various platforms (KeePassX for Linux, for example) and has been quite stable for me. No lost data yet, so I haven't had to resort to my backups :)
I use PasswordMaker and it's fantastic Mozilla Firefox add-on. All passwords are generated from a website URL and your username. You enter a master password which then essentially "unlocks" all your passwords so you really only have to remember one password but can have a unique password for each website you have an account on.
PasswordMaker was also recommended by Jim McKeeth in Stack Overflow Podcast #9.
Note also that there are many other ways to integrate with PasswordMaker besides the Firefox add-on. For example, they have an online version that can be used essentially anywhere as long.
I use a certain string of characters in all my passwords, then for each new site I register on I append another string of characters which can be determined by looking at the site's name or URL. All I have to remember is the base password and the algorithm for determining the rest of the password.
Try Password Gorilla and use GetDropBox.com to keep it synced across machines. I think it was recommended by the developers of this site.
I keep everything always with me on my Treo, with SplashId. (Handles custom fields, too)
I have two different solutions:
For work related passwords (login to our webbservers and mysql users and logins), we use a shared google doc. It's not ideal, but it's better than having just one password (we did when I started), and it's better than being locked out if one guy gets run over by a bus.
My private solution is a variant of Jeremy Rutens solution, an algo that gives a couple of chars based on the url/hostname and another algo for the second half of the password (which usually gives me two or three choices when I've forgotten the pass - but that takes just a few minutes extra).
Here's a simple solution that I think fits your requirements.
Store all your usernames, passwords, URLs, IPs, whatever in a plain text file. Yes, really. You may even want to have one text file for usernames & passwords, another for URLs, another for IPs ... whatever works for you.
Alternatively, if you'll have MS Office, Open Office, Star Office, or some other compatible office program available at every site, a spreadsheet works splendidly for this type of thing.
Zip this (these) file(s) up and apply a good password.
Attach this zip file to an e-mail you keep in your favorite Web-based e-mail box. To keep it easy to find, you might want to create a separate folder, or just create a separate e-mail account just for this purpose.
That's it. Assuming you can rely on have a Web browser with access to your Web mail, an unzip utility, and a text file reader (or better yet, spreadsheet reader), you can access your information securely from anywhere.
I use Password Safe. You can store, organize and retrieve all the essentials in a snap. It also has a handy "generate random password" that I use more and more, especially for those once-in-a-while-never-worth-remembering-the-password sites.
http://passwordsafe.sourceforge.net/
I store my passwords in text files on an encrypted partition.
Like claudiu I use a several tier system and my memory, I have a good handful of passwords that I know all from memory, and depending on what type of stuff I'm using depends on what passwords I use. Effectively I have two or three passwords for each of my "tier" catagories. Sometimes I have to try several of them if it's a site I don't use often until I get in. Though typically I'm very good at remembering which one's I uses on which sites.
Clipperz looks like a good solution. It allows you to store pretty much anything you want and encrypts all of your data with your password. It also includes an export feature and offline read-only version. And it's free!
Keepassc (https://github.com/raymontag/keepassc) on my Linux machines, with the database file stored within Dropbox so it can be synced with my Android phone (KeepassDroid) and Windows machines (Keepass). Works great!
Use the same password for everything. Give it out to strangers.
Just kidding. I use three tiers of passwords - the lowest one is really easy to remember, and applies to all accounts whose security I don't care about. I just use it for most things like this.
For the other stuff, I don't find it to be such sensitive information, so I'll store them in a large "info.txt" text file. I'll put a password hint next to it, such as "the bad one", or "double z" for example, if I have a password I use a lot that has two zs in it. I just use standard CTRL+F search to lookup the info.