Questions tagged [password-storage]

Password storage is often a tricky issue: where do you keep a password so that it is well protected? This tag deals with problems relating to the management of user credentials in a system. Typically this involves hashing passwords with a salted, slow password hash (or encrypting them only where the plaintext genuinely has to be recoverable, as with stored service credentials) and restricting permissions so that not everyone can read a given user's password.

83 questions
1343 votes · 26 answers

How should I ethically approach user password storage for later plaintext retrieval?

As I continue to build more and more websites and web applications, I am often asked to store users' passwords in a way that they can be retrieved if/when the user has an issue (either to email a forgotten password link, walk them through over the…
asked by Shane (16,499 rep; 4 gold, 25 silver, 46 bronze)
42 votes · 8 answers

Sequelize: don't return password

I'm using Sequelize to do a DB find for a user record, and I want the default behavior of the model to not return the password field for that record. The password field is a hash but I still don't want to return it. I have several options that will…
asked by Tyler (10,503 rep; 9 gold, 57 silver, 95 bronze)
27 votes · 2 answers

SALT and HASH using pbkdf2

I am using the following methods to create a salted and hashed password from the crypto lib in nodejs: crypto.randomBytes(size, [callback]) crypto.pbkdf2(password, salt, iterations, keylen, callback) For the randomBytes call (creating the SALT)…
asked by lostintranslation (20,811 rep; 42 gold, 129 silver, 220 bronze)
25 votes · 3 answers

What is the best practice for securely storing passwords in Java

What would be the recommended way for storing passwords in a Java desktop application? I want the user to have the ability to enter the credentials only once and not be prompted again. On personal projects I've been using the Preferences API, but…
asked by Rui Vieira (5,025 rep; 5 gold, 39 silver, 53 bronze)
23 votes · 9 answers

How do I create and store md5 passwords in mysql

Probably a very newbie question, but I've been reading around and have found some difficulty in understanding the creation and storage of passwords. From what I've read, md5/hash passwords are the best ways to store them in a database. However, how…
asked by maestro416 (834 rep; 2 gold, 15 silver, 30 bronze)
19 votes · 6 answers

Password storage in source control

We store all our application and db passwords in plain text in source control. We do this as our build/deploy process generates required configuration files and also does actual deploys that require these passwords (i.e. running sql against a…
asked by Marcus Leon (50,921 rep; 112 gold, 279 silver, 413 bronze)
19 votes · 2 answers

Should you use AccountManager for storing Usernames and Passwords for an Android app?

I would like to know if one should implement AccountManager to save user credentials such as username, email, passwords etc. I can't find a good reason to use it myself. I don't want other applications to have access to the Accounts and I don't…
asked by HGPB (4,185 rep; 7 gold, 47 silver, 83 bronze)
18 votes · 2 answers

Is there a standard to store username and password in WP7 applications?

I would like to ask if there is a standard to store username and password in a Windows Phone application. I am working on a project that validates the user on every request that is called. So, I want to store the username and password. Maybe even…
asked by GeekPeek (1,233 rep; 1 gold, 16 silver, 31 bronze)
17 votes · 1 answer

What Unicode normalization (and other processing) is appropriate for passwords when hashing?

If I accept full Unicode for passwords, how should I normalize the string before passing it to the hash function? Goals: Without normalization, if someone sets their password to "mañana" (ma\u00F1ana) on one computer and tries to log in with…
12 votes · 5 answers

Where to store db passwords when using Windows .NET or ASP.NET applications

I have a scenario that has been troubling me for years. If you have to connect to a database or other service (like a web service) using a username and password, where would be the safest place to store this information if you are connecting through…
9 votes · 1 answer

jBCrypt alternative? Officially threadsafe, with a bigger community

To hash passwords (one-way), it looks like bcrypt is the best. I am about to start using jBCrypt, but I have a few worries: No mailing list. Very low activity overall. Bug tracker has only ever had 1 issue, and this 1 issue has not received any…
asked by Nicolas Raoul (55,003 rep; 52 gold, 197 silver, 338 bronze)
9 votes · 4 answers

php salt my passwords per user sha512 - am I doing this right?

I'm trying to correctly do a per-user and site-wide salt for my passwords. Here's what I've got: require('../../salt.php'); //this is above the web root and provides $salt variable $pw = mysql_real_escape_string($_POST['pw']); $per_user_salt =…
asked by Andrew Samuelsen (4,885 rep; 8 gold, 43 silver, 65 bronze)
9 votes · 4 answers

How to not hardcode passwords?

In my last question, "Portable database for storing secrets", the best answer so far says to use sqlite-crypt. Reading the sqlite-crypt docs, the new parameter for opening the database is the pass-phrase. Of course, I don't want to hardcode the password, so I…
asked by Click Ok (8,402 rep; 16 gold, 66 silver, 98 bronze)
8 votes · 3 answers

For emergencies: share part of pass with 4 people, decryptable with 2 persons

Let's say I have a password: AAABBBCCCDDD. I could easily give person A the first part (AAA), person B the second part, and so on. But is there an option where any two of the four people can decrypt/form the password from a part of the text I give them?…
asked by Karlo (349 rep; 1 gold, 4 silver, 20 bronze)
8 votes · 2 answers

Password max length with bcrypt, blowfish

My question derives from this: How to hash long passwords (>72 characters) with blowfish. I am using bcrypt (blowfish) to hash the passwords. So, as I found out from this…