I need to trim password from login form. That's it. What is the simplest way?
Related
After saving the user's data in my Firestore database, the password is not hidden (I don't need to encrypt it) just to hide it for example:
email: xx#gmail.com password:*******
the password is not hidden
The password field in your document is a regular field of type String. Naming a field "password" doesn't provide any benefits at all. So there is no way you can hide that.
As also #Fogmeister mentioned in his comment, you just should never store the credentials in the way you did, as storing passwords in cleartext is one of the worst security risks you can inflict on your users.
If you are already using authentication, simply omit the addition of the credentials in the database.
I'm using asp.net membership for users accounts, user password is encrypted and stored on to the sql database as a user registers , the problem I'm having it when the user forgets the password I can't get it right when trying to retrieve it from the database, I have no idea how I can reverse the encryption.I'd appreciate the help.
You can't. By default the passwords are saved as a salted SHA1 hash, you can't "decrypt" such a hash.
It would be bad practice to save passwords in a fashion that allows you to view them, no matter which algorithm you would be using for that. Just create some logic to enable a user to reset his or her password, instead of trying to retrieve the original password.
I am using Spring Security 3.2.5. I use ActiveDirectoryLdapAuthenticationProvider for my authentication provider. But I want to check my username and password before authenticating through Active Directory.
For example, Before authentication process starts via Active Directory, I want to check that username and password are not equal and there is no space in them or their size is not smaller than special size.
Update:
Spring Security does not allow empty username and/or password and raise this exception:
Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials.
I have looking around in different filters and I think I should do this checking in UsernamePasswordAuthenticationFilter but I am not sure and I don't know how to do it. I highly appreciate your help.
Thanks in advance.
Best Regards,
/Samaneh
By default Spring Security should error if the user attempts to submit an empty username or password. As far as testing password criteria prior to LDAP authentication attempt, that seems inherently insecure. By testing a precondition you may give an attacker insight as to what the password may be. Additionally, short circuiting the LDAP binding attempt would effectively circumvent any maximum invalid attempt threshold configured in Active Directory.
Simply put, when it comes to authentication, we don't want to give the user any specific details other than the username and password you provided were wrong.
I need to decrypt the password to send in email. Can anyone please guide me that how I can decrypt the "Spring Security" password in grails?
Thanks
Smac
Passwords aren't encrypted, implying that they can be decrypted, they're hashed. Hashing takes various inputs and generates a fixed-length output, so the process is lossy since a large original input cannot be stored completely within a small hash output.
But that's ok for passwords. Rather than decrypting (or "de-hashing") the stored password to see if a login attempt is valid, you hash the password from the login page and compare it to the stored hash value. These two don't have to be the same, and for example when using Bcrypt they won't be the same value, but the hash algorithm implementation will have logic to determine if two hashes are equivalent.
If you store passwords in a way that the original value can be retrieved, you might as well store them in cleartext. But that's crazy since then anyone with access to that table can see them.
As was mentioned in the comments, never send cleartext passwords by email. Instead configure a workflow where your users can reset their password. The http://grails.org/plugin/spring-security-ui plugin has this as a feature. If you don't want to use the whole plugin, feel free to steal the code for this feature. Basically the workflow is that a user requests a reset email for their username. Only ask for username, but not their email; use the one you already have. Generate a unique token and store it, and use it in the link in the email. When the user clicks the link you can validate the token and know that it wasn't just any arbitrary request from a hacker, but that it's from the user since you use their email address to verify their identity.
1) You should be using one way hashing algorithm for encrypting password Which can't be decrypted back. (Otherwise, its security threat for the application)
2) Text password should never be sent in emails. Infact, you should use workflow like sending the reset/forgot password link in the email.(The links can have UUId appended as a parameter for any new reset/forgot password request which is enough to identify).
Im using an asp.net mvc 3 project. I want to be able to email a users password to them if they submit their username in RecoverPassword page.
How can i do that?
Thanks
Its best to store the password in your database as a hash so it can never be reversed. If they forget their password, best thing to do is let them reset it, rather than telling them what the old one is.
Don't do that. Storing passwords in plain text is insecure.