in resource.cfg i'm storing the password for mysql nagios user.
How can I encrypt the password in resource.cfg ?
You can't, that is why your resource.cfg file should have permissions settings that make it unreadable by anyone except by your nagios user.
Why are you storing the password in there? You shouldn't have to unless you're doing something unique.
Related
I have ruby app with mysql database which has password stored.I don't know ruby but from internet what i found is that ruby stores password in bicrypt format.
I created one user with password : Password123.
What i printed in console was its encrypted password.
Tasks:
Now i am creating a django app which needs to be connected to same database.I need to verify password from same database.That is i used bicrypt algorithm in django dummy app and created user with same password : Password123.
But encrypted text from ruby app and django app are different.It needs to be same for verification from django app.
How to do this? Why bicrypt output of both language different.
I am going to assume you mean bcrypt. I don't know what bicrypt is. The 'encrypted' password is probably salted to protect against rainbow attacks, which is why they have different 'encrypted' values.
Why do you need the 'encrypted' password to be the same on both systems? Does using 'Password123' on either system not work?
I'm using asp.net membership for users accounts, user password is encrypted and stored on to the sql database as a user registers , the problem I'm having it when the user forgets the password I can't get it right when trying to retrieve it from the database, I have no idea how I can reverse the encryption.I'd appreciate the help.
You can't. By default the passwords are saved as a salted SHA1 hash, you can't "decrypt" such a hash.
It would be bad practice to save passwords in a fashion that allows you to view them, no matter which algorithm you would be using for that. Just create some logic to enable a user to reset his or her password, instead of trying to retrieve the original password.
I need to encrypt an NSString before sending to a WebAPI.
What are the best practices for this? I've been looking at different articles but haven't found what I'm looking for.
The whole hash/salt with date thing seems like the best approach as of this writing.
ANyone know how to do this in iOS?
Then, do I just store it in the DB as varchar(50)?
And for subsequent logins just do a text compare?
Thanks all.
Encrypt and authenticate the connection to the server with HTTPS. This counteracts eavesdropping and MITM attacks. Be sure to verify server certificates on the client side.
On the server, hash the password with a randomly generated salt.
Store the hash and the salt in a database. Yes, you can use something like a text or varchar(50) to store the hash and salt.
This has been covered in a few other questions before: see Best way to store password in database
My User.rb has a before_save callback that encrypts the user's password, it does:
def set_password
self.salt = ...
self.encrypted_password = ...
end
Now when I create my user in the seed, how do I encrypt the password w/o duplicating my code?
I'm concerned about the same issue. In my case, I want to seed the database with an "admin" account so that a user doesn't try to create an account by this name. Even if I were to salt and encrypt the password, I have to seed the database with this information. It'll have to go into the seeds.rb file and if my development or server hard drive is compromised, someone could potentially figure out the password with the salt and encrypted password. If you're ok with that, then you can just choose a salt and encrypt your password based on that, then put the encrypted password in your seeds file.
If this is going into production, you may want to consider seeding these accounts with random salts, random passwords and a fixed email. No one will be able to access these accounts, but you'll be able to reset the user password. I'm assuming you have some sort of password reset system implemented.
This sounds like a pain, I know, but I can't think of another way that's as secure.
Usually you grab the already encrypted password from the database and convert it into a seed. Don't re-implement it, simply duplicate the required value.
How disable encrypting password in devise?
DISCLAIMER: While it certainly is not generally wise to store passwords unencrypted, there could exist cases in which the developer would want to do this. Hopefully the developer is conscientious enough to make sure that in making this generally poor security decision for their app, they are not endangering personal and or identifying info of their users. You might imagine a case where the app's only logged information is user interaction with the system as in some kind of study of user interaction.
tl;dr One can disable encryption in devise by creating a custom encryptor
and just having it return the password directly.
I agree with Shingara. You should never store people's passwords in an manner that's recoverable devise stores passwords hashed (not encrypted), they're both unreadable formats, but the difference is that you can't reverse the hashing.
If you're wondering why, this is so that if your site or database gets compromised, the hackers won't be able to steal your users passwords (users have a bad habit of using the same password on almost every site). You don't want to look silly by not hashing passwords, and you've no excuse since it's provided free for you with devise.
The only thing you need to be able to do with a password is authorize a user, which can still be done with a hashed password. You never need to tell users their password if they forget it, instead reset their password to something new (devise supports this too).