When trying to reset password with feathers.js, vue and feathers-authentication-management appears that tokens and passwords are not hashed the same. I am looking for an recent application that does all the things that feathers authentication management says it does. So far all examples have fallen short.
It isn't that the examples have fallen short. But me. There is assumption knowledge needed to complete the examples.
Related
I want to create custom made algorithm for web access token vs using JWT.
My algorithm will use XOR with secret key in order to encrypt.
so for example : for {username : user, timestamp : 1212121, md5 of the above} I will xor it with secret key and send it to the user.
The benefit for me is that attackers will have hard time to guess how I built the encryption vs well known JWT. So trying to send me a cookie with admin/another user will be harder for him.
My main question is why to use JWT and not creating your own algorithm which will be harder for attacker to reverse engineer ?
Tnx
It's because no algorithm is fully sound; people make mistakes, a lot, in ways that you probably wouldn't have predicted. Then there is the maintainability aspect that even if you're an A grade expert on these kinds of things, you have to maintain that algorithm. And is that really something you want to be doing over providing business value?
Also, the advantage of using well known standards for authorization, encryption, etc. is that they have proven (as far as possible) that they are secure 'enough' for at least the near future and extensively tested as they are used by billions of sites/apps on a daily basis.
So summarizing: it's just not worth the effort, and the probabilty and cost of a mistake is too high..
Using xor with a secret key means that you will not be able to use asymmetric keys, so any client which needs to decrypt the token will have to know the secret, and thus will be able to encrypt tokens as well.
If your client does not need to decrypt tokens, then you can just use opaque tokens, you don't need JWTs. (Or use the Phantom Token Pattern if your APIs do need JWTs but clients don't).
If your client does encrypt the token, then any attacker can easily read your solution and it's no longer that secure. Also choosing your own solution because it will be harder for anyone to guess it is security by obscurity and does not add real value (e.g. a hacker could do a research about you and your code and maybe will find this post on SO, which will give her valuable information about your solution).
When you choose standards for security solutions at least you know what are the potential issues, and how to properly address them so your project remains secure. If you choose a proprietary solution, then you will not know the security issues that you have.
I am a beginner of CAS. I want to reset Principal attributeMap after loging successfully, and no solution in similar questions. Can anyone help me? Thanks for your advice!
CAS Version:6.1.6
I want to reset Principal attributeMap after logging successfully, and no solution in similar questions.
The reason you can't "find solution in similar questions" is because,
It cannot be done without a great deal of coding.
It's a bad idea. You cannot change the verified subject identify after it has been verified. Once the credentials are verified and the attributes are collected, that collection is final.
Rather than asking what is possible, it would be best if you described why you want to do this, and then folks can help you with alternatives once your use case and objectives are clearer.
after reading all the threads on stackoverflow and other platforms, I still wasn't able to find an answer, which satisfies me.
The task:
I want to create a single page application (SPA) which receives data from a REST API. In this SPA, NO authentication should be used. It's a public site.
But the REST API should only be accessible from people who loaded the SPA from my webserver.
I assume this is only solvable with something on server side like sessions, cookies etc. - otherwise I'm open for your suggestions, solutions etc.
Thx in advance!
There's no reasonably easy way to do this. You can easily prevent other domains (in browsers) from accessing a an API on your domain (via CORS), but it's significantly harder to prevent scripts from doing this.
The issue lies in 'how do you detect legit browser traffic from a script'. It turns out that this is not easy. You could try to detect 'unusual behavior' as much as possible (for example a large amount of requests in a short time), but this doesn't stop clients that are slower.
Ultimately if people want your data, they will find some way around whatever restrictions you come up with. You should reevaluate this and use one of the following options:
Don't do an SPA and API. Although one could wonder, if the data exists in HTML it can still be crawled.
Add authentication. But obviously this won't help you in any way if anyone can authenticate.
Re-evaluate why you have this restriction. What are you worried about? If you're worried about people taking your data and using it elsewhere, how does only showing it in a browser from 1 domain help with that? If you're worried about copyright theft, why not use a legal approach to this?
I've seen a lot of these types of questions, but in my opinion I haven't yet seen one that has a legitimate good reason to want this. But, maybe you're the first.
I believe I answered my question myself on a comment 30 minutes ago... I think with captcha I'm able to secure the REST API against unwanted access to my REST API
I'm going to encrypt & hash (I guess that's the same thing) my emails in my database.
Which hash or encryption is the best & safest and most hard to get information out from?
My site is basically a private streaming site which will get probably very much attacks and such and I guess if not a hacker will get into the database the police will later on. So, what should I use to protect my users to the maximum?
Kindly Regards.
First of all, as Allan S. said, hashing and encryption aren't the same thing.
A hash function is mainly used to verify the integrity of a file because little differences in the file cause very different hashes. Hash function
Encryption, in a few words, is used to protect files or data from being stolen or watched by someone. Cryptography
Back to your question:
Here you could find some advice linked to some hashing function,there's a little explanation.
About encryption algorithms maybe you'll find something useful here and here.
Specifically related to databases I found this.
Keep in mind that a every time valid solution doesn't exist, you need to find the one which fits better to your requirements.
I have a lot of accounts from an older version of a website that I need to migrate to a new version. Passwords are encrypted with bcrypt and I don't know what the salt was, what library, or anything like that. I only have the data from the database. What would be the best way to allow people to still use those accounts? One thought was the first time they try to login, send them an email getting them to update their password. Any other thoughts would be greatly appreciated. Project is running on MEAN stack if that matters.
UPDATE:
Is there a chance that it will just work? I tried an account that I knew the password for, and it seems to just work. Does bcrypt do some magic I am unaware of?
So reading the following question's answer I learned how bcrypt works and since I am using the same algorithm ie. "2a" and the same power ie. "10" it just works since the salt is stored in the data. I also got two of the passwords for the accounts, and tested them. They both worked perfectly.
How can bcrypt have built-in salts?