How about taking another approach or angle at this problem? Ask why the password is required to be in plaintext: if it’s so that the user can retrieve the password, then strictly speaking you don’t really need to retrieve the password they set (they don’t remember what it is anyway), you need to be able … Read more
Passing a value to standard input in Bash is as simple as: your-command <<< “$your_variable” Always make sure you put quotes around variable expressions! Be cautious, that this will probably work only in bash and will not work in sh.
Hashing a password once is insecure No, multiple hashes are not less secure; they are an essential part of secure password use. Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from … Read more
The link to discussion, provided by Catchdave, has another valid point (original, dead link) made by Dick Hardt, which I believe is worth to be mentioned here in addition to what’s been written above: My recollection of refresh tokens was for security and revocation. <…> revocation: if the access token is self contained, authorization can … Read more
I work at Auth0 and I was involved in the design of the refresh token feature. It all depends on the type of application and here is our recommended approach. Web applications A good pattern is to refresh the token before it expires. Set the token expiration to one week and refresh the token every … Read more
Since questions about salting hashes come along on a quite regular basis and there seems to be quite some confusion about the subject, I extended this answer. What is a salt? A salt is a random set of bytes of a fixed length that is added to the input of a hash algorithm. Why is … Read more
JWTs can be either signed, encrypted or both. If a token is signed, but not encrypted, everyone can read its contents, but when you don’t know the private key, you can’t change it. Otherwise, the receiver will notice that the signature won’t match anymore. Answer to your comment: I’m not sure if I understand your … Read more
It will/may be empty when the enduser entered the site URL in browser address bar itself. visited the site by a browser-maintained bookmark. visited the site as first page in the window/tab. clicked a link in an external application. switched from a https URL to a http URL. switched from a https URL to a … Read more
The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as “Historic”) and formalizes the syntax for real-world usages of cookies. It clearly states: Introduction … For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a … Read more
Hashing is a one way function (well, a mapping). It’s irreversible, you apply the secure hash algorithm and you cannot get the original string back. The most you can do is to generate what’s called “a collision”, that is, finding a different string that provides the same hash. Cryptographically secure hash algorithms are designed to … Read more