Through my developer career i've been on different kind of projects where a user needs to login with username and password. As I'm completing the project i've encounter the need to test some user account. The solution that i've found yet is to save the password and username on a text file and to use to login. I would like to know if someone has a better idea to ease this process.
I've tried to use some extension such as last pass but as i'm using "localhost:4200" it tries to auto fill password and username from other projects.
Related
I'm building a page for a Flutter web application using Firebase Auth where the user can change his password. For security reasons, I want the user having to enter his recent password before being able to set a new password.
To achieve this, I tried to use the reauthenticateWithCredential()-method from Firebase.
Problem is, this only seems to work if the user hasn't signed in recently. If, on the other hand, he has just signed in, he can change his password without giving the right credentials (or even without giving any credentials at all).
So is there a possibility to prevent the user from changing his password without providing his correct recent password, no matter if he just signed in half a minute ago? Did I overlook something?
As far as I know it isn't possible to get the password from Firebase, so the only two solutions I can think of atm are
To sign out and re-sign-in the user, given he has entered the correct credentials, and then change the password, or
pass his password from the login to a variable on the change-password-screen, just in case it should be needed...
However, both methods don't seem to be appropriate for practical and/or security reasons.
I have application where administrators have to create accounts for the new users. Basically there is no option for random user to create account and access this app. The admin would have to enter some basic info like First, Last name, Email address, User name and then comes to the password. I have algorithm that generates unique passwords. I'm looking for the better option to handle this situation.
The old application worked this way: admin enters info, generates password and there is an option either to automatically notify users via email or admin will contact directly that user and provide login info. This method seems very inefficient and insecure at the same time. Sending info like user name and password in the email is definitely not recommended nowadays. I was wondering what would be a good approach?
Should I generate unique link with expiration date where user can enter the password? Or there is better way to handle this situation? I use JavaScript, JQuery and ColdFusion 2016 for this project.
Many websites now support 2FA and many of them ask users to use an App for the OTP. From the tool I use, like 1password, it seems the OTP is updating all the time regardless to I have logged in the website or not. My question is, since the OTP is always there, why it is split into a standalone step to enter the code instead of asking users to enter it along with the username and password?
I think i get the whole password hashing and verifying login as I got it working with php. however I need an answer and some advise and I dont mean dont eat yellow snow!! :)
I want to store the passwords of users in a hashed format, however I have a need where by I need to be able to see or use given password so I can help the customer fix there issues as a technician.
Now passwords are first created by my system then issued to customer, however users have the choice to change their passwords if they so wish.
username is also created by system.
Now that being said:
I had 2 thoughts both of which I have no idea how to do so some pointer or an answer would be great.
idea 1:
is to have a button on my site to show only the technicians the user password on demand. so they can copy and paste to the site.
Idea 2:
I was also thinking that rather than see the password. I could have some way to transfer the password into the site to create an auto login into the website.
So technician would have a button that they press and the password is sent to the site to auto login with the hashed password.
Thanks in advance.
To give technicians access to a user account, there is no need to know the users plaintext passwords. It is the job of your application to restrict access, so you can create an admin role which is able to impersonate a user.
Making passwords recoverable weakens the security of your site immensly.
I have been looking for the past few hours on how to user the phpBB login script on a custom site. I think I'm just not searching for the right things.
A while ago, I created a phpBB site and have over 900 members registered through phpBB. I am currently face-lifting this site and redoing the user registration along with all of the other custom code I have.
My problem is, I want the users to be able to log in as usual, though I want to input them into my new database so everything can run smoothly. I mainly need their username, password and old ID#, but I don't know how to use phpBB's password authentication or where to find it
The statement needs to look something like this:
On Login, grab username and password variables:
if the username is not in MY database, check phpBB database.
If the username is in phpBB database, check to see if the password is correct **(This is the part I don't know how to do)**
If the password is correct, input the username, user ID and the password (encrypted my way) into MY database
Login
If the password is incorrect - error
if the username is NOT in phpBB database - continue
if the username is not in MY database - input username and encrypted pass into my DB
login
Where can I find a script to authenticate the phpBB user's passwords? I don't care how the script is done, I know that's a secret, I just need to be able to authenticate passwords so that I can make sure it's the same user
I do have access to the phpBB database, I just need a way to authenticate their password
I would rather delete the quesion, but here's the answer:
Check here: http://sunnyis.me/blog/secure-passwords/
and when you download the PasswordHash.php, change all of the $P$ to $H$. It will work. Strange how it creates a password, every time it creates, it's different. But the CHECK part of it makes sure it checks it correctly, no matter what hashed pass it creates.