I am looking for a specific app that has a really specific feature.
Please tell me if this feature already exists on dashlane or 1password.
Context :
I have a software that prevents me from accessing web sites where i waste my time.
Problem :
When I feel tempted to waste my time, I access the software and I unlock the websites
Direct consequence :
I waste my time again.
What I am not allowed to do solve the problem :
Count on my discipline. If you suggest me to count on my discipline to solve the problem, you will be out of scope.
Opportunity :
If the app existed, my problem would be solved :
Description of the app :
It's an app that sends an email with specific content x hours after a request is sent
To understand better what I mean, here is a use case :
Use case :
I create a really long password to access the software that blocks websites.
I send an email where the following informations are present :
1°) the password : let's call it : "password"
2°) The time to wait after a request is made : let's say 24 hours
3°) The trigger necessary to send the specific password : let's say : website
When the mail is sent, I delete the email so that the password is no longer accessible from me easily.
I receive a notification from this app that tells me :
Ok, we received your request for "website".
2 months after, I want to add a website that I want to block, or I want to access a website again.
I then send the following email to the correct email address with the following content :
"website"
(If I wanted to cancel my request 24 hours, I would just send :"website stop")
I wait 24 hours and I receive the password.
I do the desired modification.
I delete permanently the email where the password is present.
I am now able to avoid being tempted wasting my time.
It's kind of a "temptation buffer".
Do you know any web app or email server that does that ?
It's not necessary to use email to solve the problem, i can also login to a web app.
Thanks a lot !
This isn't a direct answer, but if you'd consider a different approach ... perhaps a browser add-on that limits site access to X minutes per day, such as StayFocusd?
Related
Suppose I have an account created on a website (in specific, a PS Network account or Google account), and I only know the login email, but not the password (with no access to the Google account in the PSN case).
Is there a way for me to verify if a given password is the correct one using only HTTP requests or something similar using code? This is to save me the time of trying multiple passwords and having to wait for a server response until I find the right one.
Details:
I'm not trying to hack into someone's account.
I tried to log in to a secondary PSN account I created years ago but I didn't know the password, only the email (I also created a specific google account/email for this purpose, so I don't remember its password either). Even though I don't remember the exact password, I know which combinations of specific words and numbers I might have used back then. But I want to run through "all" the possible combinations with code, instead of doing it manually, to save time and effort. Is there any URL to which I can make POST requests to try and log in using only email and password in the request body, and verify if login was successful? (either on PSN or Google, either one will give me my PSN account back)
Thanks in advance
I tried looking for REST API and URLs that allow me to do this, but it seems to me that Google in specific has gone strict on this, requiring more than just address and password. For the PSN account, I tried to sniff around using developer tools to watch which URLs are requested when I try to login using the Sony website interface, but I can't understand which requests are doing what.
What you want to do is a popular method for hacking account access. it is called bruit force where by the hacker you continues to try passwords over and over again until they gain access. A dictionary file is often used containing combinations of specific words and numbers
No system is going to have an endpoint that will make it easier for hackers to gain access to user accounts by force.
May I suggest using a reset password account recovery option available through most login services these days.
instead of trying to bruit force your way in. Most authorization servers will lock an account after 5 bad attempts.
the last couple of days I implemented the autodiscovery/auth flow for UCWA against Skype for Business Online and AzureAD. When I'm done and having the URL to the application directory (+ the OAuth2 Credentials) I save those into our internal system. So later on I want to create online meetings with this data. The URL to the applications directory looks like this: https:\/\/webpoolam42e10.infra.lync.com\/ucwa\/oauth\/v1\/applications\/101331226048\/onlineMeetings\/myOnlineMeetings
If I do this within the first minutes of retrieving the data it works just fine. But later on it seems, that the application directory is gone. I'm getting this response:
body":"{\"code\":\"NotFound\",\"
subcode\":\"ApplicationNotFound\",\"message\":\"An error occurred. Please retry. If the problem persists, contact your support team.\"}
Status Code is 404.
Later on I even tend to get 401 errors that mean unauthorized.
I suspect the application server going away and only being temporarily available. I got a refresh token and a valid access token, so this wont be a problem. I've got no clue what is going on there and wasnt able to find help in the docs. So maybe one of you got any advice - I'd be really thankful!
Side-Info:
I'm doing all this in PHP and I only have user-interaction at the initial authentication. I save the refresh token and all other things I need, so that my server-side application can use the authorization in long term.
Reporting here part of my reply to another question:
Keeping a UCWA App always online:
If you need to achieve that, you need to understand and implement correctly the concepts explained here me Dashboard, especially at Reporting activity section:
call reportMyActivity every 4 minutes max.
maintain an active P-GET with the Events Channel
handle possible timeouts on the Events Channel
handle possible DELETE events (on the Events Channel) the server can send for the application, for which you'll have to regenerate your app Application dashboard
reporting app's activity, and keeping a valid open P-GET with Events Channel are both very important!
We have a site that uses a "one-time" login process for password resets which are not initiated by the user themselves. (for instance, a password reset that is initiated by an admin or another employee) A URL is sent to the user via email which can then be used to reset their password. The URL can only be visited one time. (there's more to this for security-sake but I'll keep it simple) Recently, some users have complained that when they visit the link, it has already expired. The end result is that they can't reset their passwords using this feature. We discovered that the users in question have a spam filter or "link checker" in their environment that they do not have access to. This device visits the one-time link before the user is able to, to make sure its safe.
I'm trying to solve this issue and was wondering if there's a way I can detect these type of devices on the web server when the request is made? When the spam filter visits the link, is there something in the http request that would stand apart from a regular browser? Maybe they all use a specific custom HTTP header? Or maybe there's a regex I could use on the user agent? I haven't been able to catch one of these yet, so I'm not sure what the request looks like coming from a spam filter.
Anyone know of a way to detect spam filters of any vendor by looking at the http requests? I know it's a long shot but maybe they all use a specific header for reasons such as this?
I got approval to modify the design to remove the one-time aspect of the URL. This solves the issue and saves me the headache. Thanks for the suggestion, #PeeHaa
So, I have my web app connected with Foursquare API up and running. It has it's own secret keys and everything. It listens to the incoming push notifications and trying to react on connected users's checkins. So far so good, however, when I'm trying to post something back on user's checkin via one of these:
checkins/reply
checkins/addpost
checkins/addcomment
I got 403 Forbidden error. I know, that I'm messed up something with OAuth tokens but I'm really stuck here and feel a bit puzzled. I try to summarize what's the current status and what I've tried so far:
I Have the App's: clientId, clientSecret, pushSecret
I also connected the Foursquare Account on which the app is creared into my web App, so I get the accessToken, let's name it: appAccessToken
Users are getting registered to my web app, so I get userAccessToken for one of each.
And here we go:
Trying to reply for a user's checkin fails when I'm using appAccessToken. From what I understand, it's like replying on behalf on my App's account, and since that account isn't on the user's "friend list", I get 403.
On the other hand, I'm able to post reply when I use userAccessToken but then, It looks like the user is commenting itself on their own checkins which dosn't have much sense.
I was even so desperate that tried to use clientSecret but no avail...
Can anyone point me out what am I doing wrong here? From what I understand from the Documentation it is, in fact, possible to reply as an App... The only question is, how? :-)
There's ostensibly no difference between the two "types" of access token you describe: appAccessToken and userAccessToken are really two instances of the same thing (a user's access token), one just happens to be associated with the user account that created the app.
For each check-in you are pushed, you should use that user's access token when making a call to checkins/reply. This will reply to the check-in in the style of our Apps Platform. I think in your second comment, you're using the user's access token to add a post to the check-in, which will make it look like the user is commenting on their own check-in.
I have to build an App that need authentication over a DB (online).
When application load, at first appear a login screen to insert user credentials.
Thus after a correct login, user can access every areas of this app.
I think to use this steps, what do you think about?
1) Build a PHP (or other lang) Webservice that accept username/password(crypt) and check this data. When user is found, create a token with some strange unique string and adding a expiration time information. Send token back as response with some sort of json structure.
2) The IOS APP call this service passing username/password, if the webservice response is positive, store the received token in NSUserdefault and add time of creation (so i can calculate when it expire.
3) From my APP i can make request toward webservice sending my token. WS checks Token validity and send back a response.
Is this a good practice ???
Yes and no.
I think your approach will work as you wrote it. But keep in mind, that your users needs an internet connection to use your app. So I would design the structure in a way it has also a use for the user, if he has no internet connection.
I also don't know how good your expirience is with Webservices and the communication with them. If you send the data, you should also encrypt the sent data, because they are the credentials of the user. So it's not save to send them as GET Values for examples in a PHP script...
I hope my answer did help a little bit. If you have specific questions on this type of webservice, just ask. I did this a few times before. ;-)
Sandro Meier