VirtualTam's bookmarks

1. The Copenhagen Book - General guidelines on implementing authentication and authorization in web applications 2024-04-05

   tags: cryptography/hash, memory/cache, network/http, network/http/cookie, programming/go, security/authentication, security/authorization, security/oauth, security/password

   [ permalink ]

   • pilcrowOnPaper/copenhagen
2. Have I Been Pwned - Pwned Passwords 2024-02-28

   tags: programming/go, programming/python, programming/ruby, programming/rust, security/credentials, security/password

   [ permalink ]

   • HaveIBeenPwned/PwnedPasswordsDownloader
   • API Clients:
     • mattevans/pwned-passwords - Go API Client
     • lionheart/pwnedpasswords - Python API Client
     • philnash/pwned - Ruby API Client
     • wisespace-io/pwned-rs - Rust API Client
3. passkeys - Hello passkeys! Goodbye passwords. 2023-06-11

   tags: cryptography/public-key-infrastructure, internet/browser/chrome, internet/browser/firefox, mobile/android, mobile/ios, security/authentication

   [ permalink ]

   Passkeys are a replacement for passwords that provide faster, easier, and more secure sign-ins to websites and apps across a user’s devices. Unlike passwords, passkeys are always strong and phishing-resistant.

   • https://fidoalliance.org/passkeys/
   • Apple Developer - Passkeys Overview
   • Apple Support - About the security of passkeys
   • Google Identity - Passwordless login with passkeys
   • Google Blog - The beginning of the end of the password
   • Google Security Blog - So long passwords, thanks for all the phish
   • Chromium BLog - Introducing passkeys in Chrome
   • Tailscale doesn't want your password
   • Tailscale - Custom OIDC Providers
   • YubiKeys, passkeys and the future of modern authentication
   • A Yubico FAQ about passkeys
   • Why Passkeys Will Be Simpler and More Secure Than Passwords
   • Passkeys: A shattered dream
4. WebAuthn - An API for accessing Public Key Credentials 2023-06-11

   tags: cryptography/public-key-infrastructure, internet/browser, security/authentication

   [ permalink ]

   The Web Authentication API (also known as WebAuthn) is a specification written by the W3C and FIDO, with the participation of Google, Mozilla, Microsoft, Yubico, and others. The API allows servers to register and authenticate users using public key cryptography instead of a password.

   • Guide to Web Authentication
   • Asynchronous Remote Key Generation: An Analysis of Yubico’s Proposal for W3C WebAuthn [PDF]
   • Issue 664630: Web Authentication API for Chrome
   • Bugzilla - [meta] Update WebAuthn JS API to the L1-REC spec
   • keepassxc#1870 - Feature Request: Integration with the Web Authentication API
5. Cloudflare Research | OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks 2022-07-12

   tags: cryptography/encryption, security/authentication, security/password

   [ permalink ]

   • https://blog.cloudflare.com/opaque-oblivious-passwords/
   • OPAQUE: An Asymmetric PAKE Protocol Secure Against Pre-Computation Attacks
   • https://datatracker.ietf.org/doc/html/draft-irtf-cfrg-opaque
   • https://blog.cryptographyengineering.com/2018/10/19/lets-talk-about-pake/
6. How can I run ssh-add automatically, without a password prompt? 2022-06-28

   tags: command-line, network/ssh, security/authentication

   [ permalink ]

   • https://www.openssh.com/txt/release-7.2
   • https://unix.stackexchange.com/questions/269121/openssh-have-ssh-add-keys-to-agent-as-needed

   Host blah
   AddKeysToAgent yes
   ForwardAgent   yes
   

7. Home Assistant, Pwned Passwords and Security Misconceptions 2021-03-12

   tags: internet-of-things, network/http, security, security/password

   [ permalink ]
8. Storing hashes: bcrypt, pbkdf2, sha256-crypt, sha512-crypt 2021-01-03

   tags: cryptography, cryptography/hash, cryptography/hash/bcrypt, cryptography/hash/pbkdf2, cryptography/hash/sha, security/password

   [ permalink ]

   • https://security.stackexchange.com/questions/4781/do-any-security-experts-recommend-bcrypt-for-password-storage
   • https://security.stackexchange.com/questions/17421/how-to-store-salt
   • https://codahale.com/how-to-safely-store-a-password/
   • https://security.stackexchange.com/questions/133239/what-is-the-specific-reason-to-prefer-bcrypt-or-pbkdf2-over-sha256-crypt-in-pass
   • https://security.stackexchange.com/questions/211/how-to-securely-hash-passwords/31846
9. hashcat - advanced password recovery 2019-11-04

   tags: cryptography/encryption, cryptography/hash, security, security/password

   [ permalink ]

   • https://hashcat.net/wiki/
   • https://github.com/hashcat/hashcat
10. helm-secrets: a helm plugin that helps managing secrets with Git workflow 2019-06-18

    tags: cryptography/pgp, linux/container/kubernetes, linux/container/kubernetes/helm, programming/yaml, secret, security, security/password

    [ permalink ]

    • https://github.com/helm/helm/issues/2196
    • https://github.com/mozilla/sops
    • https://medium.com/faun/helm-charts-for-more-complex-projects-and-how-to-secure-them-a1dfde804226
    • https://developer.epages.com/blog/tech-stories/kubernetes-deployments-with-helm-secrets/
    • https://lab.getbase.com/helm-secrets-a-missing-piece-in-kubernetes/
11. FusionAuth - Identity management - Authentication, authorization, user management, reporting, analytics 2019-03-13

    tags: programming/api, security/authentication, security/authorization, security/password, security/token, web

    [ permalink ]
12. Dynamic secrets on Kubernetes pods using Vault – Guy Maliar – Medium 2019-02-01

    tags: consul, linux/container/kubernetes, security, security/password, vault

    [ permalink ]
13. mysql - What column type/length should I use for storing a Bcrypt hashed password in a Database? - Stack Overflow 2018-10-21

    tags: cryptography/hash, database, database/mariadb, database/mysql, programming/sql, security/password

    [ permalink ]

    • https://stackoverflow.com/questions/51008351/bcrypt-hashedsecret-too-short-to-be-a-bcrypted-password
    • https://stackoverflow.com/questions/247304/what-data-type-to-use-for-hashed-password-field-and-what-length
14. Manage sensitive data with Docker secrets | Docker Documentation 2018-09-27

    tags: linux/container/docker, secret, security, security/authentication, security/password, security/token

    [ permalink ]

    • https://github.com/moby/moby/issues/13490
15. RabbitMQ - Password Hashing 2018-08-28

    tags: cryptography/hash, message-broker/rabbitmq, programming/python, security, security/authentication, security/password

    [ permalink ]

    • https://www.rabbitmq.com/passwords.html
    • https://stackoverflow.com/questions/41306350/how-to-generate-password-hash-for-rabbitmq-management-http-api
    • https://gist.github.com/christianclinton/faa1aef119a0919aeb2e
    • https://stackoverflow.com/questions/9594125/salt-and-hash-a-password-in-python
    • https://docs.python.org/3/library/hashlib.html
    • https://docs.python.org/3/library/base64.html
16. mimikatz: A little tool to play with Windows security 2018-06-25

    tags: hack, microsoft/windows, programming/c, programming/python, security, security/password

    [ permalink ]

    • https://github.com/skelsec/pypykatz
    • http://blog.gentilkiwi.com/securite/mimikatz/overpass-the-hash
17. KeePass / KeePassX / KeePassXC 2018-05-27

    tags: apple/macos, linux, microsoft/windows, mobile/android, security, security/password, web

    [ permalink ]

    • https://keepass.info/
    • https://www.keepassx.org/
    • https://keepassxc.org/
    • https://superuser.com/questions/878902/whats-the-difference-between-keepass-and-keepassx
    • https://sourceforge.net/p/keepass/discussion/329220/thread/f9f016d5/
    • https://keepassxc.org/docs/#faq-keepassx
18. Wladimir Palant's notes: Master password in Firefox or Thunderbird? Do not bother! 2018-05-07

    tags: internet/browser/firefox, mozilla, security, security/password, thunderbird

    [ permalink ]

    • https://cynosureprime.blogspot.fr/2017/08/320-million-hashes-exposed.html
    • https://blog.codinghorror.com/hacker-hack-thyself/
    • https://www.microsoft.com/en-us/research/publication/a-large-scale-study-of-web-password-habits/
19. entropy - How secure are "pattern" passwords? - Information Security Stack Exchange 2018-01-28

    tags: entropy, privacy, security, security/password

    [ permalink ]

    • https://github.com/davean/typing-effort
20. Free Open Source Password Manager | bitwarden 2017-10-02

    tags: security/password, web

    [ permalink ]