#Bcrypt

2026-01-01

Part 6 of the series on a User Management System with JavaFX & MySQL focuses on secure password hashing with BCrypt (replacing plain-text storage). A practical guide for students, graduation projects and people learning Java desktop applications. #JavaFX #BCrypt #PasswordSecurity #JavaProgramming #HệThốngQuảnLýNgườiDùng #MậtKhẩuAnToàn

reddit.com/r/programming/comme

2026-01-01

JavaFX & MySQL: User Management System - BCrypt Password Encryption (Part 6) 🖥️
A complete User Management System in JavaFX & MySQL. A guide to secure password encryption with BCrypt instead of plain-text storage.
Great for students, final projects or anyone learning JavaFX programming. Part 6: youtu.be/LDD1Kan7tOI
#JavaFX #MySQL #BCrypt #QuanLyNguoiDung #LapTrinhJava
Feedback and suggestions are welcome! Thank you!

reddit.com/r/programming/comme

GripNews GripNews
2025-11-16

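🌘 Why might bcrypt be an insecure password hash?
➤ bcrypt's 72-byte password limit: an overlooked security flaw
blog.enamya.me/posts/bcrypt-li
Because the bcrypt algorithm is based on the Blowfish cipher, it processes only the first 72 bytes of a password, so passwords longer than that are truncated, which creates a potential security risk. The article demonstrates the problem with Python examples and proposes alternatives such as using Argon2, or hashing with SHA-256/SHA-512 first and then applying bcrypt; it also mentions that Python version 3.0.0 has started raising an error for long passwords.
+ This article is very enlightening! I always thought bcrypt was the most secure choice and did not expect it to have a limit like this; luckily I found out early. Thanks to the author for sharing.
+ Thanks for providing alternatives; Argon2 sounds like a good choice. But for systems that already use bcrypt, are there any good migration recommendations?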

2025-09-29

Since WordPress v6.8, the default hash func produces a custom bcrypt hash: $wp$2y$10$...

More info on this custom algo, how it uses hmac-sha384, and how to crack them with hashcat.

forum.hashpwn.net/post/4205

#wordpress #bcrypt #wpbcrypt #hashcracking #hashpwn #hashgen #hashcat

Diego Córdoba 🇦🇷 d1cor@mstdn.io
2025-07-09

Today I learned about the #bcrypt hash algorithm, based on the #Blowfish block cipher, while reviewing an article by @andrea_navarro about #Flask extensions... particularly the security extensions.

And I just discovered that it is one of the algorithms supported for creating passwords on GNU/Linux :D

I'll have to do some experiments.

#gnu #linux #cryptography #criptografía #ciberseguridad #infosec #encrypt #hash #python #flask

"man 5 crypt" showing the bcrypt section

2025-05-29

#4 👥 Leverage built-in authentication with #Breeze, #Fortify or #Jetstream
🗝️ Store passwords securely using #Bcrypt or #Argon2 hashing algorithms
🔑 Secure environment variables and force #HTTPS in production environments

Uckermark MacGyver :nonazi: maxheadroom@hub.uckermark.social
2025-05-23

@thinkberg this page is gold. Pity that the #bcrypt one doesn't have a reference

Felix Palmen :freebsd: :c64: zirias@bsd.cafe
2025-05-04

@jadi This "#OpenBSD is secure!" claim always annoyed me a lot, mainly because it doesn't tell anything: #Security in IT can only ever be defined in a context of #threat models. Without that, it's meaningless. Somewhat recently, I discovered this:

isopenbsdsecu.re/

I should warn it uses some sarcasm and other confrontative language in some parts, unfortunately. But it seems to be a pretty professional analysis and assessment of (mostly) the "mitigations" OpenBSD provides in an attempt to counter "typical" attacks by at least making them harder.

I should also add that I consider this a very interesting and helpful read, and still consider OpenBSD a great project that came up with lots of great stuff (I recently used their #bcrypt code after doing some research on password hashing, for example). And I don't agree with every single criticism on that page either. I just think it's important to build assessments whether something "is secure" on a serious analytical foundation.

2025-05-02

This is... interesting. Apparently bcrypt truncates user-provided passwords at the 72-byte marker. I guess one way can be to "prehash" the password with an HMAC as suggested here:

soatok.blog/2024/11/27/beyond-

The other (simpler) approach would be to, like Go's x/crypto/bcrypt, just reject all user provided passwords > 72 bytes. It is not *great*, but it works and fails "safe". Now one wonders *why* this is not the default behavior of PHP's password_hash function...

#password #bcrypt #php
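
The two strategies named in the post above (reject input over 72 bytes, or prehash with an HMAC), as an added example that is not part of the original post and not code from any project it mentions. It prepares the bytes that would be handed to bcrypt without calling bcrypt itself; the function names, the demo key, the HMAC-SHA-384 choice and the base64 step are assumptions of this example.

```python
import base64
import hmac

BCRYPT_MAX_BYTES = 72  # bcrypt ignores every input byte past this point


class PasswordTooLong(ValueError):
    """Raised by the reject strategy for input bcrypt would truncate."""


def truncated(password: str) -> bytes:
    """What bcrypt effectively sees when handed the raw password."""
    return password.encode("utf-8")[:BCRYPT_MAX_BYTES]


def reject_if_too_long(password: str) -> bytes:
    """Fail-safe strategy: refuse anything over 72 bytes (not characters)."""
    raw = password.encode("utf-8")
    if len(raw) > BCRYPT_MAX_BYTES:
        raise PasswordTooLong(f"{len(raw)} bytes exceeds {BCRYPT_MAX_BYTES}")
    return raw


def prehash(password: str, key: bytes, digest: str = "sha384") -> bytes:
    """Prehash strategy: HMAC the whole password, base64 the tag for bcrypt.

    Base64 keeps NUL bytes out of the bcrypt input. The encoded tag must
    itself fit in 72 bytes, otherwise the prehash is truncated too.
    """
    tag = hmac.new(key, password.encode("utf-8"), digest).digest()
    encoded = base64.b64encode(tag)
    if len(encoded) > BCRYPT_MAX_BYTES:
        raise ValueError(f"{digest} tag encodes to {len(encoded)} bytes")
    return encoded


if __name__ == "__main__":
    key = b"constructed-demo-key"  # constructed; not a real secret
    a, b = "A" * 72 + "first", "A" * 72 + "second"  # constructed inputs
    print("raw inputs collide after truncation:", truncated(a) == truncated(b))
    print("prehashed inputs collide:", prehash(a, key) == prehash(b, key))
    print("prehash length:", len(prehash(a, key)))
```

A base64-encoded SHA-512 tag is 88 bytes, so `prehash(..., digest="sha512")` raises instead of feeding bcrypt a value it would cut short.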

2025-04-28

That feeling when you forgot your password but it's been a local install anyway so you just sqlite3 into the database and generate a new bcrypt with Ruby.

#bcrypt #Ruby #Sqlite

Felix Palmen :freebsd: :c64: zirias@bsd.cafe
2025-04-18

So, there we are: #swad has its second credentials checker module, using #password #files, partially #apache #htpasswd compatible (only #bcrypt, using #OpenBSD's code). 🥳

github.com/Zirias/swad/commit/

#C #coding

Felix Palmen :freebsd: :c64: zirias@bsd.cafe
2025-04-18

@lcheylus That's where I pulled from. Still took quite a while.

So, now, this looks kind of messy, but I *think* I can build #OpenBSD's unmodified #bcrypt code on several (many?) systems wrapping it like this 🙈

github.com/Zirias/swad/blob/ma

Felix Palmen :freebsd: :c64: zirias@bsd.cafe
2025-04-18

I need some advice: Is there a good portable and free (really free, not GPL!) #implementation of #bcrypt in #C around?

There's #OpenBSD source I could use, but integrating that would probably be quite a hassle...

Background: I want to start creating a second credential checker for #swad using files. And it probably makes sense to support a sane subset of #Apache's #htpasswd format here. Looking at the docs:
httpd.apache.org/docs/current/
... the "sane subset" seems to be just bcrypt. *MAYBE* also this apache-specific flavor of "iterated" MD5, although that sounds a bit fishy ...

2025-03-19

New version of #hashgen published.

Changelog:
v1.1.0; 2025-03-19
added modes: #base58, #argon2id, #bcrypt w/custom cost factor

forum.hashpwn.net/post/89

#hashgenerator #hashcracking #hashcat #hashpwn #cyclone #golang

2025-02-27

#TalesFromSupport

"Hello, I forgot my password. Can you send me my old one?"

No. And that's a good thing. 😅

#Passwort #Hash #bcrypt

Luboš Račanský banterCZ@witter.cz
2025-02-10

„The #bcrypt password hashing function should only be used for password storage in legacy systems where #Argon2 and scrypt are not available.“
cheatsheetseries.owasp.org/che #security #owasp
