Recovery authy 2fa tokens - recover

Looks like I forgot my backup password on authy for PC however, I can still access all my 2fa accounts on mobile authy for android. I want to know if it is possible to recover or reset my backup password to make it work on the computer again.
I did try to remove a 2fa account and set it up again from mobile authy but on pc, it still asks me to put the backup password to access it. please guide me what to do.

Authy developer evangelist here.
I'm afraid the backup password is used to encrypt your backups and is never saved anywhere by Authy. The password is needed to decrypt the backups and without it, you can't and there is no way to recover the password (if Authy had a copy of your password, we could access your codes).
To completely start again you will need to find where Authy Desktop saved your backups file and remove it. Then the app won't ask for the password to decrypt it. I don't know where that is though, as I'm on a Mac.

Related

I cannot login AD user when Mac is not on corporate network

I update the company mac to the new OS big sur. It was doing fine before the login but once the update was done, the AD user is not able to login once its not connected to the corporate network or if it is on outside network. It just keeps on asking to reset the password. But if it is connected to the corporate network, it works fine. Already check with the settings, all is check, like create a mobile login and all those stuff.
I had the same issue, to fix it I had to go into our Device Management site (AirWatch, though I've heard the same things from InTune and other management tools), and disable the "Password" profile. Once AirWatch synced again it allowed me to log in without the "Reset Password" prompt.
Other things I learned:
For the first couple of days I had this issue I was able to reset the SMC and it would allow me to log in until I disconnected from the VPN again (at night).
I was able to reset the password on local accounts (I have a local test account that would accept a new password but it had weird restrictions I had never set like not being dictionary words, being over 12 characters, etc. I had to use something like 1qaz#WSX3edc$RFV for it to work.
If I logged in as a local admin account I was still locked out from using my domain joined account to perform admin functions on the computer and make server connections, it didn't give me the change password prompt, just failed like I had the wrong password.
Just putting this here for people who have to defend their choices to the higher-ups:
On a corporate domain the Password profile being set manually for Mac is redundant as long as you have the profiles in your management suite set to not allow local account logins and the password requirements are set in AD. This forces you to login with an AD account and AD will enforce the password requirements.

Recover ansible-vault password in case password is forgotten

I am using ansible-vault to set password protect var/main.yml file.
Now I can push my source code in source control system. After that deploys in production server. Suppose somebody manipulate the password or forgot the password. Is there any way to recover ansible-vault
password or set the new password again without asking the old password?
Thanks in advance
Unless you brute force the password there is no way to recover it.
I suggest you use a password manager to store your password and share the password database within your organization. For example, you could store the password in a password service which has email or SMS reset option to recover the user account, though this might not be very good idea for high security environments.

Cant access remote app after domain password reset

I have a domain user that uses a remote desktop app. I recently reset his password via AD and although he can log in to his account he cant authenticate against the remote app anymore.
Ive checked the Remote app manager and cant see any settings for individual passwords there (dont think there is one?)
Hes setup as a remote desktop user and accesses the app through an .rdp file on his desktop..Any suggestions as to what this may be?
thanks,
I got the user to logout, reset their password and untick the 'change at next logon' requirement and log back in. This resolved their issue.

Require a login and password for writing in the FileZilla server, but not in the reading

I'm working on a android application that writes, in some parts, in a FileZilla server. In my code, I provide the login and password for the FileZilla so that the client could send some pictures and videos to it.
The client later on needs to read the FTP content (Display it), but for that purpose, he needs to enter the login and password, which I can't provide him otherwise he could write whatever he wants in my server.
Is there any way to require a login and password for writing in the FTP server, but not in the reading ??
You can setup two accounts on the server. One with read-only access, and one with write access. Provide the client with password to read-only account. Or you can allow even anonymous read-only access to the server.
EDIT: Also, be aware that it would not be a problem for a hacker to retrieve the hard-coded password from your Android application binary. Make sure you restrict the area, where the account can write to, ideally to a single folder only. You should also set disk quota for the account, so that the hacker cannot fill your server's disk. And you should definitelly monitor the writable folder for an unusual activity.

How Does Firefox's Software Security Device Protect Passwords?

Mozilla claims someone can sit at your computer and get your passwords for each site in 15 seconds. I learned while writing a Firefox extension for the first time that I could access any file in a users directory (given that it was owned by the user). If the passwords are decrypted and written somewhere in the users directory, then they are accessible during a session by a malicious extension or site that uses web code that may access a users directory. What is the process the Software Security Device uses in Firefox that ensures site passwords are really secure from such malicious code?
Decrypting passwords to the hard drive would be insecure because other processes could read them. Does the Software Security Device decrypt them to the users directory?
If not, then does the Software Security Device decrypt them only in ram? If so, then what are the possibilities of another application reading the application space of the Software Security Device?
Please describe.
Describing the process shouldn't be a secret, because secrets are an indication of vulnerability and weakness, instead a true secure method requires brute force to break. An open policy about the encryption process gives a wider audience, which increases the potential for more secure solutions.
I bring this up, because it's not described in the Software Security Device explanation or Master Password explanation on the Mozilla site, leaving me wondering if we are really secure using that feature.
The passwords are stored in the SQLite database signons.sqlite in user's profile directory. By default they are not really encrypted - extracting them from this file and "decrypting" is trivial. To have some security here the user has to define a master password (on the Security tab of the Firefox options), this one will be used to encrypt the passwords in the database. If that has been done then extracting passwords from signons.sqlite is non-trivial, one has to guess the master password.
But Firefox needs to decrypt the passwords to use them of course. If some browser code requests a password (via nsILoginManager) a master password prompt appears - the user needs to enter the master password to allow decrypting his passwords. The decrypted passwords are never written to disk but the browser (and any browser extensions) will be able to access them after that.
Firefox doesn't do anything to prevent extensions from accessing passwords because it would be pointless. The only way to prevent a malicious extension from getting to your passwords is to avoid installing a malicious extension in the first place. Even if nsILoginManager were not there, a malicious extension could still sniff on your communication with the web page when the password is transmitted. Or it could listen to what you type when asked for the master password. Or it could fake a master password dialog and get the master password directly. There are tons of possibilities - an application cannot possibly beat another application that is running with the same privileges.
PS: Software Security Device is for certificates, not passwords - entirely unrelated. But it uses the same master password, hence the confusing dialog.

Resources