I am using ansible-vault to password-protect the var/main.yml file.
Now I can push my source code to the source control system and after that deploy to the production server. Suppose somebody manipulates the password or forgets the password. Is there any way to recover the ansible-vault password, or to set a new password again without being asked for the old password?
Thanks in advance
Unless you brute-force the password, there is no way to recover it.
I suggest you use a password manager to store your password and share the password database within your organization. For example, you could store the password in a password service which has an email or SMS reset option to recover the user account, though this might not be a very good idea for high-security environments.
Related
I have a password manager that I'm implementing in Ruby. Encrypting the passwords is pretty easy thanks to OpenSSL, but I also need to ask the user for a master password, which is a password to view, change, and add passwords. Once the user enters their master password in, I intend for it to be encrypted and stored in the passwords file somehow. But OpenSSL encrypting and decrypting requires a password. For normal passwords, the key is the master password, so what should I make the encryption key for the master password?
Looks like I forgot my backup password on Authy for PC; however, I can still access all my 2FA accounts on mobile Authy for Android. I want to know if it is possible to recover or reset my backup password to make it work on the computer again.
I did try to remove a 2FA account and set it up again from mobile Authy, but on PC it still asks me to put in the backup password to access it. Please guide me on what to do.
Authy developer evangelist here.
I'm afraid the backup password is used to encrypt your backups and is never saved anywhere by Authy. The password is needed to decrypt the backups, and without it you can't, and there is no way to recover the password (if Authy had a copy of your password, we could access your codes).
To completely start again you will need to find where Authy Desktop saved your backups file and remove it. Then the app won't ask for the password to decrypt it. I don't know where that is though, as I'm on a Mac.
I am new to Maven and trying to understand the password encryption.
I have installed Maven and created the .m2 folder, and inside it settings.xml and settings-security.xml. In the settings I have proxies where I give the server password. And in settings-security I give the master password.
My question: what are this master password and server password for? I understand from the documentation that the passwords are encrypted and saved using the master password. My doubt is how the master password and server password work in a simple flow.
Can these passwords be random ones, or should they be a login password to the server?
Thank you.
I'm trying to figure out how Windows credential roaming is implemented. I have found that it will roam certs that have been strongly protected with a password (optional entropy to CryptProtectData()).
I can't see how this could be done unless Windows keeps a copy of the password somewhere when the cert is imported. Copying the files in %APPDATA%/Crypto/RSA{UserSID} to another machine would not work, as the keys are encrypted with the user's DPAPI master key and optionally a password.
Other than using ProcMon, I have no idea what else to try or look at in order to figure this out. Any pointers to help figure this out would be much appreciated!
CryptProtectData does a little something more that makes the whole thing possible.
DPAPI will generate a key for encryption. The DPAPI key will then be encrypted with another key derived from your password.
What is sent in credential roaming is the DPAPI key, not your password.
It is the same thing that also allows DPAPI to keep working (locally) when you change your password. Otherwise, Windows would have to track DPAPI-encrypted blobs stored everywhere (files, registry keys, etc.) to re-encrypt them to the new password-derived key. There are an infinite number of applications, making it impossible.
Instead, the key is in one well-known and well-hidden location, never seen by the user. Windows can easily re-encrypt the DPAPI key with the new password, shielding applications using it from password changes.
The same mechanism is also used by credential roaming to stay independent of the user's password.
This website has code to extract the SYSTEM account's DPAPI key, and some information about the structure; it might help you with debugging.
I want to encrypt passwords using the DPAPI like this
ProtectedData.Protect(plain, optionalEntropy, DataProtectionScope.CurrentUser);
and wonder if the domain administrator could decrypt the generated blob, as Using Passwords Effectively states:
    However, in a domain environment a domain administrator can safely change your password, and you'll still have access to your encrypted files.
It seems like the domain administrator would have to decrypt the data (or rather, the encrypted master keys) first, in order to be able to re-encrypt it using a different password.
The answer is yes, provided he also has access to the entropy key (if one is created), or if he is willing and capable enough to hack into the blobs (see links below).
For the master key in DPAPI (in CurrentUser mode), the Windows login username and password are used to generate the master key.
If the administrator updates the user's domain password, DPAPI will re-encode the master key for that user. The same goes if the user updates his password due to e.g. a monthly password change policy.
However, if he doesn't have access to the optional entropy key or the data that composes that key, the file will remain encrypted and all he will get is invalid data.
If DPAPI is used in CurrentMachine mode, the file can only be decrypted on the computer that encrypted it; however, the file will be readable to all accounts on that computer, again provided they can also muster the content of the entropy key.
A good repository for information is DPAPI Secrets and this paper on reverse-engineering DPAPI + a link to a tool that can recover data from DPAPI blobs.
Short answer: he probably can't right out of the box, but Domain Admin is powerful. There are many ways they can get to your key if they really want it.
Long answer: DPAPI encrypts your data with a key. IIRC, it uses AES with a key that changes every 90 days. The key is stored on your computer, encrypted with your password. That's the default, and it keeps your key out of reach of anyone but you.
Unless your domain admin remotely installs a key logger, steals your password, impersonates you and steals your key (or goes straight to the data, which he now sees in plain text).
Another somewhat less known fact is that when Credential Roaming is enabled on Active Directory, it will send your encrypted keys to a server. A domain admin could use that copy for an offline attack. But it is hard, and unless your data is very valuable, I wouldn't worry about it.
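The answers above describe the same layering: data is encrypted under a master key, the master key is wrapped under a key derived from the user's password, and a password change only rewraps the master key. That is also the answer to the earlier Ruby question about what key to use "for the master password": the master password is never stored or encrypted, it only derives the wrapping key. The following is an added example, not code from any of the posts or from Windows DPAPI itself; it is a small Ruby model of that design (PBKDF2 for the password-derived key, AES-256-GCM for wrapping and for data, optional entropy mixed into the data key with HMAC, all assumptions chosen for the illustration).

```ruby
# Added example: envelope encryption in the style of DPAPI.
# Layers: password --PBKDF2--> KEK --wraps--> master key --derives--> data key --encrypts--> blob
# Changing the password rewraps the master key; existing blobs are untouched.
require 'openssl'
require 'securerandom'

PBKDF2_ITERATIONS = 100_000 # assumption: tune to your hardware / threat model

# Key-encryption key derived from the password and a per-profile random salt.
def derive_kek(password, salt)
  OpenSSL::KDF.pbkdf2_hmac(password, salt: salt, iterations: PBKDF2_ITERATIONS,
                           length: 32, hash: 'sha256')
end

# AES-256-GCM seal/open helpers; the label is bound as associated data.
def aead_seal(key, plaintext, label)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
  cipher.key = key
  iv = cipher.random_iv
  cipher.auth_data = label
  ct = cipher.update(plaintext) + cipher.final
  { iv: iv, ct: ct, tag: cipher.auth_tag }
end

def aead_open(key, blob, label)
  cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
  cipher.key = key
  cipher.iv = blob[:iv]
  cipher.auth_tag = blob[:tag]
  cipher.auth_data = label
  cipher.update(blob[:ct]) + cipher.final # raises CipherError on wrong key or tampering
end

# A "profile" holds the salt and the master key wrapped under the password-derived KEK.
# The password itself is stored nowhere.
def create_profile(password)
  salt = SecureRandom.random_bytes(16)
  master_key = SecureRandom.random_bytes(32)
  { salt: salt,
    wrapped_master: aead_seal(derive_kek(password, salt), master_key, 'master-key') }
end

def unwrap_master(profile, password)
  aead_open(derive_kek(password, profile[:salt]), profile[:wrapped_master], 'master-key')
end

# Data key = HMAC(master key, optional entropy), modelling DPAPI's optional entropy:
# a blob protected with entropy cannot be opened without the same entropy.
def data_key(master_key, entropy)
  OpenSSL::HMAC.digest('sha256', master_key, "data-key|#{entropy}")
end

def protect(profile, password, plaintext, entropy = '')
  aead_seal(data_key(unwrap_master(profile, password), entropy), plaintext, 'data')
end

def unprotect(profile, password, blob, entropy = '')
  aead_open(data_key(unwrap_master(profile, password), entropy), blob, 'data')
end

# Password change: unwrap with the old password, rewrap with the new one.
# No data blob is touched, which is why the OS (or a roaming copy) stays independent
# of the password, and why the old password no longer opens anything afterwards.
def change_password(profile, old_password, new_password)
  master_key = unwrap_master(profile, old_password)
  new_salt = SecureRandom.random_bytes(16)
  { salt: new_salt,
    wrapped_master: aead_seal(derive_kek(new_password, new_salt), master_key, 'master-key') }
end

# Verifying a master password without ever storing it: try to unwrap.
def password_opens?(profile, password)
  unwrap_master(profile, password)
  true
rescue OpenSSL::Cipher::CipherError
  false
end

if __FILE__ == $PROGRAM_NAME
  profile = create_profile('correct horse')
  blob = protect(profile, 'correct horse', 'db-password: hunter2', 'app-entropy')
  rekeyed = change_password(profile, 'correct horse', 'battery staple')
  puts unprotect(rekeyed, 'battery staple', blob, 'app-entropy') # same blob, new password
  puts password_opens?(rekeyed, 'correct horse') # false
end
```

The two things to take from the model: the wrapped master key is the only secret that needs protecting at rest (which is exactly what a roaming copy or an offline attack on it targets, hence the advice above to use a strong password and, where supported, optional entropy), and a lost password means the master key, not the data, is what can no longer be unwrapped.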
The answer is yes. PoC utility with description: Vulnerability of DPAPI data protection in Win2K, Win2K3, Windows Server 2008, and Windows Server 2012
Works in Win Server 2016/2019 as well.