Firefox 3.5+ sqlite database for saved passwords - firefox

My goal is to actually import thousands of hostname/login/passwords into the sqlite database "signons.sqlite" . The table I believe I need is "moz_logins" .
For me this file is located at ~/.mozilla/RANDOM_STRING.default/signons.sqlite
I'm trying to figure out two things:
1) What is the encryption method used for encryptedUsername and encryptedPassword ?
2) What is the guid column/how are it's values created?
If the answer is somewhere along the lines of "You need to read the source code," that's fine, this task may be bigger than I imagined.
Any help would be appreciated.

Have you looked through http://kb.mozillazine.org/Password_Manager? There's a number of article links in it. The key should be in key3.db behind the master password, if needed. You'll need a way to handle the password.
Have a look at this post about the encryption.
Guid is some kind of unique ID, generated somehow :)
There are some backup/decryption etc programs available. Instead of rtfs of FF, you might have a look at those.

Related

How Facebook generate unique identifiers

I am looking for the way for generating unique identifiers for different business entities in project I am working on. Currently we are using GUIDs, but we want to move to number identifiers. I have worked with Facebook Graph API and figured out they have some kind of unique and self-contained (as I supposed) ids. But I could not find any information or assumptions in the Internet about how they generate this keys.
I formulated some minimum requirments for identifiers based on my suggestions and investigation of Facebook ids. Here they are:
It must be presented as long / Int64 value.
It must be unique in scope of whole system.
It must contains as minimum type of requesting entity (user, page, etc.). So that it gives possibility to create Ņonvenient API like GET {host}/{id}.
Does anybody have any experience or ideas how can this task can be solved? I guess there should be some existing solutions or specifications for it. If anybody has some suggestions it would be great to hear that.
Ok, the answer for me was Twitter Snowflake. Also you can find some interesting useful information here: Sharding & IDs at Instagram. Hope it helps somebody.

Password storing in 2017

So I'm working on my own website with my login system.
I am working on the password storing part and have been looking at a couple of youtube videos where peoples tell me not to use things like md5 because it's outdated.
I looked at the video Tom Scott made about how NOT to store passwords and he told us to look up a recent tutorial on how to do it properly.
For my project I really need to store the passwords myself and not use anything like Facebook or Google for logins.
I looked at a lot of websites and questions here on Stack Overflow but can't seem to find anything from this year where it is all explained.
So now I'm wondering what is the best way in 2017 to store passwords?
Do I need to use a Salt and a Pepper? Maybe something else? And which hashing algorithm is the best at this moment? If possible I'd like to use this within php.
Can anyone help me out with these questions?
Thank you :)
I assume that you just want to store passwords for user authentication, and you asked for a PHP solution explicitely, so the answer must be to use the PHP function password_hash(). This function is up to date and handles all the tricky parts of password hashing.
// Hash a new password for storing in the database.
// The function automatically generates a cryptographically safe salt.
$hashToStoreInDb = password_hash($password, PASSWORD_DEFAULT);
// Check if the hash of the entered login password, matches the stored hash.
// The salt and the cost factor will be extracted from $existingHashFromDb.
$isPasswordCorrect = password_verify($password, $existingHashFromDb);
If you are interested in more indept information, you could have a look at my tutorial about safely storing passwords.

Does anyone know what is the type of this hash?

My friend give me a oracle server 10g, And he's changeling me If I get the password for the DATABASE or change it using SH, The server will be mine
So I've try hard because this is the first time using oracle so when I looked at the server and explore its file I found hash password , Probably will lead me to the password, this file located in this path
Apache/modplsql/conf/dads.conf
And the hash that I found start with this symbol
# a PlsqlDatabasePassword #XXXXXXXXXXXXXXXX
the XXXXXXXXXXXXXXXX= Random letters and numbers
and its end with
==
At the beginning I thought it's sort of BASE64 Encode, And turned out to me its not
So my Question How can decode this hash? Can I get the password clearly?
also how can I modify the password of DATABASE (:
something else, I google it and some of them wrote that oracle web server 9g
using Encode64 .
Best Regard
Probably it's a one-way hash, which means you can't decrypt it.
If you're fortunate your pal won't have deleted the backup version of the dads.conf file (it'll be in the same directory, with a date in the name).
Otherwise, you're stuck in the position of anybody else trying to hack into a database. Guessing or brute force.

md5/hash on vb6?

I'm making a program that has a login. Is there any way to encrypt the normal password so that it can't be read in the data base? I've done a trick but I'm not content with it. What I did was to get the first, mid, and last char only and convert each char into ascii. Is there a way to convert all the text into ascii or something like md5/hash in php?
I'm really sorry about this thing, I haven't mentioned that my project is a VB6 project.
Don't use MD5 to store hashed passwords! See stuff like http://www.freerainbowtables.com/ for reasons why. MD5 is thoroughly broken... Check what you have available in VB6 (I'm hardly a VB6 guy ;-)) in the realm of cryptography. Something based on (salted) password-based encryption stuff is what you want, Google for "vb6 pbkdf2", I see a lot of hits there :)
I have been using a class by Phil Fresle for generating MD5 signatures for strings. You can copy and paste the source to create the class. To use it in your application I suggest storing the hash rather than the password. The class source code can be found here.

Image Upload Service - Image locations and Image Identifiers

I would like to create a image uploading service (yes, i am aware of imageshack, photobucket, flickr...etc) :)
I have seen only imageshack show the directory names ("img294", "1646") of where the image is located, in the same way - i would like to do this.
http://img294.imageshack.us/img294/1646/**jquerykd5**.jpg
1) Are there any security issues I should be aware if i take this implementation?
2) How do these sites come up with short unique identifiers ("kd5")?
Thanks all for any advice and help.
Well for starters, unless you would like the directory to be public, put dummy index.html files in there or just restrict access to public users for those directories.
As for the unique identifiers there are many ways of going about this... some of my favourite chunks of information to use:
UNIX time (if running a unix based server)
chunks of the md5 of the file
pseudo random numbers
piece of the original filename
With these and many other pieces of information at your fingertips it should be easy to prevent duplicate image names conflicting on your server as well, you can gather as many as you like and concatenate them into a string for the filename. The md5 can be placed in a database as well to aid in a method of duplicate image detection, which could save you disk space as well.
I can promise you they all use URL rewriting. This will help with security issues, too.

Resources