passwords
password_exposed
passwords | password_exposed | |
---|---|---|
1 | 1 | |
202 | 215 | |
- | - | |
9.8 | 10.0 | |
3 days ago | almost 2 years ago | |
PHP | PHP | |
GNU Affero General Public License v3.0 | GNU Lesser General Public License v3.0 only |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
passwords
-
Nextcloud Hub 3/25 Known App Incompatibilities
Passwords: Clicking on the app does not give you your passwords listing. The sidebar populates properly but no passwords show up. Marius has stated that these are due to styling changes made in Nextcloud 25 and that he has nightly builds that fix it enough to get it working again, however not to expect a stable version with these fixes quite yet. The Chrome extension appears to continue working just fine. Keep track of what is going on here: https://github.com/marius-wieschollek/passwords/issues/534
password_exposed
-
What We Do in the /etc./Shadow – Cryptography with Passwords
> There's another end of all this that I also never see addressed in writeups like this one: lots of users are still really bad at passwords.
Author here.
I was originally planning to write a blog post about my experience reporting cryptography-related bugs to password managers in 2022. (I had findings for LastPass, 1Password, and Keeper.)
My experience with LastPass was abysmal. I wrote a thread about it here: https://furry.engineer/@soatok/109560736140669727
However, I found in my early draft that I spent a lot of time explaining these algorithms, so I decided to spin it off into a separate article. Thus, this post was conceived!
> Readers capable of implementing something like OPAQUE will already have a pretty good handle on most of what's written here. All other developers will just grab whatever "the" off-the-shelf solution is for their language and tech stack, and any recommendations for those are conspicuously absent here. What are the best resources for the most popular tech stacks currently? PHP introduced the password_hash() function (and related functions) in its standard library a while back. It defaults to bcrypt, and most php devs should probably just use those functions, unless they're sure they know better.
I tried to make the post a good balance of fun and informative, but the audience was "people who want to know more about cryptography with passwords" not specifically developers.
As you indicated, if you're developing something, the password_hash() / password_verify() API your language provides is likely 1000x safer than rolling your own anything. If there is to be improvements in the cryptography for a given programming language, it should be an update to whatever the de facto standard library is for that language.
PHP has the password extension built-in. Python has passlib. Node has the crypto module. Etc.
> For a while, some misguided sites tried to prevent people from pasting passwords into their login forms. I have never seen the inverse: a site that prevents users from typing a password. Is there a reason that wouldn't work?
I'm not confident in this, since it's 4:46 AM for me and I should probably be sleeping instead of reading HN comments, but isn't this exactly how Passkey is supposed to work?
Anyway, thanks for your insightful feedback. I already planned a teardown into the reverse-engineered internals of popular password managers and my experiences with them. Because of your comment, I might also make a future blog post targeting developers.
In the meantime, here's some cool stuff:
https://github.com/dropbox/zxcvbn - A reasonable approach to password strength estimation (although I think their calculation needs updating in 2023)
https://github.com/DivineOmega/password_exposed - Checks if a given password has been exposed in a previous breach (uses the HIBP hash database)
What are some alternatives?
workflow_kitinerary - Nextcloud application to automatically convert travel documents into calendar events using KDE itinerary project
random_compat - PHP 5.x support for random_bytes() and random_int()
health - Nextcloud health app
Password-Generator - PHP Library to generate random passwords
vaults - Password manager featuring client-side encryption, vaults, folders and more.
Matomo - Empowering People Ethically with the leading open source alternative to Google Analytics that gives you full control over your data. Matomo lets you easily collect data from websites & apps and visualise this data and extract insights. Privacy is built-in. Liberating Web Analytics. Star us on Github? +1. And we love Pull Requests!
Polr - :aerial_tramway: A modern, powerful, and robust URL shortener
zxcvbn - Low-Budget Password Strength Estimation
sysPass - Systems Password Manager
hn-search - Hacker News Search
Nextcloud - ☁️ Nextcloud server, a safe home for all your data