Major actors are pushing for passwordless authentication in supporting FIDO2. Web browsers starts supporting WebAuthn, an API to support device authentication. Instead of using a username/password, you just need to connect a device such as a YubiKey. However, this authentication method is not very popular at the moment. So, you still have to deal with passwords for at least a few years 😦 And good…[read more]

There are lots of example of projects which contains secrets in the source code. A secret can be a password, a server configuration, tokens to connect to a server, a certificate, etc. You can search for "Remove password" on GitHub to find more than 400k commits. These secrets may be used for deploying the application or connecting to an external service. Note: If you discover a password in your code,…[read more]

There are 3 common ways to authenticate someone: Something you know, such as a login/password or security questions Something you have, such as a smart card, a cell phone, an ID, etc. Something you are, such as a fingerprint or other biometric methods In the previous posts, I've written a lot about authentication using passwords (Something you know). If you want to add more security, you must ask for a…[read more]

Many websites require users to log in to access their resources. From a user point of view, the login process can be complicated, and it's even more complex when there are multiple ways to authenticate: login/password or using a social provider (Microsoft, Google, Facebook, etc.). For instance, some users enter their Google credentials in the Username/Password form instead of clicking the Google button,…[read more]

I've written a lot about storing passwords in an application. This is the role of the developer to ensure there are no security issues in the storage of the passwords. However, this is the responsibility of the user to choose a password that won't be easy to break. I think you have all read this from xkcd: Creating a good password is not an easy task. And creating one different password for every website…[read more]

If you store your music files as flac and you own an iPhone or an iPad, you know your phone cannot read these files with the Music application… Indeed, Apple uses their own format to store music: ALAC. In order to play your music on your device, you need to convert the files from FLAC to ALAC. I haven't found a good guide for a free solution on the internet to do that, so I've made my own 😃 Note: If you…[read more]

In the previous post, we discovered how to store a password on Windows using the Credential Manager. Today, we'll see the other part of the API with allows the user to enter their password. This API allows asking for a username/password for a console application or a GUI application. Optionally, they can save the password in the Credential Manager, so the next time the passwords are read directly from the…[read more]

In the previous post, I wrote about storing a password in order to be able to authenticate a user. In this post the idea is to store a password on the local machine to avoid entering it every time. For instance, you don't want to always enter your credentials everytime you use OneNote. So, you need to save the password and be able to read it later. If you remind my previous post about cryptography, you…[read more]

Users are humans, so they have memory problems like everyone. Thus, they happen to forget their password from time to time. The purpose of this article is to show how to give them back access to your application. If it's not clear, the post is about what to do when a user clicks on the submit button on this page: ❌ Resend password by email If you are considering this solution, you are not storing…[read more]

A password is a very sensitive piece of information. It allows a user to authenticate on an application. You should not store it like any other data. We often see news indicating that passwords have leaked. This has happened to LinkedIn, Adobe, 500px and unfortunately many more. So you have to make sure that such incidents cannot happen in your applications. Indeed, you are responsible for your data. In…[read more]