The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 2,726 other followers

Archive for the ‘Authentication’ Category

2fa.directory: public list of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.

Posted by jpluimers on 2022/05/09

List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software.

[Wayback/Archive.is] twofactorauth at 2fa.directory with GitHub sources at [Wayback/Archive.is] 2factorauth/twofactorauth: List of sites with two factor auth support which includes SMS, email, phone calls, hardware, and software..

Via: [Archive.is] Jilles🏳️‍🌈 on Twitter: “Ik gebruik custom e-mail accounts + 1Password/keepass en MFA; Yubikey, Authy, Authenticator. Geef geen eerlijk antwoord op googlebare security questions. En nog steeds ligt alles op straat. Tip: https://t2fa.directory … “

–jeroen

Read the rest of this entry »

Posted in Authentication, Power User, Security | Leave a Comment »

Bash functions to encode and decode the ‘Basic’ HTTP Authentication Scheme

Posted by jpluimers on 2022/02/24

IoT devices still often use the ‘Basic’ HTTP Authentication Scheme for authorisation, see [Wayback] RFC7617: The ‘Basic’ HTTP Authentication Scheme (RFC ) and [Wayback] RFC2617: HTTP Authentication: Basic and Digest Access Authentication (RFC ).

Often this authentication is used even over http instead of over https, for instance the Egardia/Woonveilig alarm devices I wrote about yesterday at  Egardia/Woonveilig: some notes about logging on a local gateway to see more detailed information on the security system. This is contrary to guidance in:

  • RFC7617:
       This scheme is not considered to be a secure method of user
       authentication unless used in conjunction with some external secure
       system such as TLS (Transport Layer Security, [RFC5246]), as the
       user-id and password are passed over the network as cleartext.
  • RFC2617:
       "HTTP/1.0", includes the specification for a Basic Access
       Authentication scheme. This scheme is not considered to be a secure
       method of user authentication (unless used in conjunction with some
       external secure system such as SSL [5]), as the user name and
       password are passed over the network as cleartext.

Fiddling with those alarm devices, I wrote these two little bash functions (with a few notes) that work both on MacOS and in Linux:

# `base64 --decode` is platform neutral (as MacOS uses `-D` and Linux uses `-d`)
# `$1` is the encoded username:password
function decode_http_Basic_Authorization(){
  echo $1 | base64 --decode
  echo
}

# `base64` without parameters encodes
# `echo -n` does not output a new-line
# `$1` is the username; `$2` is the password
function encode_http_Basic_Authorization(){
  echo $1:$2 | base64
}

The first decodes the <credentials> from a Authorization: Basic <credentials> header into a username:password clean text followed by a newline.

The second one encodes a pair of username and password parameters into such a <credentials> string.

They are based on these initial posts that were not cross platform or explanatory:

  1. [Wayback] Decode HTTP Basic Access Authentication – Stack Pointer
  2. [Wayback] Create Authorization Basic Header | MJ’s Web Log

–jeroen

Posted in *nix, *nix-tools, Apple, Authentication, bash, bash, Communications Development, Development, HTTP, Internet protocol suite, Linux, Mac OS X / OS X / MacOS, Power User, Scripting, Security, Software Development, TCP, Web Development | Leave a Comment »

SVB PGB and DigiD security suddenly logged you out every 15 minutes despite the count down counter indicating otherwise.

Posted by jpluimers on 2021/12/14

From a while back, so I hope it has been fixed by now on the SVB PGB site.

The Dutch SVB (sociale verzekeringsbank, the [WayBack] organisation that implements social security schemes in The Netherlands) has a web-site to submit declarations for PGB ([Wayback] individualised subsidy for care, or personal care budget).

Authentication for the site goes through DigiD, the identity provider through which government related web-sites can verify the identity of Dutch residents on the internet.

In from somewhere in the mid 2010s until somewhere in 2020, the SVB PGB site would log you out when the 15-minute inactivity count-down in the lower right of the screen would reach zero.

After that, the behaviour changed: you would be logged out 15 minutes after logon, forcing one to login way more often. Each logoff/logon cycle had these effets:

  1. loosing the data you entered on the current page
  2. a cost to SVB of about EUR 0.15 excluding VAT for the logon
  3. loss of time and convenience for the end-user

Note that due to site stability reasons in the years before, I already printed each web-page to PDF before submitting, as there was no way to use the “back” button to see what information you had entered.

That way at least I had the information at hand when re-entering the same information. It also provided me of a “paper” trail of site navigation and entered data.

That’s why I reported it early March 2021:

Read the rest of this entry »

Posted in Authentication, Development, DigiD, Power User, Security, Software Development, Web Development | Leave a Comment »

Kristian Köhntopp on Twitter: “Modaler Filter für Veloziraptoren… ” (0 factor authentication)

Posted by jpluimers on 2021/10/08

[WayBack] Kristian Köhntopp on Twitter: “Modaler Filter für Veloziraptoren… “

–jeroen

Read the rest of this entry »

Posted in Authentication, Power User, Security | Leave a Comment »

PassProtect – Chrome Web Store

Posted by jpluimers on 2021/01/25

[Archive.is] PassProtect – Chrome Web Store:

Stop using bad passwords. PassProtect alerts you about breached credentials. Powered by “Have I Been Pwned?”.

Interesting plugin. Will try this soon.

Via:

–jeroen

 

Posted in Authentication, Chrome, Firefox, LifeHacker, Power User, Security, Web Browsers | Leave a Comment »

 
%d bloggers like this: