Develop Reference

basic authentication, when field user admits :

Is it possible to use basic authentication when the username and password fields do not make any restrictions on the type of characters to be used?
Example, could exist a user with the following values:
username: iamThe:User
password: My#Secure:Password
To convert to basic authentication:
concat username:password = iamThe:User:My#Secure:Password
convert to base64 and add to header Authorization: Basic aWFtVGhlOlVzZXI6TXlAU2VjdXJlOlBhc3N3b3Jk
How do I get back the username and password from the following field aWFtVGhlOlVzZXI6TXlAU2VjdXJlOlBhc3N3b3Jk? is there a solution for this?

Custom password hashing function for Cerberus SFTP server

I'm trying to migrate users from our legacy Cerberus SFTP server to a new AWS Transfer Family SFTP server. The problem is most of our Cerberus users have password based authentication and all I have access to is their one-way hashed password. Thus I'm trying to reverse engineer how Cerberus hashes it's password so I don't have to ask our 100+ customers to submit a new password to use or switch to a public key based authentication.
I came across this blog post that I think details how to do it but I can't seem to get it to work for some reason - https://support.cerberusftp.com/hc/en-us/articles/360000040039-Securely-Storing-User-Passwords.
Here are the steps I've taken so far -
created a user in Cerberus with a password of "asdf"
exported my collection of users to a CSV file
identified the hashed password from the export as follows -
{{PBKDF2 HMAC SHA256}}:5000:42ED67592D7D80F03BF3E2413EB80718C5DAFEB5237FC4E5E309C2940DF1DBB2A4ABD9BB63B8AD285858B532A573D9DE
attempted to write a Python script that could hash "asdf" to the same hash as shown above
Here is what my script looks like so far - https://replit.com/#ryangrush/sample.
import hashlib
import base64
password = b'asdf'
salt = b'sample_salt'
combined = salt + password
first = hashlib.pbkdf2_hmac('sha256', combined, b'', 5000)
combined = salt + first
second = hashlib.pbkdf2_hmac('sha256', combined, b'', 5000)
base_16 = base64.b16encode(second)
print(second.hex())
print(base_16)

The documentation must've been written before the v7.0 PBKDF2 HMAC functions were adopted. The salt and the password are now used just as described in the documentation for PBKDF2.
import hashlib
import base64
hashed_password_entry = '{{PBKDF2 HMAC SHA256}}:5000:42ED67592D7D80F03BF3E2413EB80718C5DAFEB5237FC4E5E309C2940DF1DBB2A4ABD9BB63B8AD285858B532A573D9DE'
entry_components_strings = hashed_password_entry.split(':')
password = b'asdf'
iterations = int(entry_components_strings[1])
salt_plus_hashvalue = base64.b16decode(entry_components_strings[2])
hash_len = 256 // 8
salt, hashvalue = salt_plus_hashvalue[:-hash_len], salt_plus_hashvalue[-hash_len:]
hashvalue_test = hashlib.pbkdf2_hmac('SHA256', password, salt, iterations)
print(hashvalue_test.hex())
the output is c5dafeb5237fc4e5e309c2940df1dbb2a4abd9bb63b8ad285858b532a573d9de which you can see matches the hashed value that is at the end of entry.

Can the password in HTTP Basic be optional?

I'd like to use HTTP Basic auth to do password-less authentication between trusted services in a private network. Is it acceptable to leave out the password field entirely when using Basic auth? Is there a better authentication mechanism I should research?

RFC 2617 defines them as
user-pass = userid ":" password
userid = *<TEXT excluding ":">
password = *TEXT
and * in the ABNF means "0 or more."
Meaning the userid and password can be empty, in which case : is encoded into Base64.

In HTTP Basic auth, the username and password are concatenated using a colon then encoded in base64 and the resulting header looks something like:
Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
The Basic part specified basic authentication and the second part is the base64 encoded token. It doesn't have to be a username/password combo, but can just be a username with a blank password, or a username alone. You just have to be aware of that when decoding the authorization header.

How to pass username and password in authorization field?

In unrealscript, I'm attempting to connect to server using a TCPLink client I wrote. I can connect to the domain, but when I attempt to access a welcome message I receive a 401 error. What am I doing wrong in my authorization field?
Note: username and password are plain-text string variables filled in by the user
SendText("GET /crud/welcome HTTP/1.0"$chr(13)$chr(10));
SendText("Host: "$TargetHost$chr(13)$chr(10));
SendText("Authorization: "$USERNAME$":"$PASSWORD$chr(13)$chr(10));
SendText("Connection: Close"$chr(13)$chr(10));
SendText(chr(13)$chr(10));

You may want to read RFC 2617.

advantage of md5+salt in asp.net application

I have a question about how to use md5 and a salt to secure a password, I have already made many searches for answers to my questions.
An article I saw was using c# to convert password to md5 string, something like this:
public static string md5(string <b>sPassword</b>)
{
System.Security.Cryptography.MD5CryptoServiceProvider x = new System.Security.Cryptography.MD5CryptoServiceProvider();
byte[] bs = System.Text.Encoding.UTF8.GetBytes(sPassword);
bs = x.ComputeHash(bs);
System.Text.StringBuilder s = new System.Text.StringBuilder();
foreach (byte b in bs)
{
s.Append(b.ToString("x2").ToLower());
}
return s.ToString();
}
}
My question is the above code seems server side is its mean password traveling over internet in plain text doesn't it create any security issue or it does not matter i don't know (may be i am getting it wrong way or i am not clear about password security concept) ?
What i have done in my project is i am creating a secure password at client side with java script md5.js file and with user's entered password before posting login.aspx form back to server then at server side i am fetching hashed password of user from database(which was stored at the time of registration of user with same technique) and match both client side and server side hashed passwords if they match user authenticated.
i don't know weather i am doing it right way or not please let me know right way if i am wrong .
Now the problem is i want to use SALT with the md5 (md5+salt) to make password more secure with Randomly generated salt string. how to do this should i make a random salt string at server side while page_load of login page and then send it to client side and at client mix this salt with user password before posting form. after post again mix the password(fetched from database) with same random string and match both password to authenticate.
One more question, at the time of registration of a new user, where should originally user entered password convert in md5 at client side or server side if at server side then password should post to server as it is means original password.(like "MyPassword")

Firstly you should be aware that SHA1 is now industry standard, but it's still fine to use Md5 for most things.
Secondly to stop plain text transmitting over the public network, use an HTTPS connection (you may need to purchase a certificate from a recognised vendor).
Also if this is for a user system, consider using ASP.net's membership system. It does this all for you and has been extensively reviewed.
The basic flow of what you describe anyway would be:
User enters password
Server generates random salt
Hashed password = md5(salt + raw password)
Store hashed password and salt along side username, dispose of raw
When user logs in, find the associated salt with the username login is being attempted for.
Is password valid = does md5(salt + entered password) = store hash?
If they do, login
Once they have logged in, it might be a good idea also to regenerate a new salt and hash. Also the md5() should be applied to the password thousands of times before storing to make a dictionary attack uneconomical.
There are plenty of resources out there that go into this in more detail.
Good luck!