It seems there is a way to reset the Admin password for a ColdFusion installation. What are the potential pitfalls to be aware of before doing so?
Generally very few pitfalls to changing the password.
Changing the -- I'm assuming in your case -- only password for ColdFusion Administrator will have the following impact:
Prevent anyone else who has the password from accessing the Administrator (duh!)
Break any code that uses the adminapi to programmatically control datasources, mappings, etc.
The first is probably not much of a concern I'm assuming.
The second is probably only a small concern. Very few ColdFusion applications use the adminapi since it's easier to use the GUI admin! If you do a search on the code for "adminapi" you can find out if it will affect your applications.
Protecting against piracy when developing desktop applications through product keys, obfuscation, or similar client-side protections is pointless (plenty of stackoverflow posts regarding that). The only real way to prevent piracy is to create a client-server communication where important code is only on the server.
That's what I'm attempting to do with my software, require a login in order to authenticate requests to the server to process some data. Throw in an easy way to change the password and IP session tracking and it's pretty foolproof. However, now the user must enter a username and password when they want to use it, and they could enter someone else's credentials very easily.
Then the thought crossed my mind: what about embedding the username within the application when a user downloads the client software? Only a password would be required from the user's point of view, which speeds things up a bit. Yes, it's still possible to edit the program to someone else's username, but now it's less obvious.
So that's my question: are there any security risks or design flaws with having the username hard coded into the program? And secondly, how does one begin to implement the username embedding and C++ compilation on say... a Node.js server application?
Thanks for your time.
You're missing the point of server-hosted software, and that's this:
You always have control over the server. You never have control over the client.
So when you say:
the user must enter a username and password when they want to use it, and they could enter someone else's credentials very easily
What you really mean is:
When someone enters someone else's credentials what can I do?
The answer to that is to limit or cancel access for credentials depending on access patterns. If you see suspicious access, like coming from IPs in different countries, you may want to investigate and possibly ban the account.
You're not powerless here when you control the server. Lock people out if you must.
You also don't want to embed information in the executable because legitimate owners, your customers, will want to verify they downloaded the right file based on a cryptographic hash like SHA2. If you modify each file they can't do this, and every version looks "hacked".
Instead, if you must, create some kind of encrypted access or license file that can be supplied to the server and decrypted with a key that's only stored on the server. Sure, they can share that file with someone else, but you can identify the unauthorized access and handle it accordingly.
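The "limit or cancel access depending on access patterns" advice above, as an added example that is not part of the original answer: it runs over constructed login log lines (hypothetical format: timestamp, username, client IP, country code) and flags accounts that log in from more than one country, or from more than a threshold of distinct IPs, inside a one-hour window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format: ISO timestamp, user, IP, country).
SAMPLE_LOG = """\
2024-03-01T10:00:00 alice 203.0.113.5 US
2024-03-01T10:05:00 alice 203.0.113.5 US
2024-03-01T10:07:00 alice 198.51.100.7 DE
2024-03-01T11:00:00 bob 192.0.2.10 FR
2024-03-01T11:30:00 bob 192.0.2.11 FR
2024-03-01T11:45:00 bob 192.0.2.12 FR
2024-03-01T12:00:00 bob 192.0.2.13 FR
2024-03-01T13:00:00 carol 192.0.2.50 FR
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{2})$")


def parse(log_text):
    """Turn log lines into (timestamp, user, ip, country) tuples; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, ip, country = m.groups()
        events.append((datetime.fromisoformat(ts), user, ip, country))
    return events


def flag_accounts(events, window=timedelta(hours=1), max_ips=3):
    """Return {user: [reasons]} for accounts whose usage looks like shared credentials."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort()
        reasons = set()
        # Slide a window starting at each login and look at what else happened inside it.
        for t0, _, _, _ in evs:
            recent = [e for e in evs if t0 <= e[0] <= t0 + window]
            if len({e[3] for e in recent}) > 1:
                reasons.add("multiple countries")
            if len({e[2] for e in recent}) > max_ips:
                reasons.add("too many IPs")
        if reasons:
            flagged[user] = sorted(reasons)
    return flagged
```

Flagged accounts are candidates for investigation or a temporary lock, not an automatic ban; the thresholds are assumptions to tune per service.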
I'm writing a C++ desktop application that allows users to sign in to some web service. By technical requirements, the user can check a 'remember me' checkbox, and after they close the app and run it again, the app should re-sign in with the email and password the user entered the first time.
I know that it is not safe and strongly not recommended to store passwords on disk, but I have no idea how to remember the user's password in a safe way. Are there any best practices or advice for such a case?
Note: my application is for Windows/Ubuntu/MacOS so it will be cool to know about OS-independent ways. My app is C++11/Qt5.4 based.
The way that you're supposed to implement this kind of design is to issue the user a SessionID that is stored locally, and which is used to authenticate and access their specific interface. Then, if they wish to log in again at a later time, simply use the stored SessionID, and if they wish to log in as someone else, clear the SessionID and then log them in like normal, issuing a new SessionID. That way you aren't storing sensitive information on their computer.
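The server side of the SessionID design described above, as an added example that is not the answerer's or the poster's code; it is the same "server keeps the secret, client holds an opaque blob" pattern as the server-decrypted license file suggested in the earlier answer. The client stores only the returned token for "remember me"; the store keeps a hash of it with an expiry, and can revoke one session or all of a user's sessions.

```python
import hashlib
import secrets
import time


class SessionStore:
    """In-memory server-side session store (assumed design, not a specific framework's API)."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._sessions = {}  # sha256(token) -> {"user": ..., "expires": ...}

    @staticmethod
    def _digest(token):
        # Keep only a hash server-side so a leaked table cannot be replayed as tokens.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Create a fresh random session ID; the raw token goes only to the client."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        self._sessions[self._digest(token)] = {"user": username, "expires": now + self.ttl}
        return token

    def resolve(self, token, now=None):
        """Return the username for a valid token, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._sessions.get(self._digest(token))
        if entry is None:
            return None
        if now >= entry["expires"]:
            self.revoke(token)
            return None
        return entry["user"]

    def revoke(self, token):
        """Log out one client: forget its token (client should delete its copy too)."""
        self._sessions.pop(self._digest(token), None)

    def revoke_all_for(self, username):
        """Server-side kill switch: invalidate every remembered session of one user."""
        doomed = [k for k, v in self._sessions.items() if v["user"] == username]
        for k in doomed:
            del self._sessions[k]
        return len(doomed)
```

Because the client never holds the password after the first login, a stolen token can be invalidated with `revoke_all_for` without forcing a password change.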
I'm looking at scripting parts of my workflow, which involves interacting with some web-services via SOAP and XML-RPC queries. I'm scripting using bash and python.
I need to authenticate against these web services, and I'd ideally like to do so
without having to type in my password for every request (typing it once per login would be fine)
without hardcoding it in my scripts
without storing it in plain text anywhere on disk
in a way which isn't specific to one flavour of Unix
The OS X keychain (via the 'security' command) is one possible solution for the Mac OS X case, but there are issues with using it from a script as noted in a related question, and I'm hoping for a more general solution.
I'll have a go at answering my own question.
I could do either of these, or a combination of both:
Store the password in a file with 600 permissions on an encrypted partition
Store the password in a file encrypted with a passphrase, and read that passphrase into an environment variable interactively, once for every shell I'll be calling the script from
Combining these approaches seems sufficiently paranoid.
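An added example (not the poster's code) for the two options above: a loader that takes the secret from an environment variable set once per shell, and otherwise reads it from a file only after verifying the file really has owner-only (600) permissions and belongs to the current user. The encrypted-partition or passphrase-encryption step is assumed to have already produced that file; the variable name and path are assumptions.

```python
import getpass
import os
import stat


def check_private_file(path):
    """Raise PermissionError unless `path` is a regular file readable by its owner only."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if mode & 0o077:  # any group/other bit set means it is not really "600"
        raise PermissionError(f"{path}: mode {oct(mode)} is group/world accessible")
    if st.st_uid != os.getuid():
        raise PermissionError(f"{path}: not owned by the current user")
    return True


def load_secret(path, env_var="SERVICE_PASSPHRASE"):
    """Prefer a secret already in the environment; else read the 600 file; else ask once."""
    value = os.environ.get(env_var)
    if value:
        return value
    if not os.path.exists(path):
        return getpass.getpass(f"{env_var} not set and {path} missing; enter secret: ")
    check_private_file(path)
    with open(path, encoding="utf-8") as f:
        return f.read().strip()


def write_secret(path, value):
    """Create the file with 0600 from the first instant, so it is never briefly readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    os.fchmod(fd, 0o600)  # also tighten a pre-existing file with looser permissions
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(value + "\n")
```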
I'm trying to wrap my head around your architecture, so I'm not sure which thing you are trying to authenticate. Are you trying to:
- check the web service caller
- check the web service provider
- both
And is the thing being authenticated a human using a program or the server itself?
And do you have to pass the service calls around and authenticate them at multiple points or is this strictly point to point?
And what is your assessment of risk? What bad stuff is the authentication preventing?
If you do your proposed #1, your authentication problem moves from the message to the server - if your server is physically protected and your authentication credentials to the OS are "strong enough", you're probably decently protected in where you've stored the password.
I'm confused on #2 - if you are reading in the passphrase interactively, why not read in the password interactively and not store the password at all? If the passphrase unlocks the password, handling the passphrase should be as careful as if you are handling the password.
The bigger concern with any password is where is it going, and how is it protected along the way. Using passwords within the web service will be risky if you are sending your web service messages in the clear. Also where are passwords checked on the other end, and how are they distributed to the server for storage for #1 and #2? This is just stuff to consider for any password based authentication mechanism.
Also - how often should passwords be changed and do you have a procedure for it?
And how much do you repeat the password? If you have exactly one password shared across every machine, the risk is much higher than a different password for each server/script or user, since you can disable them one at a time.
Maybe a technique like ssh-agent.
I want to get the various user account passwords which are stored in my computer programmatically using Visual C++. Are there any APIs to help me do this?
There is no way to retrieve Windows passwords nor passwords to most other programs via Win32 APIs.
For Windows passwords you typically have to ask the user to enter their username/password and verify it, all by using LogonUser.
For other programs they are usually stored on disk encrypted by the host application.
This is most definitely not allowed on Windows.
Consider the consequences of letting any given program obtain passwords. That would mean that programs like Solitaire would be able to get your password and use it in any number of nefarious ways. Worse, the program could use the password to access other machines and resources.
In short, it would throw security out the window.
No. That would be a security hole. See this article.
It depends on what passwords you are trying to get.
Some passwords cannot be retrieved, like the Windows login passwords. Some other passwords are stored (plain or encrypted) somewhere on the disk or in the registry, depending on how the application stores them.
The Win32 API CredEnumerate, for example, can give you the user credentials (login and password) for some of the applications (Internet Explorer passwords, etc.).
You can only recover the hashed password, not the password itself.
I have no personal experience with this, but I was once told that there are utilities out there (usually found on .ru sites ;)) that will do this sort of job for you. And that it's appalling to see how this happens; it makes you paranoid. I can't, however, suggest a particular tool for doing this, but I would like to oppose all those that keep saying it's not possible.
Why don't people use CFLOGIN? I remember having problems with it with CF7 some months ago, but I couldn't remember what was wrong with it.
I use cflogin all the time and it works great. It can be a little tricky to get working the way you like, but the benefits are huge. Being able to fine tune your application with user roles takes care of the bulk of my rights based customization. There used to be some issues with session management that made it difficult to work with. Turning on j2ee sessions seems to make most of those issues go away.
Some of the popular frameworks are not compatible with cflogin, so that might be one reason you don't see a lot of it. They tend to have their own approach to securing application features.
I think a lot of people get frustrated with it because it is a little quirky and they give up on it. Others have more complicated security needs that aren't addressed completely by cflogin, so they wind up writing their own system. Specifically, there isn't an easy way to deal with rights by content asset.
The only issue I've had is with roles in CF8. It's brilliantly implemented, and a little cruel that it doesn't work as it quite should. Maybe in CF9.
In any event, building your own roles based system (assign the user a session variable with a comma separated list of access levels that the system can check against) isn't too hard to do and I got over it.
The one nice thing about cfLogin that is probably still worth using is how it ties into the Server monitor to see how many people are logged in, etc.
The point above about using the jsession is true, it's worth doing in all cf apps. One of the best things I dragged myself through to get working how I wanted it.
CFLogin is not used for 3 reasons.
First, it's a little touchy, a little strange, and doesn't work how many would think. You put some code here, and if a user isn't logged in it runs it... that's just odd, you know? It didn't help that there were some bugs early on, either.
Second, while it has the basic required security features for a web application, it doesn't go any further. You can't really extend it easily. Who's to say that's how everybody wants it?
Third, and most realistically, it's because people have already solved that problem. The problem area of securing an application, authentication and authorization has been thought out in the community long enough and most people know how to just do it. CFLogin is reinventing the door. It is too little, too late.
Now, that's not to say that no one uses it. I personally have used it a few times with basic success, but no reason to ring a bell. For most of my applications, it makes more sense to not use CFLogin. The problem domains are this way or that, and CFLogin doesn't always solve it in the most intelligent way.
Do keep in mind that CFLOGIN has a catch with Basic HTTP Auth where it can continue to send its UserID and Password even after you have called CFLOGOUT.
I know this has driven some advanced users away from it.
Here is an excerpt from LiveDocs:
Caution: If you use web server-based authentication or any form authentication that uses a Basic HTTP Authorization header, the browser continues to send the authentication information to your application until the user closes the browser, or in some cases, all open browser windows. As a result, after the user logs out and your application uses the cflogout tag, until the browser closes, the cflogin structure in the cflogin tag will contain the logged-out user's UserID and password. If a user logs out and does not close the browser, another user might access pages with the first user's login.
In my case (and I suppose for some other people too) the main reason is moving from another platform, say PHP. I mean that I've already got some knowledge and habits in ACL development and started using them in CF.
I know how to make it handy for user, flexible for developer and secure and don't really need to switch to cflogin.
Sometimes the same happens with other stuff; say, in most cases I prefer to implement client-side validation using my own JS instead of using cfform/cfinput.
Because it (still!) has serious bugs, like this one:
http://www.raymondcamden.com/index.cfm/2009/8/7/Watch-out-for-this-CFLOGIN-Bug