It's Quiz Time Activation Code [Password]
Karren Katon
I'm writing a small Python script which will periodically pull information from a 3rd party service using a username and password combo. I don't need to create something that is 100% bulletproof (does 100% even exist?), but I would like to involve a good measure of security so at the very least it would take a long time for someone to break it.
This script won't have a GUI and will be run periodically by cron, so entering a password each time it's run to decrypt things won't really work, and I'll have to store the username and password in either an encrypted file or encrypted in a SQLite database, which would be preferable as I'll be using SQLite anyway, and I might need to edit the password at some point. In addition, I'll probably be wrapping the whole program in an EXE, as it's exclusively for Windows at this point.
This one is the simplest, so it might be a good place to start. It's described well in the Twelve Factor App. The basic idea is that your source code just pulls the password or other secrets from environment variables, and then you configure those environment variables on each system where you run the program. It might also be a nice touch if you use default values that will work for most developers. You have to balance that against making your software "secure by default".
After looking though the answers to this and related questions, I've put together some code using a few of the suggested methods for encrypting and obscuring secret data. This code is specifically for when the script has to run without user intervention (if the user starts it manually, it's best to have them put in the password and only keep it in memory as the answer to this question suggests). This method isn't super-secure; fundamentally, the script can access the secret info so anyone who has full system access has the script and its associated files and can access them. What this does do id obscures the data from casual inspection and leaves the data files themselves secure if they are examined individually, or together without the script.
I recommend a strategy similar to ssh-agent. If you can't use ssh-agent directly you could implement something like it, so that your password is only kept in RAM. The cron job could have configured credentials to get the actual password from the agent each time it runs, use it once, and de-reference it immediately using the del statement.
There's not much point trying to encrypt the password: the person you're trying to hide it from has the Python script, which will have the code to decrypt it. The fastest way to get the password will be to add a print statement to the Python script just before it uses the password with the third-party service.
Note that the quiz is open by default. In other words, if no opening and closing date is specified, i.e. if the Enable check boxes are not checked, the quiz is accessible at all times. If only an opening date is specified, the quiz is available at all times after this date. If only a closing date is specified, the quiz is available at all times until that date.
If you select "There is a grace period..." then you can check the box to enable the "Submission grace period" and specify a period of time during which learners may still submit the quiz after the time is up.
If you're getting confusing error messages about a boundary being out of sequence (when it's obviously *in* sequence), or "boundaries must be between 0% and 100%" (and they are) -- check that the Maximum Grade for this quiz is set to something greater than zero.
This is very useful for schools where many students in many different groups wil have to answer the same quiz at different times and students have a tendency to share quiz passwords. You can set a different password and a different time frame for the quiz for each group and thus lower (a little) the risk of students cheating.
User overrides are very useful when you need one exception (or a few) for an activity. For example, one student will have a doctor appointment the same day all the group must sit for a summative test; you decide to give the student a chance to take the test one day before all students. Only that particular student will be able to open the quiz that day, using a quiz password that is different from the password that will be used for all the other students the following day.
This message warns you that although you have extended the "Cloze the quiz" time to 15:15 for the student, the quiz will in fact be inaccessible for him after 15:00 due to the Restrictions in the quiz settings. The only way for the student to access the quiz after 15:00 is to remove the "until" date restriction in the quiz settings or change it to "until" 15:15. (Note that there seems to be a bug that if a "from" date restriction in the quiz settings is not specified, the warning message in the override is not displayed.)
The time period settings for a quiz (such as time limit, submission grace period, autosave period and so on) can be set here with a duration of seconds, minutes, hours, days or weeks. These defaults will then be used when new quizzes are created.
When you registered for a personal my Social Security account, you identified either your email address or cell phone number as your second factor for authentication. Each time you sign in to your account, we send you a one-time security code to either the email address or cell phone number you provided when you registered for your account. You will need access to that second factor as you go through the steps to reset your account password.
Possible answer:
Sometimes they realize they loaned their account to a friend who couldn't remember his/her password, and the friend did the printing. Thus the charges. It's also possible that somebody came in behind them and used their account.
This is an issue with shared or public computers in general. If you don't log out of the computer properly when you leave, someone else can come in behind you and retrieve what you were doing, use your accounts, etc. Always log out of all accounts, quit programs, and close browser windows before you walk away.
One-time password (OTP) systems provide a mechanism for logging on to a network or service using a unique password that can only be used once, as the name suggests.
One-time passwords (aka One-time passcodes) are a form of strong authentication, providing much better protection to eBanking, corporate networks, and other systems containing sensitive data.
Robust authentication systems address the limitations of static passwords by incorporating an additional security credential, such as a temporary one-time password (OTP), to protect network access and end-users' digital identities.
I have heard from different people and in different places that if I send an encrypted file to someone else, I should send them the password in a separate email; but why? If someone is sniffing, they will capture both and if the inbox is compromised, they will capture both. But apparently, it's "best practice" to send it separately.
Take another case where the receiver's inbox is 'compromised'; when does the attacker actually steal the information? If an attacker steals the password and file immediately but it takes time to tie the two together, then the information may become obsolete and thus inactionable.
If you no longer have access to the device or email address where you receive your one-time verification code (for example, if you got a new phone or your email address changed), you can log in to your account by entering your usual email address and password.
Then, instead of entering the one-time verification code, enter your backup code. We gave you this backup code when you set up your USCIS online account. You would have seen an image like the one on the right. This is an example; not your real backup code.
Anytime you connect your case information to a new account. When you use ACCESS HRA, you can view your HRA cases or applications from the past 12 months by connecting your case or application information to your username. Once you connect to your case or application, you can always view the information again later by logging in with the same username. You'll need to use MFA if you forget your username and try to create a new one. Once you create a new account and connect to your case information, we will ask you where you want us to send your one-time code to make sure it's really you.
ACCESS HRA one-time passcodes are valid for 20 minutes. After 20 minutes, that specific one-time passcode is no longer valid, and the user must request a new one. There is no limit to how many codes a user can request, but after 5 unsuccessful attempts, users will need to wait 15 minutes before requesting a new code.
Probably more important than setting the reset-window time, is ensuring your ping their SMS or other '2nd factor' when resetting. This is important in case someone else is trying to reset to break in. Consider that you can ping their 2nd factor (e.g. SMS) interactively, so that if they respond with 'freeze', or similar, then then you can immediately disable the password reset code.
Whenever you sign in with your Apple ID on a new device or browser, you'll confirm your identity with your password plus a six-digit verification code. There are a few ways you can get a verification code. You can use the code displayed on your trusted device, get a text or phone call, or generate a code from your trusted device.
*The notification might include a map of the approximate location of the sign-in attempt. This location is based on the new device's IP address and might reflect the network that it's connected to, rather than the exact physical location. If you know that you're the person trying to sign in but don't recognize the location, you can still tap Allow and view the verification code.
Use the "Forgot your password?" link on the LaTAP welcome screen. Follow the online instructions to choose a new password. Upon completing these steps an email will be sent to your email address with a new authorization code that will be required the first time you use your new password. If you did not provide an email address when you registered for LaTAP the first time you will have to wait to receive the authorization code in the mail.
aa06259810