Most Popular

1500 questions
40 votes, 8 answers

Isn't "Dave's protocol" good if only the database, and not the code, is leaked?

I've read "Is my developer's home-brew password security right or wrong, and why?", but there's still a question in my mind: Even if someone uses a bad, home-brewed security algorithm just like Dave, an attacker can't get the real password if the…
Rick • 1,037 • 1 • 9 • 24
40 votes, 2 answers

How should an application store its credentials

Context: When developing desktop applications, you will occasionally have to store credentials somewhere to be able to authenticate your application. An example of this is a Facebook app ID + secret, another one is MySQL credentials. Storing these…
Zar • 502 • 1 • 4 • 7
40 votes, 5 answers

How should source code security be checked?

How to check whether the source code of an open-source project contains no malicious content? For example, in a set of source code files with altogether 30,000 lines, there might be 1-2 lines containing a malicious statement (e.g. calling curl…
tonychow0929 • 2,257 • 3 • 14 • 14
40 votes, 6 answers

Is it safe to store 2FA tokens together with passwords in 1password?

I'm using 1password and I've seen 1password allows you to store 2FA tokens in the same place where you store the password. I don't like the idea of having everything in the same place, as if someone steals my 1password password they could access my…
Pau Chorro • 503 • 1 • 4 • 6
40 votes, 3 answers

How to safeguard physical keys stored in a fire dept. lockbox?

The workplace has a physical access key stored in a fire department lockbox (sometimes called a Knox Box). How is it possible to mitigate the risk that the Knox Box gets picked, or that an unauthorized key may exist? What could the local fire…
jth • 726 • 6 • 10
40 votes, 2 answers

ssh-keygen: What is the passphrase for?

When using ssh-keygen: What is the passphrase for? Why is it optional? What are the security implications of specifying (or not specifying) one? Below is an excerpt taken from a shell session (some details may have been altered): user@localhost:~$…
voices • 1,779 • 8 • 23 • 36
40 votes, 7 answers

Does password protecting an archived file actually encrypt it?

For example if I use WinRAR to encrypt a file and put a password on the archive how secure is it? I keep a personal journal and am thinking of doing this, or is there a better way? It's just one huge .docx file.
Celeritas • 10,187 • 24 • 85 • 148
40 votes, 6 answers

Which parts of a credit card can I obfuscate and still have it be valid

I was recently the victim of credit card fraud and I suspect it is from a merchant somewhere keeping track of my credit card details. I cancelled the card and received a new one, but I would like to make it as difficult as possible for criminals in…
8bitme • 503 • 1 • 4 • 6
40 votes, 1 answer

How does OpenSSL generate a big prime number so fast?

In order to generate a 2048 bit RSA key pair, you need to generate two big prime numbers with 1024 bits length. As far as I know, OpenSSL chooses a random 1024 bit number and starts looking for a prime number around it. How can OpenSSL check if the…
user167246 • 401 • 1 • 4 • 3
40 votes, 2 answers

How does RSA encryption compare to PGP?

On this answer, cjk says RSA and PGP are different. What you are essentially asking is how do I run my petrol car on diesel? The answer is you can't. I would be interested in a more detailed comparison between the two, why they are different, and…
makerofthings7 • 50,918 • 55 • 261 • 556
40 votes, 4 answers

Is demanding a "donation" before disclosing vulnerabilities black hat behavior?

We have been contacted by an "independent security researcher" through the Open Bug Bounty project. First communications were quite OK, and he disclosed the vulnerability found. We patched the hole and said "thank you", but declined to pay a…
Jacco • 7,672 • 5 • 33 • 54
40 votes, 8 answers

Why do password strength requirements exist?

Password strength is now everything, and they force you to come up with passwords with digits, special characters, upper-case letters and whatnot. Apart from being a usability nightmare (even I as a developer hate it when a website requires a…
Bozho • 1,223 • 1 • 11 • 12
40 votes, 3 answers

How do hacking groups register domains remaining anonymous?

Let's take lulzsec as an example; they registered lulzsecurity.com. There are two problems that I don't understand how they solved: They had to pay for it. Tracking down money is generally much easier than tracking down IP addresses. I assume they…
Andreas Bonini • 591 • 1 • 4 • 10
40 votes, 6 answers

Why is external access to a server via SSH considered insecure?

I recently had a conversation with my boss and an IT contractor that they use. My request to allow outside access to a machine on the network via SSH was denied on the grounds that SSH is insecure. I asked for an explanation and unfortunately did…
user142998
40 votes, 11 answers

Returning the wrong HTTP response code on purpose?

I'm writing a simple REST API, and I want to restrict access to my mobile-client only. In other words, I'm trying to prevent a malicious user from e.g. using curl to make an unauthorized POST request. Of course, this is impossible. However, there…
Miles • 511 • 1 • 4 • 6