Most Popular (1500 questions)
297 votes, 7 answers

What's the rationale behind Ctrl-Alt-Del for login

Why is Ctrl+Alt+Del required at login on certain Windows systems (I have not seen it elsewhere, but contradict me if I'm wrong) before the password can be typed in? From a usability point of view, it's a bad idea as it's adding an extra step in…
Count Zero
296 votes, 6 answers

How does Google know where I am?

Whenever I open the Google Maps app on my Android mobile phone, Google always seems to know my location, and it is very accurate (usually it places me on the map even in the correct room). Also, this happens even if both WiFi adapter and GPS are…
MNLR
286 votes, 11 answers

Why shouldn't we roll our own?

Why shouldn't we create our own security schemes? I see a lot of questions around here about custom crypto and custom security mechanisms, especially around password hashing. With that in mind, I'm looking for a canonical answer, with the following…
Polynomial
281 votes, 3 answers

How did "tech-supportcenter" phishers trick Google?

Related: Is the Web browser status bar always trustable? How can Google search change the location in a URL tooltip? I've always thought you can "hover" over a link to see where it really goes, until today. A coworker (working from home) searched…
browly
281 votes, 3 answers

What are ssh-keygen best practices?

Most users would simply type ssh-keygen and accept what they're given by default. But what are the best practices for generating ssh keys with ssh-keygen? For example: Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5…
Tom Hale
270 votes, 7 answers

Password Hashing: add salt + pepper or is salt enough?

Please Note: I'm aware that the proper method for secure password storage hashing is either scrypt or bcrypt. This question isn't for implementation in actual software, it's for my own understanding. Related How to apply a pepper correctly to…
Jacco
268 votes, 7 answers

Should I use CSRF protection on Rest API endpoints?

Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints without discussing if it is actually necessary. …
Conor Mancone
267 votes, 4 answers

How does Google Authenticator work?

Google Authenticator is an alternative to SMS for 2Step verification, installing an app on Android where the codes will be sent. It works without any connectivity; it even works on plane mode. This is what I don't get. How is it possible that it…
user15194
262 votes, 7 answers

How do certification authorities store their private root keys?

Knowledge of a CA private key would allow MitM attackers to transparently supplant any certificates signed by that private key. It would also allow cyber criminals to start forging their own trusted certificates and selling them on the black…
lynks
260 votes, 11 answers

How to explain Heartbleed without technical terms?

Most of my friends who are not experienced in computers want to know what Heartbleed is and how it works. How would one explain Heartbleed to someone without a technical background?
user36976
259 votes, 12 answers

Why are hash functions one way? If I know the algorithm, why can't I calculate the input from it?

Why can't a password hash be reverse engineered? I've looked into this ages ago and have read lots on it, but I can't find the explanation of why it can't be done. An example will make it easier to understand my question and to keep things simple we…
Mucker
256 votes, 5 answers

Consequences of the WPA2 KRACK attack

Today new research was published on vulnerabilities in wireless network security called KRACK. What are the real-world consequences of these attacks for users and owners of wireless networks, what can an attacker actually do to you? Also is there…
Rory McCune
256 votes, 5 answers

Is the save button delay in a Firefox download dialog a security feature? What does it protect?

When I click to download a file through Firefox, a dialog window appears asking me whether I want to save the file somewhere or open it immediately once downloaded. The OK button in the dialog window starts disabled, and doesn't enable until the…
Numeron
255 votes, 8 answers

Why are salted hashes more secure for password storage?

I know there are many discussions on salted hashes, and I understand that the purpose is to make it impossible to build a rainbow table of all possible hashes (generally up to 7 characters). My understanding is that the random salted values are…
user40448
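Both this question and the salt-plus-pepper question above come down to the same two properties, shown here as an added example that is not part of the page: a per-user random salt makes identical passwords hash differently (so one precomputed table or one cracked row no longer breaks every user), and a site-wide pepper kept outside the database means a dumped users table cannot be attacked offline at all. PBKDF2-HMAC-SHA256 from the standard library stands in for the scrypt/bcrypt the question names so the code runs without dependencies; the storage format, the `PEPPER` constant and the iteration count are my choices.

```python
"""Added example (not from the page): what a salt and a pepper each buy you.
PBKDF2-HMAC-SHA256 from the standard library stands in for scrypt/bcrypt so this
runs without dependencies; the storage format, PEPPER and ITERATIONS are my choices."""
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed deployment secret: lives in an env var / KMS, never in the users table.
PEPPER = b"example-pepper-keep-out-of-the-database"
ITERATIONS = 200_000  # work factor; tune so one hash costs roughly 100 ms on your servers


def unsalted_hash(password: str) -> str:
    """The scheme salts replace: identical passwords give identical digests, so one
    precomputed (rainbow) table, or one cracked row, breaks every user sharing it."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  pepper: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Salt: random per user, stored beside the hash; it only needs to be unique.
    Pepper: one secret for the whole site, mixed in via HMAC before the KDF and kept
    out of the database, so a dumped table is useless without a second compromise."""
    salt = secrets.token_bytes(16) if salt is None else salt
    material = password.encode("utf-8")
    if pepper is not None:
        material = hmac.new(pepper, material, hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", material, salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, stored: str, pepper: Optional[bytes] = None) -> bool:
    """Recompute with the stored salt and iteration count, then constant-time compare."""
    _alg, iterations, salt_hex, _dk = stored.split("$")
    recomputed = hash_password(password, bytes.fromhex(salt_hex), pepper, int(iterations))
    return hmac.compare_digest(recomputed, stored)


if __name__ == "__main__":
    alice = hash_password("correct horse", pepper=PEPPER)
    bob = hash_password("correct horse", pepper=PEPPER)
    print("unsalted rows collide:", unsalted_hash("correct horse") == unsalted_hash("correct horse"))
    print("salted rows differ:   ", alice != bob)
    print("login ok:             ", verify_password("correct horse", alice, pepper=PEPPER))
    print("dump without pepper:  ", verify_password("correct horse", alice))
```

The salt is not secret, which is why it can sit in the same row as the hash; the pepper is, which is why losing it (or rotating it carelessly) locks every user out, and why it is usually applied through HMAC rather than concatenation so the KDF input stays a fixed-length value.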
254 votes, 4 answers

What is the difference between authorized_keys and known_hosts file for SSH?

I am learning the basics of SSH protocol. I am confused between the contents of the following 2 files: ~/.ssh/authorized_keys: Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the…
Ankit