Most Popular

1500 questions
1275
votes
22 answers

XKCD #936: Short complex password, or long dictionary passphrase?

How accurate is this XKCD comic from August 10, 2011? I've always been an advocate of long rather than complex passwords, but most security people (at least the ones that I've talked to) are against me on that one. However, XKCD's analysis seems…
Billy ONeal
  • 2,688
  • 4
  • 16
  • 15
1269
votes
3 answers

How does SSL/TLS work?

How does SSL work? I just realised we don't actually have a definitive answer here, and it's something worth covering. I'd like to see details in terms of: A high level description of the protocol. How the key exchange works. How authenticity,…
Polynomial
  • 133,763
  • 43
  • 302
  • 380
931
votes
11 answers

How to securely hash passwords?

If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database, and not any other type of attack, such as…
AviD
  • 72,708
  • 22
  • 137
  • 218
870
votes
14 answers

What technical reasons are there to have low maximum password lengths?

I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites where I actually care about their security. I understand most people…
enderland
  • 8,011
  • 3
  • 13
  • 14
661
votes
4 answers

Do any security experts recommend bcrypt for password storage?

On the surface bcrypt, an 11 year old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based on the initialization function used in the NIST approved blowfish algorithm seems almost too good to be true.…
Sam Saffron
  • 6,695
  • 3
  • 14
  • 11
622
votes
23 answers

How does changing your password every 90 days increase security?

Where I work I'm forced to change my password every 90 days. This security measure has been in place in many organizations for as long as I can remember. Is there a specific security vulnerability or attack that this is designed to counter, or are…
Bill the Lizard
  • 6,771
  • 4
  • 21
  • 28
611
votes
7 answers

How to store salt?

If you expect to store user password securely, you need to do at least the following: $pwd=hash(hash($password) + salt) Then, you store $pwd in your system instead of the real password. I have seen some cases where $pwd contains the salt itself. I…
George
  • 6,297
  • 3
  • 14
  • 10
578
votes
3 answers

What's the difference between SSL, TLS, and HTTPS?

I get confused with the terms in this area. What is SSL, TLS, and HTTPS? What are the differences between them?
jrdioko
  • 13,071
  • 7
  • 30
  • 38
566
votes
20 answers

How can I explain SQL injection without technical jargon?

I need to explain SQL injection to someone without technical training or experience. Can you suggest any approaches that have worked well?
torayeff
  • 4,565
  • 4
  • 16
  • 15
557
votes
3 answers

Why can I log in to my Facebook account with a misspelled email/password?

I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account my email and password were autocompleted by my browser. Then I decided to misspell my…
aMJay
  • 3,645
  • 5
  • 11
  • 20
547
votes
11 answers

Is my developer's home-brew password security right or wrong, and why?

A developer, let's call him 'Dave', insists on using home-brew scripts for password security. See Dave's proposal below. His team spent months adopting an industry standard protocol using Bcrypt. The software and methods in that protocol are not…
nallenscott
  • 4,739
  • 3
  • 13
  • 8
537
votes
18 answers

Police forcing me to install Jingwang spyware app, how to minimize impact?

Chinese police are forcing whole cities to install an Android spyware app Jingwang Weishi. They are stopping people in the street and detaining those who refuse to install it. Knowing that I may be forced to install it sooner or later, what are my…
Citizen
  • 2,731
  • 3
  • 7
  • 6
503
votes
8 answers

RSA vs. DSA for SSH authentication keys

When generating SSH authentication keys on a Unix/Linux system with ssh-keygen, you're given the choice of creating a RSA or DSA key pair (using -t type). What is the difference between RSA and DSA keys? What would lead someone to choose one over…
jrdioko
  • 13,071
  • 7
  • 30
  • 38
472
votes
13 answers

Are passwords stored in memory safe?

I just realized that, in any language, when you save a password in a variable, it is stored as plain text in the memory. I think the OS does its job and forbids processes from accessing each other's allocated memory. But I also think this is somehow…
Antoine Pinsard
  • 4,647
  • 4
  • 16
  • 27
450
votes
14 answers

Is it bad practice to use your real name online?

On some accounts I use my real name on-line (Google+/Facebook/Wikipedia/personal blog), others (Q&A/Gaming) I use an alias. My question is: Security and privacy wise, what can people do with my real name? What are the dangers of using your real name…
blade19899
  • 3,621
  • 3
  • 13
  • 18
1
2 3
99 100