Most Popular
1500 questions
111
votes
5 answers
What should I do about Gmail ad asking me for password?
I just got a pop-up after having logged on to Gmail. It said it was from https://googleads.g.doubleclick.net and asked for username and password.
What should I do about this? Has anyone else seen this?
I did press cancel, nothing happened. The only…
morten
- 881
- 2
- 6
- 5
110
votes
7 answers
What is the difference between Federated Login and Single Sign On?
What is the difference between Federated Login and Single Sign On authentication methods?
c card
- 1,203
- 2
- 9
- 4
109
votes
5 answers
Should we store accesstoken in our database for oauth2?
I have a requirement to implement Facebook and Google login in my web application. I also need to access a user's Facebook/Google+ friend list.
I have gone through the complete OAuth2 documentation of Facebook and Google. I understood the basic…
Deepak Kumar Padhy
- 1,198
- 2
- 8
- 7
109
votes
8 answers
Why do I hear about so many Java insecurities? Are other languages more secure?
I really like the Java programming language, but I continuously hear about how insecure it is. Googling 'java insecure' or 'java vulnerabilities' brings up multiple articles talking about why you should uninstall or disable Java to protect your…
gsgx
- 1,225
- 2
- 12
- 13
109
votes
7 answers
Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?
Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in plaintext. Let me just directly quote him:
I'm the Chrome browser security tech…
brentonstrine
- 1,259
- 2
- 10
- 13
109
votes
10 answers
Should I change the private key when renewing a certificate?
My security department insists that I (the system administrator) make a new private key when I want a SSL certificate renewed for our web servers. They claim it's best practice, but my googling attempts have failed to verify their claim. What is the…
Commander Keen
- 1,193
- 2
- 7
- 6
109
votes
11 answers
"Username and/or Password Invalid" - Why do websites show this kind of message instead of informing the user which one was wrong?
Let's say a user is logging into a typical site, entering their username and password, and they mistype one of their inputs. I have noticed that most, if not all, sites show the same message (something along the lines of, "Invalid username or…
bobble14988
- 1,355
- 3
- 9
- 12
109
votes
8 answers
My school wants to keep the details of our door authentication system a secret. Is that a good idea?
So, I am designing a door authentication system (can't really go into more detail) for our school, so that only authenticated persons can go through a certain internal door. They hold that its inner working should be kept a secret, so that no one…
PyRulez
- 2,937
- 4
- 16
- 29
108
votes
5 answers
Can simply decompressing a JPEG image trigger an exploit?
The novel Daemon is frequently praised for being realistic in its portrayal rather than just mashing buzzwords.
However, this struck me as unrealistic:
Gragg's e-mail contained a poisoned JPEG of the brokerage logo. JPEGs were compressed image…
JDługosz
- 1,139
- 2
- 7
- 12
108
votes
6 answers
Why can't I MitM a Diffie-Hellman key exchange?
After reading the selected answer of "Diffie-Hellman Key Exchange" in plain English 5 times I can't, for the life of me, understand how it protects me from a MitM attack.
Given the following excerpt (from tylerl's answer):
I come up with two prime…
orokusaki
- 1,342
- 2
- 10
- 13
108
votes
4 answers
Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment?
It has become quite difficult to configure an HTTPS service that maintains "the ideal transport layer". How should an HTTPS service be configured to permit some reasonable level of compatibility while not being susceptible to even minor attacks?
TLS…
rook
- 47,004
- 10
- 94
- 182
108
votes
5 answers
What kinds of encryption are _not_ breakable via Quantum Computers?
There's the recent article NSA seeks to build quantum computer that could crack most types of encryption. Now I'm not surprised by the NSA trying anything1, but what slightly baffles me is the word "most" - so, what encryption algorithms are known…
Tobias Kienzler
- 7,658
- 11
- 43
- 68
108
votes
8 answers
Certificate based authentication vs Username and Password authentication
What are the advantages and drawbacks of the certificate based authentication over username and password authentication?
I know some, but I would appreciate a structured and detailed answer.
UPDATE
I am interested as well in knowing what attacks are…
Stefany
- 1,277
- 2
- 10
- 9
108
votes
15 answers
At what point does something count as 'security through obscurity'?
So, I keep finding the conventional wisdom that 'security through obscurity is no security at all', but I'm having the (perhaps stupid) problem of being unable to tell exactly when something is 'good security' and when something is just 'obscure'.
I…
root
- 1,547
- 3
- 12
- 20
108
votes
8 answers
Why refresh CSRF token per form request?
In many tutorials and guides I see that a CSRF token should be refreshed per request. My question is why do I have to do this? Isn't a single CSRF token per session much easier than generating one per request and keeping track of the ones…
Philipp Gayret
- 1,393
- 2
- 10
- 14