Most Popular
1500 questions
78
votes
4 answers
Is it generally a bad idea to encrypt database fields?
I work at a tiny company; it's literally me (the programmer) and the owner. The owner has asked me to encrypt several fields in a database to protect the customers' data. This is a web application that helps law firms manage their data, so basically…

Bhaskara
- 831
- 1
- 7
- 6
78
votes
4 answers
How long will it take to crack the passwords stolen in the Yahoo hack announced 14 Dec 2016?
Apparently Yahoo was hacked yet again with up to a billion user accounts being compromised. The article says Yahoo uses MD5 for password hashing.
Are the hackers likely to be able to crack the passwords too?
How long will it take to crack 1…

soadyp
- 895
- 2
- 7
- 11
78
votes
6 answers
Is face recognition a good security feature?
I found that this guy uploaded some face recognition code with a comment that he'd like to use it "as a security feature". This got me thinking: is face recognition a valid security feature, or is it "cool" but not a very effective way to secure…

MatthewRock
- 918
- 1
- 6
- 9
78
votes
7 answers
How to patch "keyless entry" car keys?
The German automobile club ADAC did a test with several cars which open doors and start the engine with a "keyless entry" system. You don't have to push a button on your car key. If you get near your car, key and car will recognise each other. If…

honze
- 1,106
- 1
- 9
- 19
78
votes
7 answers
Are there actually any advantages to Android full-disk encryption?
So, since Android 3, devices can perform boot-time, on-the-fly encryption/decryption of the application storage area (NOT the SDcard/removable storage) - essentially full-disk encryption. This requires a password/passphrase/PIN to be set as the…

scuzzy-delta
- 9,303
- 3
- 33
- 54
77
votes
5 answers
What layer is TLS?
TLS stands for "transport layer security". And the list of IP protocol numbers includes "TLSP" as "Transport Layer Security Protocol". These two things would lead me to believe that TLS is a transport layer protocol.
However, most people seem to…

Andrew Spott
- 922
- 1
- 7
- 8
77
votes
3 answers
How to publish scanned documents anonymously?
I was thinking of the following question for a long time and did not find a lot of material* in the web and nothing at all on Security.SE.
I think it's a very interesting question as it covers different anonymization measures (or counter measures to…

Robert
- 693
- 6
- 9
77
votes
6 answers
Is there a short command to test if my server is secure against the shellshock bash bug?
I did apt-get update; apt-get upgrade -y on all systems I'm running. I'm not sure if my /etc/apt/sources.list is good enough on all of these systems. I would like to quickly check each system again, ideally with a one-line shell command.
Does such a…

the
- 1,841
- 2
- 17
- 33
77
votes
1 answer
What is the difference between RBAC and DAC/ACL?
What are the benefits of each, and when should I choose one over the other? Are there situations where these should be merged?
Do you have examples of common usages?
And what about MAC, where does that fit in?

AviD
- 72,708
- 22
- 137
- 218
77
votes
4 answers
What is the purpose of (ab)using the redirect page of my website for dubious URLs?
My website has a redirect page with the format https://my.site/redirect?deeplink=https://foo.bar&...
The redirect is implemented in Javascript, so when you request the site, you get a 200 and some HTML + JS, not a 30X.
I recently started to notice…

Kirill Rakhman
- 833
- 1
- 6
- 9
77
votes
7 answers
Is it unsafe to show message that username/account does not exist at login?
According to the OWASP Auth Guidelines, "An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account."
However, I have…

styfle
- 888
- 1
- 6
- 9
77
votes
6 answers
Should I reject a CSR when the host emailed me the private key for SSL certificate request?
I just requested a CSR from my shared web hosting provider, to generate a certificate which I will send back to them to install. (The certificate itself is to be generated properly by an organisation I work for who can provide certificates for our…

scipilot
- 873
- 1
- 6
- 8
77
votes
9 answers
Is it theoretically possible to deploy backdoors on ports higher than 65535?
Assuming you were able to modify the OS/firmware/device for server/client to send and listen on ports higher than 65535, could it be possible to plant a backdoor and have it listen on, say, port 70000?
I guess the real question is this:
If you…

Jason
- 3,086
- 4
- 20
- 24
77
votes
10 answers
Why even use a one-time pad if the key distribution is fully secured?
I had a job interview yesterday where they asked what the only scenario where a one-time pad can be broken would be, my answer to which was "when the key distribution process is not secure enough".
They praised my answer, but they asked me another…

Riley Willow
- 1,129
- 9
- 10
77
votes
13 answers
Should I allow browsers to remember my passwords and synchronize them?
I wonder, how wise is it to allow Chrome and Firefox to a) remember the passwords and b) synchronize them? My gut tells me that if it's not a man in the middle who can intercept them, then Google and Mozilla themselves can see them on their servers or with…

Incerteza
- 2,207
- 3
- 16
- 22