Most Popular
1500 questions
74 votes, 8 answers
Is forcing users to use a strong password effective?
I am designing a service that would, among other things, store sensitive information. To ensure no unauthorized access to this information, it would be encrypted with a key derived from their password (PBKDF2). The password will be stored in a…

Stephan Heijl
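
Added example (not the asker's code and not from the original page): the derivation step the question describes, done with Python's standard library. One PBKDF2-HMAC-SHA256 run per user yields two independent halves, a key for encrypting the record and a verifier the server stores for login, so the stored value never equals the key that unlocks the data. The hash, iteration count and salt length are assumptions. The cost estimate at the end is why the password-strength question matters: an offline attacker who obtains the stored verifier pays the full iteration count for every guess, so the work is 2^entropy times the iteration count.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed parameters (not from the question): PBKDF2-HMAC-SHA256,
# 600k iterations, 16-byte random salt, 32-byte keys.
HASH_NAME = "sha256"
ITERATIONS = 600_000
SALT_LEN = 16
KEY_LEN = 32


def derive_keys(password: str, salt: bytes, iterations: int = ITERATIONS) -> Tuple[bytes, bytes]:
    """Return (data_key, login_verifier) from one password.

    A single PBKDF2 run produces 2 * KEY_LEN bytes.  The first half encrypts
    the user's sensitive record, the second half is stored server-side to
    check logins.  The two halves are independent PRF output, so the stored
    verifier does not reveal the data key.
    """
    material = hashlib.pbkdf2_hmac(
        HASH_NAME, password.encode("utf-8"), salt, iterations, dklen=2 * KEY_LEN
    )
    return material[:KEY_LEN], material[KEY_LEN:]


def enroll(password: str) -> Tuple[dict, bytes]:
    """What the service stores for a new user (salt, work factor, verifier)
    plus the transient data key used to encrypt the record right now."""
    salt = os.urandom(SALT_LEN)
    data_key, verifier = derive_keys(password, salt)
    record = {"salt": salt, "iterations": ITERATIONS, "verifier": verifier}
    return record, data_key


def check_login(record: dict, password: str) -> Optional[bytes]:
    """Re-derive; on a match hand back the data key so the record can be decrypted."""
    data_key, verifier = derive_keys(password, record["salt"], record["iterations"])
    if hmac.compare_digest(verifier, record["verifier"]):
        return data_key
    return None


def offline_guess_cost_seconds(password_bits: float, iterations: int, hmac_per_second: float) -> float:
    """Expected seconds for an attacker holding the stored verifier to exhaust a
    password space of 2**password_bits guesses.  Each guess costs `iterations`
    HMAC calls; hmac_per_second is the attacker's aggregate rate (assumption)."""
    return (2.0 ** password_bits) * iterations / hmac_per_second
```

Raising the iteration count buys a linear factor; each extra bit of password entropy doubles the attacker's work, which is the trade the question is really about.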
74 votes, 5 answers
Advantages and disadvantages of Stream versus Block Ciphers
Encryption algorithms such as Blowfish, AES, RC4, DES and SEAL are implemented in one of two categories of ciphers. What are the advantages/disadvantages of each type of cipher?

Eric Warriner
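
Added example, not from the post: a stream cipher's defining operation and its two classic failure modes, in Python's standard library. The keystream generator here is constructed for illustration (HMAC-SHA256 in counter mode, not a standardised cipher); real stream ciphers such as RC4 and SEAL, and block ciphers run in CTR mode, work the same way: a key and nonce are expanded into a pseudorandom string that is XORed with the plaintext. The functions show what that buys (no padding, ciphertext length equals plaintext length, random access by counter) and what it costs (reusing a key and nonce leaks plaintext XOR plaintext; unauthenticated ciphertext is bit-for-bit malleable).

```python
import hashlib
import hmac
import struct
from typing import Iterator


def keystream(key: bytes, nonce: bytes) -> Iterator[bytes]:
    """Toy keystream: block i = HMAC-SHA256(key, nonce || i).  Constructed for
    this example only; the structure (PRF over a counter) is what matters."""
    counter = 0
    while True:
        yield hmac.new(key, nonce + struct.pack(">Q", counter), hashlib.sha256).digest()
        counter += 1


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation): data XOR keystream.
    No padding is needed, so the output is exactly as long as the input."""
    ks = keystream(key, nonce)
    out = bytearray()
    for pos in range(0, len(data), 32):
        out += xor_bytes(data[pos:pos + 32], next(ks))
    return bytes(out)


def keystream_reuse_leak(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under the same (key, nonce): XORing them cancels the
    keystream and yields plaintext1 XOR plaintext2 with no key at all."""
    return xor_bytes(ct1, ct2)


def flip_plaintext(ct: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Malleability: XORing (old ^ new) into the ciphertext at `offset` makes it
    decrypt to `new` there, with no knowledge of the key.  Only authentication
    (a MAC or an AEAD mode) prevents this."""
    mask = xor_bytes(old, new)
    return ct[:offset] + xor_bytes(ct[offset:offset + len(mask)], mask) + ct[offset + len(mask):]


if __name__ == "__main__":
    key, nonce = b"\x01" * 32, b"\x02" * 12
    c1 = stream_encrypt(key, nonce, b"attack at dawn")
    c2 = stream_encrypt(key, nonce, b"attack at dusk")  # nonce reuse
    print("p1 ^ p2 recovered from ciphertexts:", keystream_reuse_leak(c1, c2))
    forged = flip_plaintext(c1, 10, b"dawn", b"dusk")
    print("forged decrypts to:", stream_encrypt(key, nonce, forged))
```

Both weaknesses are inherited by block ciphers in CTR mode, which is why modern designs (AES-GCM, ChaCha20-Poly1305) bolt a MAC onto exactly this construction and make the nonce a first-class input.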
74 votes, 2 answers
Minimum requirements for storing last 4 digits of credit card number?
We have a merchant website that uses Authorize.net's CIM and AIM. Our users may have multiple credit cards, so we'd want to give them the opportunity to distinguish between the credit cards that they use on the site. Currently we think about storing cardholder…

Andrei Botalov
74 votes, 4 answers
Did I participate in the recent DDoS attacks on Dyn's DNS service?
It was reported that the recent large-scale DDoS attack affecting multiple websites in the US was done by hacking tens of millions of devices and using them for the attack.
How can one, in general, know if one's devices were hacked and used in the/an…

Thomas
73 votes, 8 answers
Are powerline ethernet adapters inherently secure?
I have two Zyxel PLA407 powerline adapters. The router is downstairs, connected to one adapter; the other adapter is upstairs, about 30 feet away, connected to a desktop. I have a house, not an apartment or townhouse.
I've noticed the speed is much faster when I…

v15
73 votes, 7 answers
Preventing Ethernet over power
I'm an electrician doing a job at a secure site. The client is concerned that someone could plug an Ethernet over power (EOP) connection into the switch and then connect elsewhere in the building. Is this possible and if so, how can I prevent…

phil
73 votes, 2 answers
Diffie Hellman parameters still calculating after 24 hours
I have a fresh install of Arch Linux on a Raspberry Pi Model B. I'm setting up OpenVPN and using easy-rsa with OpenSSL 1.0.2d to generate initial keys and certificates. All went fine until I ran ./build-dh (script here). It was 24 hours later when I…

kgizdov
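
Added example (not from the question, and not easy-rsa's own code): what build-dh spends its time on. Behind the script, `openssl dhparam` searches for a safe prime p = 2q + 1 with both p and q prime, testing candidates with Miller-Rabin. The Python below reimplements that search with a seeded RNG so runs are reproducible, adds the checks a generated group should pass, and times the search at small sizes so the growth is visible. Function names, the 32-round choice and the sizes timed are assumptions.

```python
import random
import time
from typing import Optional, Tuple

# Odd primes below 1000 for cheap trial division before Miller-Rabin.
SMALL_PRIMES = [p for p in range(3, 1000, 2)
                if all(p % d for d in range(3, int(p ** 0.5) + 1, 2))]

_DEFAULT_RNG = random.Random(0)  # fixed seed: reproducible witness choices


def is_probable_prime(n: int, rng: Optional[random.Random] = None, rounds: int = 32) -> bool:
    """Miller-Rabin primality test.  With 32 random witnesses a composite
    survives with probability at most 4**-32 (round count is an assumption)."""
    rng = rng or _DEFAULT_RNG
    if n < 2:
        return False
    if n == 2:
        return True
    if n % 2 == 0:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_safe_prime(bits: int, seed: Optional[int] = None) -> Tuple[int, int]:
    """Search for p = 2q + 1 with q and p both prime (a 'safe prime').
    Returns (p, candidates_tried).  This loop is what makes build-dh slow:
    every q surviving trial division costs a Miller-Rabin run, and only a
    prime q earns a test of p, which must then be prime as well."""
    rng = random.Random(seed)
    tried = 0
    while True:
        tried += 1
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1  # odd, exactly bits-1 bits
        if not is_probable_prime(q, rng):
            continue
        p = 2 * q + 1
        if is_probable_prime(p, rng):
            return p, tried


def is_safe_prime(p: int) -> bool:
    return p > 2 and p % 2 == 1 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def subgroup_order(p: int, g: int = 2) -> int:
    """Order of g modulo a safe prime p.  It divides p - 1 = 2q, so it is
    1, 2, q or 2q; a usable DH generator must have order q or 2q."""
    q = (p - 1) // 2
    if g % p == 1:
        return 1
    if pow(g, 2, p) == 1:
        return 2
    return q if pow(g, q, p) == 1 else 2 * q


def timed_generation(bits: int, seed: int = 1) -> Tuple[float, int]:
    """(seconds, candidates tried) for one safe-prime search at `bits`."""
    start = time.perf_counter()
    _, tried = generate_safe_prime(bits, seed)
    return time.perf_counter() - start, tried


if __name__ == "__main__":
    # Candidates tried grow roughly with bits**2 (prime density falls as 1/bits,
    # and two primes are needed) while each modular exponentiation grows about
    # as bits**3, so the time climbs steeply with size.
    for size in (64, 128, 256):
        seconds, tried = timed_generation(size)
        print(f"{size:4d} bits: {tried:6d} candidates, {seconds:8.3f} s")
```

The same search at 2048 bits on a single slow ARM core is the hours-long run the question reports; it is CPU-bound, not waiting for entropy.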
73 votes, 4 answers
What clients are proven to be vulnerable to Heartbleed?
On several pages, it is reiterated that attackers can obtain up to 64K of memory from a server or client that uses an OpenSSL implementation vulnerable to Heartbleed (CVE-2014-0160). There are dozens of tools that reveal the bug in server…

Lekensteyn
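
Added example, not from the question: a Python model of the heartbeat handling that the CVE-2014-0160 fix changed, written so the unpatched and patched logic sit side by side. Both OpenSSL endpoints ran the same code path, which is why the bug is symmetric: a client processing a malicious heartbeat from a server leaks the same way a server does. The `memory` buffer is a constructed stand-in for the process heap, with the received record at its start and other allocations after it; the zero padding is an assumption (OpenSSL uses random bytes).

```python
import struct
from typing import Optional

TLS1_HB_REQUEST = 1
TLS1_HB_RESPONSE = 2
PADDING = 16  # OpenSSL appends 16 bytes of padding to every heartbeat


def heartbeat_unpatched(memory: bytes, record_len: int) -> Optional[bytes]:
    """The pre-1.0.1g logic of tls1_process_heartbeat(), modelled in Python.

    `memory` stands in for the heap: the received TLS record occupies
    memory[:record_len] and whatever was allocated next follows it.
    record_len is what the real code had in s->s3->rrec.length and never
    consulted: the payload length is read from the peer's own message and
    that many bytes are copied into the reply, running past the record.
    """
    hb_type = memory[0]
    (payload_len,) = struct.unpack(">H", memory[1:3])
    if hb_type != TLS1_HB_REQUEST:
        return None
    payload = memory[3:3 + payload_len]  # the over-read: up to 65535 bytes
    return bytes([TLS1_HB_RESPONSE]) + struct.pack(">H", payload_len) + payload + b"\x00" * PADDING


def heartbeat_patched(memory: bytes, record_len: int) -> Optional[bytes]:
    """Same handler with the two bounds checks added in OpenSSL 1.0.1g."""
    if 1 + 2 + PADDING > record_len:
        return None  # too short to hold type, length and padding: discard silently
    hb_type = memory[0]
    (payload_len,) = struct.unpack(">H", memory[1:3])
    if 1 + 2 + payload_len + PADDING > record_len:
        return None  # claimed payload does not fit in the record: discard silently
    if hb_type != TLS1_HB_REQUEST:
        return None
    payload = memory[3:3 + payload_len]  # now guaranteed to lie inside the record
    return bytes([TLS1_HB_RESPONSE]) + struct.pack(">H", payload_len) + payload + b"\x00" * PADDING


if __name__ == "__main__":
    secret = b"-----BEGIN RSA PRIVATE KEY-----"           # constructed neighbour on the heap
    record = bytes([TLS1_HB_REQUEST]) + b"\xff\xff" + b"hi" + b"\x00" * PADDING  # claims 65535, carries 2
    memory = record + secret + b"\x00" * 70000
    reply = heartbeat_unpatched(memory, len(record))
    print("unpatched leaked the secret:", secret in reply)
    print("patched reply:", heartbeat_patched(memory, len(record)))
```

The size asymmetry explains the "up to 64K" figure: the length field is 16 bits, so one request returns at most 65535 bytes, but nothing stops the peer from sending many of them.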
73 votes, 2 answers
JSON Web Tokens (JWT) as user identification and authentication tokens
I'm implementing a REST service that requires authentication. I cannot store any per-user state (such as a randomly-generated token) because my service does not have direct access to a database, only to another backend service.
The solution I came…

imgx64
73 votes, 3 answers
symmetric encryption session keys in SSL/TLS
This question concerns the session send and receive keys used in the SSL/TLS protocol. My understanding is that these keys use symmetric encryption (DES, AES, Blowfish, etc.). I'm wondering, if public-private key pairs are superior to symmetric keys…

lurscher
73 votes, 6 answers
Converting keys between openssl and openssh
If I use the following
openssl req -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.pem -nodes
I get private.pem and public.pem
If I use
ssh-keygen -t rsa -f rsa
I get rsa and rsa.pub
Is it possible to convert from the format of…

anshul
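
Added example (not the asker's commands and not part of the original page): the public-key half of the conversion in both directions, implemented with the standard library so the two formats are visible byte by byte. An OpenSSH `ssh-rsa` line is base64 over the RFC 4253 wire encoding (length-prefixed strings: key type, e, n); the OpenSSL side is a PEM-wrapped DER SubjectPublicKeyInfo holding an RSAPublicKey (n, e). The modulus used in the usage test is constructed, not a real key.

```python
import base64
import struct
from typing import List, Tuple

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # DER of OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _unsigned_be(x: int) -> bytes:
    """Big-endian magnitude with a leading 0x00 when the top bit is set.
    SSH mpints and DER INTEGERs encode non-negative values this way."""
    return x.to_bytes((x.bit_length() + 8) // 8, "big")


# ---- SSH wire format (RFC 4253 section 6.6) --------------------------------
def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _ssh_read_strings(blob: bytes) -> List[bytes]:
    out, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated ssh string")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        out.append(blob[pos + 4:pos + 4 + n])
        pos += 4 + n
    return out


def parse_openssh(line: str) -> Tuple[int, int]:
    """'ssh-rsa AAAA... comment' -> (e, n)."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    key_type, e_bytes, n_bytes = _ssh_read_strings(base64.b64decode(fields[1]))
    if key_type != b"ssh-rsa":
        raise ValueError("key type inside the blob does not match")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def encode_openssh(e: int, n: int, comment: str = "") -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_unsigned_be(e)) + _ssh_string(_unsigned_be(n))
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


# ---- DER / PEM SubjectPublicKeyInfo (what `ssh-keygen -e -m PKCS8` emits) ----
def _der_tlv(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:  # long form: 0x80 | byte count, then the count itself
        nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nb)]) + nb
    return bytes([tag]) + length + body


def _der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """(tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def encode_pem(e: int, n: int) -> str:
    rsa_pub = _der_tlv(0x30, _der_tlv(0x02, _unsigned_be(n)) + _der_tlv(0x02, _unsigned_be(e)))
    alg_id = _der_tlv(0x30, RSA_OID + b"\x05\x00")                     # rsaEncryption, NULL params
    spki = _der_tlv(0x30, alg_id + _der_tlv(0x03, b"\x00" + rsa_pub))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def parse_pem(pem: str) -> Tuple[int, int]:
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, spki, _ = _der_read(der, 0)
    tag_alg, alg, pos = _der_read(spki, 0)
    if tag != 0x30 or tag_alg != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    tag_bits, bits, _ = _der_read(spki, pos)
    if tag_bits != 0x03 or bits[0] != 0:
        raise ValueError("bad BIT STRING")
    _, rsa_pub, _ = _der_read(bits, 1)
    tag_n, n_bytes, pos = _der_read(rsa_pub, 0)
    tag_e, e_bytes, _ = _der_read(rsa_pub, pos)
    if tag_n != 0x02 or tag_e != 0x02:
        raise ValueError("RSAPublicKey must hold two INTEGERs")
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")


def openssh_to_pem(line: str) -> str:
    return encode_pem(*parse_openssh(line))


def pem_to_openssh(pem: str, comment: str = "") -> str:
    return encode_openssh(*parse_pem(pem), comment)
```

On the command line the same two conversions are `ssh-keygen -e -m PKCS8 -f rsa.pub` (OpenSSH line to PEM) and `ssh-keygen -i -m PKCS8 -f pub.pem` (a PEM public key, such as the output of `openssl rsa -pubout`, to an OpenSSH line); `ssh-keygen -y -f private.pem` prints the OpenSSH public line straight from a PEM private key. Note that the `public.pem` produced by `openssl req -x509` is a certificate, not a bare public key. For private keys, OpenSSH's own format (`-----BEGIN OPENSSH PRIVATE KEY-----`, the default in current releases) is not readable by OpenSSL; `ssh-keygen -p -m PEM -f rsa` rewrites the file as PKCS#1 PEM in place.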
73 votes, 3 answers
How to exploit HTTP Methods
Many security scanners like nikto, nessus, nmap, and w3af sometimes show that certain HTTP Methods like HEAD, GET, POST, PUT, DELETE, TRACE, OPTIONS, CONNECT, etc are vulnerable to attack.
What do these methods do and how can they be exploited?
I'm…

Digital fire
73 votes, 11 answers
How to securely dispose of a smartphone?
How do I dispose of a smartphone (it's an iPhone 5) at home? I was reading through this SE site's questions and found this one, which hardly applies here. Besides, I'd want to do it so that:
It's not damaging the ecology (at least not too much)
I don't…

Alma Do
73 votes, 8 answers
Is displaying remaining password retry count a security risk?
Some websites display a remaining password retry count when I input wrong passwords more than twice, for example displaying that there are 3 retries remaining until my account is locked out. Is this dangerous from a security perspective?

Ahmet Arslan
73 votes, 4 answers
Is SHA1 better than MD5 only because it generates a hash of 160 bits?
It is well known that SHA1 is recommended over MD5 for hashing, since MD5 is practically broken as a lot of collisions have been found.
With the birthday attack, it is possible to get a collision in MD5 with 2^64 complexity and with 2^80 complexity…

sudhacker
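
Added example, not from the question: the birthday bound the question quotes, made concrete. A generic collision search on an n-bit digest needs about 2^(n/2) evaluations whatever the hash's internal design, which is where the 2^64 versus 2^80 figures come from. The Python below runs that search on truncated SHA-1 digests (the code is added here, and the truncation width is an assumption so the search finishes in seconds) and reports the trial count against the bound; run with MD5 it gives the same count, which is the point: the structural break in MD5 is something this generic attack does not see.

```python
import hashlib
import math
from typing import Dict, Tuple


def truncated_digest(message: bytes, bits: int, algorithm: str = "sha1") -> int:
    """Leading `bits` bits of the digest as an integer."""
    digest = hashlib.new(algorithm, message).digest()
    return int.from_bytes(digest, "big") >> (8 * len(digest) - bits)


def birthday_bound(bits: int) -> float:
    """Generic collision work for an n-bit hash: about 2**(n/2) evaluations.
    128 and 160 give the 2**64 and 2**80 figures in the question."""
    return 2.0 ** (bits / 2)


def expected_trials(bits: int) -> float:
    """Sharper estimate: sqrt(pi/2 * 2**bits) hashes until the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def find_collision(bits: int, algorithm: str = "sha1") -> Tuple[bytes, bytes, int]:
    """Birthday search: hash distinct messages, remember each truncated digest,
    stop at the first repeat.  Returns (m1, m2, trials).  Memory grows with
    the trial count, which is the usual trade against a cycle-finding search."""
    seen: Dict[int, bytes] = {}
    trials = 0
    while True:
        message = b"msg-%d" % trials
        trials += 1
        d = truncated_digest(message, bits, algorithm)
        if d in seen:
            return seen[d], message, trials
        seen[d] = message


if __name__ == "__main__":
    for algorithm in ("md5", "sha1"):
        m1, m2, trials = find_collision(32, algorithm)
        print(f"{algorithm}: {trials} trials (expected ~{expected_trials(32):.0f}), "
              f"{m1!r} and {m2!r} share their top 32 bits")
```

The practical gap between the two is not the 16 extra bits of output: MD5 collisions are found with far less than 2^64 work by the differential attacks of Wang et al., and SHA-1 was itself broken in practice by SHAttered in 2017 at roughly 2^63 work, which is why neither is acceptable today where collision resistance matters.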