Most Popular

1500 questions
68 votes, 2 answers

What's the difference between HMAC-SHA256(key, data) and SHA256(key + data)

Is there anything different about how secure these two hashing algorithms are? Does HMAC "fuse" the data and the key in a special way that's more security-aware?
phillips1012
68 votes, 6 answers

Pattern to allow multiple persons to decrypt a document, without sharing the encryption key?

Current setup: We have a service that allows users to upload documents through a website and stores the uploaded documents encrypted on disk. The documents on disk are encrypted with a per-user key, which is randomly generated upon account creation.…
Monika
68 votes, 6 answers

How do some sites (e.g. online banks) only ask for specific characters from a password without storing it as plaintext?

I thought How can a system enforce a minimum number of changed characters... would answer my question, but it seems this is a different case. When I sign on to my online banking account, I'm prompted for three random digits from a four digit PIN,…
alexmuller
68 votes, 4 answers

How did the brute-forcers get my IP address so quickly?

This is probably a massive noob question, but Google results aren’t being helpful and I couldn’t find something specific here. I made this server that just hosts IRC, HTTP and SSH for some friends. I have done this sort of thing before, and to my…
Architect
68 votes, 21 answers

Lessons learned and misconceptions regarding encryption and cryptology

Cryptology is such a broad subject that even experienced coders will almost always make mistakes the first few times around. However encryption is such an important topic, often we can't afford to have these mistakes. The intent of this question…
makerofthings7
68 votes, 1 answer

Unusual mail headers show evidence of MTA attack. Have I been pwned?

Today I found an extremely unusual email in my catchall inbox, without subject, sender or content. My Gmail client for android reported the mail was sent by me, triggering a nuclear alert in my mind. I had fear that someone had guessed my robust…
usr-local-ΕΨΗΕΛΩΝ
68 votes, 5 answers

What is a YubiKey and how does it work?

How do YubiKeys work? Are there any alternatives? Here is a picture of one:
68 votes, 2 answers

What are the risks of not patching a server or hypervisor for Meltdown?

The patch for Meltdown is rumoured to incur a 30% performance penalty, which would be nice to avoid if possible. So this becomes a Security vs Performance risk-assessment problem. I am looking for a rule-of-thumb for assessing the risk of not…
Mike Ounsworth
68 votes, 9 answers

How secure is TeamViewer for simple remote support?

I'm deploying a web-based ERP system for a customer, such that both the server and the client machines will be inside the customer's intranet. I was advised in another question not to use TeamViewer to access the server, using more secure means…
mgibsonbr
68 votes, 8 answers

Am I experiencing a brute force attack?

When checking the auth log of a server with the command grep sshd.*Failed /var/log/auth.log | less, I see thousands of lines like this: Jan 12 11:27:10 ubuntu-leno1 sshd[8423]: Failed password for invalid user admins from 172.25.1.1 port 44216…
syldor
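Detection logic for the log lines in the question above, as an added example (not code from the original post or from any answer): it parses sshd "Failed password" lines in the format shown, groups failures by source IP, and flags a source when its failures cluster inside a short window, which is the signature of a password-guessing run rather than a user mistyping. The sample lines are constructed to mirror the question's format; the threshold and window are illustrative assumptions.

```python
"""Flag SSH brute-force sources from sshd auth.log lines.

A single user fat-fingering a password produces a handful of failures spread
over time; a brute-forcer produces many failures, often for many different
usernames, packed into seconds. Counting per source IP within a sliding
window separates the two."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both "Failed password for invalid user X from IP port N" (unknown account)
# and "Failed password for X from IP port N" (existing account, wrong password).
_FAILED = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_failures(lines):
    """Yield (timestamp, user, ip) for every failed-password line; skip all others."""
    for line in lines:
        m = _FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog timestamps carry no year
        yield ts, m["user"], m["ip"]

def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: {"attempts", "users", "burst"}} for every source with at least
    `threshold` failures inside some span of length `window`; `burst` is the
    densest such count. Threshold and window are assumed values, tune per site."""
    by_ip = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        times = [t for t, _ in events]
        best = start = 0
        for end in range(len(times)):            # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "attempts": len(events),
                "users": sorted({u for _, u in events}),
                "burst": best,
            }
    return flagged

# Constructed sample lines modelled on the format quoted in the question (not real data).
SAMPLE_LOG = """\
Jan 12 11:27:10 ubuntu-leno1 sshd[8423]: Failed password for invalid user admins from 172.25.1.1 port 44216 ssh2
Jan 12 11:27:12 ubuntu-leno1 sshd[8425]: Failed password for invalid user admin from 172.25.1.1 port 44220 ssh2
Jan 12 11:27:13 ubuntu-leno1 sshd[8427]: Failed password for root from 172.25.1.1 port 44224 ssh2
Jan 12 11:27:15 ubuntu-leno1 sshd[8429]: Failed password for invalid user test from 172.25.1.1 port 44230 ssh2
Jan 12 11:27:16 ubuntu-leno1 sshd[8431]: Failed password for invalid user oracle from 172.25.1.1 port 44234 ssh2
Jan 12 11:27:18 ubuntu-leno1 sshd[8433]: Failed password for root from 172.25.1.1 port 44240 ssh2
Jan 12 09:02:41 ubuntu-leno1 sshd[8001]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Jan 12 11:40:03 ubuntu-leno1 sshd[8510]: Failed password for alice from 10.0.0.5 port 50188 ssh2
Jan 12 11:41:00 ubuntu-leno1 sshd[8512]: Accepted publickey for alice from 10.0.0.5 port 50190 ssh2
""".splitlines()

if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['attempts']} failures, {info['burst']} within 10 min, users={info['users']}")
```

Run against a real file with `detect_bruteforce(open("/var/log/auth.log"))`. The distinct-user list is the other useful signal: a scanner walks a dictionary of account names (admin, root, test, oracle), while a legitimate user fails against one account.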
67 votes, 12 answers

Do we really need a long and complicated password for websites?

Most of websites that handle important information (Gmail, for instance) have some kind of brute force protection. Sometimes if you try more than X times it will lock the account or at least give you a captcha to solve. Currently all the security…
drpexe
67 votes, 6 answers

Four-factor authentication

I'm sure you've all heard of two-factor/multi-factor authentication. Basically it comes down to these factors: Knowledge - something you know (e.g. password, PIN, pattern) Possession - something you have (e.g. mobile phone, credit card,…
rink.attendant.6
67 votes, 13 answers

Storing KeePass database in cloud. How safe?

It certainly would be more convenient to store my KeePass database on either S3, Dropbox, or better yet SpiderOak. My fear is having my cloud storage account compromised then having the credentials recovered by either brute force or some other…
dperry1973
67 votes, 9 answers

Why isn't open WiFi encrypted?

As far as I understand, WiFi networks that require no password send traffic through the air unencrypted. Those that require a password encrypt each connection uniquely, even if they're all using the same password. If this is true, I don't understand…
Nathan Long
67 votes, 5 answers

What can an attacker do with Bluetooth and how should it be mitigated?

What are the security risks of Bluetooth and what technologies and best practices should be used to protect my device? What can an attacker do once a malicious device is paired with mine? Specifically Is it a good idea to remove & re-pair my…
makerofthings7