Most Popular (1500 questions)
234 votes, 10 answers
Is there any reason to disable paste password on login?
Today I logged in to pay my cellphone bill, and I found that the site has disabled paste functionality in the password field.
I'm a webdev and I know how to fix this, but for a regular user it is REALLY annoying having to type a random password like…
IAmJulianAcosta (reputation 2,465; 3 gold, 15 silver, 18 bronze badges)
228 votes, 4 answers
Recommended # of iterations when using PBKDF2-SHA256?
I'm curious if anyone has any advice or points of reference when it comes to determining how many iterations are 'good enough' when using PBKDF2 (specifically with SHA-256). Certainly, 'good enough' is subjective and hard to define, varies by…
Tails (reputation 2,468; 3 gold, 14 silver, 10 bronze badges)
228 votes, 15 answers
Tracing the location of a mobile IP from an email
I'm a TV scriptwriter - and not hugely tech-savvy, so please bear with me...
If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service…
kjh03 (reputation 1,681; 2 gold, 9 silver, 5 bronze badges)
226 votes, 1 answer
How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?
I've been hearing more about the OpenSSL Heartbleed attack, which exploits some flaw in the heartbeat step of TLS. If you haven't heard of it, it allows people to:
Steal OpenSSL private keys
Steal OpenSSL secondary keys
Retrieve up to 64kb of…
user43639
224 votes, 9 answers
How should I distribute my public key?
I've just started to use GPG and created a public key. It is kind of pointless if no one knows about it. How should I distribute it? Should I post it on my profile on Facebook and LinkedIn? How about my blog? What are the risks?
Roger C S Wernersson (reputation 3,100; 4 gold, 19 silver, 12 bronze badges)
223 votes, 13 answers
Is there any reason to not show users incorrectly entered passwords after a successful login?
Our client has come up with the requirement that in case the username in question has had multiple failed login attempts, the incorrectly entered password(s) must be shown once a successful login is performed. Correctly entered information,…
RaunakS (reputation 2,043; 2 gold, 9 silver, 10 bronze badges)
221 votes, 9 answers
Best Practice: "separate ssh-key per host and user" vs. "one ssh-key for all hosts"
Is it better to create a separate SSH key for each host and user, or just use the id_rsa key for all hosts to authenticate? Could one id_rsa be malpractice for the privacy/anonymity policies?
having one ssh-key for all…
static (reputation 2,309; 2 gold, 12 silver, 7 bronze badges)
213 votes, 5 answers
What is a specific example of how the Shellshock Bash bug could be exploited?
I read some articles (article1, article2, article3, article4) about the Shellshock Bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the…
Rob Bednark (reputation 1,435; 3 gold, 10 silver, 9 bronze badges)
212 votes, 10 answers
What should you do if you catch encryption ransomware mid-operation?
You boot up your computer one day and while using it you notice that your drive is unusually busy. You check the System Monitor and notice that an unknown process is using the CPU and both reading and writing a lot to the drive. You immediately do a…
Fiksdal (reputation 3,097; 3 gold, 18 silver, 29 bronze badges)
211 votes, 4 answers
Is a rand from /dev/urandom secure for a login key?
Let's say I want to create a cookie for a user. Would simply generating a 1024 bit string by using /dev/urandom, and checking if it already exists (looping until I get a unique one) suffice?
Should I be generating the key based on something else? Is…
Incognito (reputation 5,214; 5 gold, 28 silver, 31 bronze badges)
208 votes, 7 answers
Does https prevent man in the middle attacks by proxy server?
There is a desktop client A connecting to website W in an https connection
A --> W
Somehow between A and W, there is a proxy G.
A --> G --> W
In this case, will G be able to get the certificate which A previously got from W?
If G can get the…
jojo (reputation 2,191; 3 gold, 13 silver, 4 bronze badges)
205 votes, 6 answers
How secure is 'blacking out' sensitive information using MS Paint?
I'm wondering if it's safe to black out sensitive information from a picture just by using Microsoft Paint?
Let's take in this scenario that EXIF data are stripped and there is no thumbnail picture, so that no data can be leaked in such a way.
But…
Mirsad (reputation 10,075; 8 gold, 33 silver, 54 bronze badges)
203 votes, 7 answers
How do mobile carriers know video resolution over HTTPS connections?
Verizon is modifying their "unlimited" data plans. Customers in the USA can stream video at 480p -or- pay to unlock higher resolutions (both 720p and +1080p). They are not the only mobile carrier to implement rules like this.
If I am on a site that…
raithyn (reputation 1,833; 2 gold, 8 silver, 10 bronze badges)
202 votes, 10 answers
How safe are password managers like LastPass?
I use LastPass to store and use my passwords, so I do not have duplicate passwords even if I have to register four to five different accounts a day, and the passwords are long.
How safe are password manager services like LastPass? Don't they create…
blended (reputation 2,841; 3 gold, 16 silver, 16 bronze badges)
201 votes, 4 answers
Is Plaid, a service which collects user's banking login information, safe to use?
I recently signed up for Privacy.com, which uses a service called Plaid to link a bank account. To do this, it requires the user to provide their banking username and password to a webpage from Plaid, not their bank. Then, Plaid accesses the…
gfrung4 (reputation 2,589; 3 gold, 8 silver, 8 bronze badges)