Most Popular
1500 questions
63 votes, 8 answers
My bank support just asked me for my online banking credentials
As title says, I was asked for my online banking password while in the process of getting in touch with a real person. This is something I'd never do and knowing that the call was being recorded (for further improvement of the bot I was talking to)…

sysfiend
63 votes, 4 answers
Why do mobile devices force user to type password after reboot?
Nowadays, many mobile phones have supported unlocking through fingerprint recognition. However, both iOS and Android require users to enter the password after the device is rebooted, even though an authorized fingerprint is given.
My question is:…

nalzok
63 votes, 1 answer
Why would I sign my git commits with a GPG key when I already use an SSH key to authenticate myself when I push?
Simply put, I am wondering why one would need to sign one's commits with a GPG key when contributing to GitHub when one is already required to provide an SSH public key?

Mahmoud Tantawy
62 votes, 12 answers
Is it good practice to send passwords in separate emails, and why?
I have heard from different people and in different places that if I send an encrypted file to someone else, I should send them the password in a separate email; but why? If someone is sniffing, they will capture both and if the inbox is…

Arlix
62 votes, 4 answers
Why was the private key of the Superfish certificate so easily extractable?
Robert Graham detailed on the Errata Security blog how he was able to get the private key of the Superfish certificate. I understand that attackers can now use this key to generate certificates of their own which will be signed by the Superfish…

bobby
62 votes, 8 answers
Why do browsers default to http: and not https: for typed in URLs?
When I type example.com without any scheme into the browser bar and press Enter it is interpreted as HTTP://example.com, not HTTPS://example.com. Why? And where are the plans to fix this?
(To be clear, I'm talking only about typed/pasted addresses…

Beni Cherniavsky-Paskin
62 votes, 7 answers
Asymmetric vs Symmetric Encryption
I am currently taking a Principles of Information Security class. While talking about different encryption methods, a large number of my classmates seem to believe that Asymmetric Encryption is better (more secure) than Symmetric Encryption. A…

matthew
62 votes, 12 answers
Is there ever a good reason _not_ to use TLS/SSL?
While writing an answer to this question on Server Fault, a thought that has been bouncing around my head for quite some time resurfaced again as a question:
Is there ever a good reason to not use TLS/SSL?
To further elucidate the question, I'm…

Naftuli Kay
62 votes, 6 answers
At what point does "hacking" become illegal? (US)
Hypothetical situation:
before I hire a web development company I want to test their ability to design secure web apps by viewing their previous client's websites.
Issue:
this situation raises a big red flag: with regards to viewing a website, what…

Moses
62 votes, 15 answers
Emergency method to erase all data off a machine within seconds
Imagine you are carrying highly sensitive information with you, maybe on a mission in a war zone. You get in an ambush and quickly need to erase all the files before they fall into the wrong hands. This has to happen within seconds.
What devices are…
user238815
62 votes, 3 answers
Security risks of fetching user-supplied URLs
We are considering adding the following feature to our web application (an online product database, if it matters):
Instead of uploading an image, the user can provide the (self-hosted) URL of an image. We store the URL instead of the image.
So…

Heinzi
62 votes, 4 answers
What is a threat model, and how do I make one?
I asked a question on what I need to do to make my application secure, when somebody told me:
That depends on your threat model.
What is a threat model? How do I make a threat model for my application?
user163495
62 votes, 4 answers
Is Bcrypt a hashing algorithm or is my study material wrong?
I'm currently studying for my Comptia Security+ exam and on a practice test online I got this question:
Or, represented as text:
▶ Which of the following are hashing algorithms? (Select all that apply)
----------------------------------
✔️ ☑️ …

treefidy
62 votes, 6 answers
Is there a reason why I should not use the HaveIBeenPwned API to warn users about exposed passwords?
There's lots of talk about the HaveIBeenPwned password checker which can securely tell users if their password appears in one of their known data dumps of passwords.
This tool has a publicly available API behind it which websites/apps/etc are free…

Toby Smith
62 votes, 3 answers
Website returning plaintext password
I have recently logged into a website. When I clicked on the "Update Profile" page, you are displayed with a list of text boxes for all the user fields, e.g. name, email, phone number etc.
There is also a box for password and confirm password (for…

stzvggmd