Most Popular
1500 questions
56
votes
6 answers
Should sensitive data ever be passed in the query string?
Should sensitive data ever be passed via the query string as opposed to the POST request? I realize that the query string will be encrypted, but are there other reasons to avoid passing data in the query string, such as shoulder surfing?

C. Ross
- 1,418
- 3
- 13
- 16
56
votes
3 answers
Does open source "protestware" represent a security risk?
Since the beginning of the Ukraine-Russian war, a new kind of software was created, which is called "protestware".
In the best case, the devs only add some (personal) statements about the war or uncensored information to the repositories or when…

Manfred Kaiser
- 1,306
- 2
- 5
- 20
56
votes
10 answers
Is it really safe to use Signal or Telegram on untrusted phone hardware?
How safe are we when we use phone hardware from untrusted manufacturers and use end-to-end encrypted communication like Signal and Telegram? Are our conversations really safe from keyloggers or spyware? And what is the best option to communicate…

mech
- 587
- 1
- 4
- 5
56
votes
9 answers
Are randomly-generated passwords starting with "a" less secure?
I generated a password recently for a new account and the first three characters were "aa1".
After exhausting all other attacks, a cracker would start brute forcing. On the assumption they'd start from "a", my password of "aa1" would be cracked…

lynn
- 715
- 1
- 5
- 8
56
votes
5 answers
Is open-sourcing the code of a webapp not recommended?
How to find out what programming language a website is built in?
How much of a Django application could be reverse-engineered if the owner forgot to turn debug mode off?
And other Qs like these ^ .
Shortly: It would seem that at least in terms of…

gaazkam
- 5,657
- 11
- 24
- 38
56
votes
5 answers
How to recover a lost zip file password?
I have some files I was given by my teacher at University. I could chase him up, but I may as well try getting blood from a stone; his response rate isn't great, and I completed my degree a year ago!
They're pdf files stored inside password protected…

bluekeys
- 681
- 1
- 5
- 9
56
votes
2 answers
What is PKCE actually protecting?
I'm trying to get my head around how PKCE works in a mobile app and there's something I don't quite understand.
So from what I can gather the client app creates a random cryptographically secure string known as the code-verifier. This is then…

TommyBs
- 697
- 1
- 5
- 7
56
votes
11 answers
Why is it bad to connect internal systems to the Internet?
We have an intranet system we use to book, track and process invoices for our core business. My boss would like to move this system to the Internet to make it "accessible everywhere". However, I feel this is not wise. Are there some reasons that…

Toby Leorne
- 611
- 5
- 5
56
votes
7 answers
Can you hide a server's existence on the internet?
Would it be possible to appear as though a server doesn't exist? Is it possible to have all requests believe the host name could not be resolved unless a specific phrase was provided in the request? Is there some evidence of a server's existence that could…

Goose
- 1,384
- 1
- 11
- 17
56
votes
11 answers
Why are static password requirements used so frequently?
Wouldn't it be smarter to measure password entropy and reject low entropy passwords?
This would allow short passwords using the whole character set to pass, as well as long passwords only using parts of the character set.
Is the above scheme possible…

HopefullyHelpful
- 1,254
- 1
- 12
- 17
56
votes
5 answers
environment variable accessibility in Linux
Perhaps this is a trivial question, but how accessible are environment variables in Linux between different users?
e.g. if Alice executes
export FAVORITE_FOOD=`cat /home/alice/fav_food.txt`
Can Eve tell what's Alice's favourite food? (Assuming both…

Yoav Aner
- 5,329
- 3
- 25
- 37
56
votes
9 answers
How can empty USB sticks contain malware?
I read a BBC article about empty USB sticks containing malware:
Berlin-based researchers Karsten Nohl and Jakob Lell said a device that appeared to be completely empty could still contain a virus.
How can "empty" USB sticks contain malware?
Is…

Gruber
- 1,084
- 1
- 8
- 19
56
votes
13 answers
Is it possible to turn a computer into a bomb?
I know this newspaper article sounds absurd. Even if a machine is compromised, we (should) have hardware safeguards in all our devices to prevent the software from damaging the hardware. But is it possible to make a computer explode or catch fire?…

rook
- 47,004
- 10
- 94
- 182
56
votes
6 answers
Has a benefit been demonstrated for credit card machines asking for ZIP code?
In the U.S., many credit card machines at places like gas stations have started asking for your ZIP (postal) code to use a credit card ostensibly to help verify that you really are the cardholder, rather than the card being stolen. My question is…

reirab
- 2,693
- 1
- 13
- 21
56
votes
5 answers
Is using bcrypt on existing SHA1 hashes good enough when switching password implementation?
I'm working on improving a CMS where the current implementation of storing passwords is just sha1(password). I explained to my boss that doing it that way is incredibly insecure, and told him that we should switch to bcrypt, and he agreed.
My plan…

Alex
- 709
- 5
- 7