Most Popular (1500 questions)
55 votes, 4 answers

Spectre/meltdown on a GPU

Are GPUs vulnerable to spectre/meltdown attacks, since they have most of what makes CPUs attackable? Is there any information in the VRAM, that would cause trouble if it was stolen?
Bálint
55 votes, 3 answers

Secret salts; why do they slow down attacker more than they do me?

When studying Dan Boneh's slides for 'Session Management and User Authentication' (2011) he mentions 'secret salts' on the slide 'Further defences' (slide 48 out of 58). He suggests to store in the database: Alice|SA|H(pwA, SA, rA) In which Alice…
harm
55 votes, 13 answers

Is it dangerous to use default router admin passwords if only trusted users are allowed on the network?

There are a lot of articles addressing the dangers of default router admin passwords. Certain security applications will also detect default router admin passwords as a vulnerability. However, these articles all focus on what could possibly happen…
Zsw
55 votes, 5 answers

Should I use CSRF protection for GET requests?

I've seen several blanket statements on the web to the effect that you don't need CSRF protection for GET requests. But many web applications have GET requests that return sensitive data, right? Then wouldn't you want to protect those against CSRF…
jtpereyda
55 votes, 9 answers

Why would security cover things like natural disasters?

I'm taking a course which is designed with the CISSP certification in mind. Though the class is categorized as software engineering, we talked a lot about physical security and, in particular, floods, fires, earthquakes and cars running into things.…
Celeritas
54 votes, 4 answers

Does read-only access to the database prevent SQL injection?

I have a web API that connects to my SQL Server using a read-only connection and want to allow tech savvy users of my API to enter an SQL WHERE clause on the querystring. I basically just want to tack what they enter onto the select statement. Does…
Aaron
54 votes, 1 answer

Why use an authentication token instead of the username/password per request?

The author of https://stackoverflow.com/a/477578/14731 recommends: DO NOT STORE THE PERSISTENT LOGIN COOKIE (TOKEN) IN YOUR DATABASE, ONLY A HASH OF IT! [...] use strong salted hashing (bcrypt / phpass) when storing persistent login tokens. I was…
Gili
54 votes, 5 answers

Should I disable HTTP HEAD requests?

I have seen increased 'HEAD' requests in my webserver access.log. What are these requests for? Should I disable this method in my webserver configs?
hnn
54 votes, 7 answers

Security risk of PING?

I have been told that PING presents a security risk, and it's a good idea to disable/block it on production web servers. Some research tells me that there are indeed security risks. Is it common practice to disable/block PING on publicly visible…
Mr. Jefferson
54 votes, 8 answers

You're an IT consultant. Should you discourage a client from telling you their password?

I'm an IT consultant. One client has known me for a few years. He wants me to do some work on his kids' laptop again. I'll need to log into his kids' Windows user account. (I'm guessing that multiple kids share one account.) This time, he wants to…
54 votes, 1 answer

Why does HTTP Basic authentication encode the username and password with base64?

RFC 2617 requires that in HTTP Basic authentication, the username and password must be encoded with base64. To receive authorization, the client sends the userid and password, separated by a single colon (":") character, within a base64 …
josh3736
54 votes, 1 answer

Is Django's built-in security enough?

I have learned that Django provides built-in protection against the three main types of web app attacks (SQL injection, XSS and CSRF), which is really awesome. Yet I have spoken to a few Django developers and they have essentially told me not to…
pleasedesktop
54 votes, 11 answers

Why did they stop adding a physical "write protect" mechanism?

Floppy disks used to have a physical means of preventing writing to them. No software could bypass that, no matter what. It had to be flicked physically and manually by a human being. Modern SD cards and SD card converters have a physical such…
Polnow
54 votes, 6 answers

If malware does not run in a VM why not make everything a VM?

There is a lot of malware that can detect whether it is running inside a VM or sandboxed environment and if such environment is detected it can conceal itself and not execute. So why not make everything a VM? Now all systems are safe! I know not…
Marcus
54 votes, 8 answers

How can we eliminate passwords given the problems with biometric authentication?

I've read articles suggesting that passwords will eventually go the way of the dinosaur only to be replaced by biometrics, PINs, and other methods of authentication. This piece claims that Microsoft, Google, and Apple are decreasing password…
pancake-house