Most Popular
1500 questions
52
votes
6 answers
Why does one need a strong password on Unix?
SSH Server: I only allow public-key authentication.
Malicious Software: If it's running as my user it has access to my data and an internet connection, it's bad enough already. Yes, su access would make it worse, but the issue here is not password…

Alex
- 819
- 1
- 7
- 11
52
votes
3 answers
How do I test for SQL injection vulnerabilities on a site with input fields?
What methods are available for testing SQL injection vulnerabilities?

John S
- 621
- 1
- 6
- 3
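A minimal probe harness for the question above, added here as an example and not code from the original post. It stands up a constructed in-memory SQLite table, exposes the same login query in an injectable (string-formatted) and a parameterised form, and sends the classic test inputs (a lone quote, a tautology, a comment sequence) to each. The table, names and probe strings are all assumptions for illustration; the behaviour to watch for is the one a tester looks for on a real site: a probe that produces a database error, or that authenticates when the control input does not.

```python
import sqlite3

# Constructed in-memory database standing in for the site's user table
# (example data, not from the original question).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (name, password) VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    conn.commit()
    return conn

def login_vulnerable(conn, user, pw):
    """Builds the query by string formatting: the injectable pattern under test."""
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (user, pw))
    return conn.execute(query).fetchone()[0] > 0

def login_safe(conn, user, pw):
    """Same query with bound parameters; input never becomes SQL syntax."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (user, pw)).fetchone()[0] > 0

# Probe payloads a tester would type into the two input fields.
PROBES = {
    "baseline":     ("alice", "wrong-password"),   # control: must be False
    "single_quote": ("alice'", "x"),               # breaks the SQL -> error if injectable
    "tautology":    ("alice", "' OR '1'='1"),      # condition becomes always true
    "comment":      ("alice'--", "anything"),      # comments out the password check
}

def run_probes(login):
    """Return {probe_name: True / False / 'ERROR: <exception type>'} for a login function."""
    conn = make_db()
    results = {}
    for name, (user, pw) in PROBES.items():
        try:
            results[name] = login(conn, user, pw)
        except sqlite3.Error as exc:
            results[name] = "ERROR: " + type(exc).__name__
    return results

def is_injectable(login):
    """Heuristic verdict: a probe errors out or logs in although the control did not."""
    r = run_probes(login)
    return r["baseline"] is False and any(
        v is True or isinstance(v, str) for k, v in r.items() if k != "baseline")

if __name__ == "__main__":
    print("vulnerable:", run_probes(login_vulnerable))
    print("safe:      ", run_probes(login_safe))
```

Against a black-box site the same three signals apply: a 500 or database error page after a lone quote, a changed response (login success, extra rows, different page length) after a tautology, and a response identical to a valid input after a comment sequence. Time-based payloads cover the case where errors are suppressed, but the probe set above is enough to show the difference between the two implementations.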
52
votes
9 answers
Is the UK Parliament e-petition system trustworthy?
Over the last few days, I've been hearing often about the petition to (practically) "repeat" the Brexit referendum and I noticed that it is an online petition.
I noticed that the "sign petition" form just requires name, email address, and postcode,…

Matteo Umili
- 901
- 1
- 8
- 11
52
votes
6 answers
Am I at risk if I let someone charge their Android phone from my MacBook through a micro USB cable?
Someone connected their Android phone to my MacBook and it made me think if this has put my MacBook at risk.
It was for 3 seconds and I was in control of the MacBook the whole time.

Emanuil Rusev
- 681
- 1
- 5
- 8
52
votes
8 answers
Can an open Wi-Fi hotspot be considered "secure" when using a VPN connection?
There are many open Wi-Fi hotspots scattered around from cafes to airports.
I understand that a non-passworded Wi-Fi leaves traffic unencrypted and therefore available for hackers to read. I also know about a man-in-the-middle attack where the Wi-Fi…

User1
- 3,031
- 5
- 23
- 30
52
votes
5 answers
Teaching "Secure by Design"
I'm a Security Architect, and I'm used to defining the security of a project as a specification that gets carried out by others. I have been recently tasked with teaching new coders how to design and program using the principles of "Secure by Design"…

schroeder
- 125,553
- 55
- 289
- 326
52
votes
13 answers
Sequential identifying string that can't be reverse engineered (the "invoice number" problem)
Let's say I operate a website where you can create cat pictures. I give every cat picture a unique identifier so that it can be shared on social media with http://catpictures.com/base62Identifier.
I could give the cat pictures sequential identifiers…

Escher
- 603
- 5
- 8
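One standard answer to the "invoice number" problem is to keep the sequential integer in the database and publish a keyed permutation of it: the server can invert the mapping with its secret, but an outsider cannot tell from two public identifiers which was created first or how many exist. The block below is an added example, not code from the original question or from any real site; it builds a 64-bit keyed permutation as a balanced Feistel network with HMAC-SHA256 as the round function (standard library only, no format-preserving-encryption library needed) and encodes the result in fixed-width base62. The alphabet, round count, identifier width and the demo key are assumptions chosen for the example.

```python
import hashlib
import hmac
import struct

ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ROUNDS = 8          # Feistel rounds; 4 is the textbook minimum, 8 leaves margin
MASK32 = 0xFFFFFFFF
ID_WIDTH = 11       # 62**11 > 2**64, so every 64-bit value fits in 11 characters

def _round_fn(key, i, half):
    """Round function: HMAC-SHA256(key, round_index || half) truncated to 32 bits."""
    mac = hmac.new(key, struct.pack(">BI", i, half), hashlib.sha256).digest()
    return int.from_bytes(mac[:4], "big")

def _feistel(n, key, round_order):
    """Balanced Feistel network over a 64-bit value. Because the final half-swap
    is undone, running it with the round order reversed inverts it exactly."""
    if not 0 <= n < 1 << 64:
        raise ValueError("value outside the 64-bit domain")
    left, right = n >> 32, n & MASK32
    for i in round_order:
        left, right = right, left ^ _round_fn(key, i, right)
    return (right << 32) | left

def b62_encode(n, width=ID_WIDTH):
    out = ""
    while n:
        n, rem = divmod(n, 62)
        out = ALPHABET[rem] + out
    return out.rjust(width, ALPHABET[0])   # fixed width hides nothing extra, keeps URLs uniform

def b62_decode(s):
    n = 0
    for ch in s:
        n = n * 62 + ALPHABET.index(ch)     # ValueError on characters outside the alphabet
    return n

def public_id(counter, key):
    """Sequential database id -> opaque, fixed-width base62 string for the URL."""
    return b62_encode(_feistel(counter, key, range(ROUNDS)))

def internal_id(pid, key):
    """Inverse: the server recovers the row id with no lookup table.
    Strings that decode outside the 64-bit domain raise ValueError."""
    return _feistel(b62_decode(pid), key, reversed(range(ROUNDS)))

# Constructed demo key for the example; in production load a random 32-byte secret from config.
DEMO_KEY = b"catpictures-demo-key-not-for-prod"

if __name__ == "__main__":
    for row in (1, 2, 3, 1000):
        pid = public_id(row, DEMO_KEY)
        print(row, "->", pid, "->", internal_id(pid, DEMO_KEY))
```

Two caveats a practitioner would want stated: the permutation hides ordering and volume, but it does not authenticate the identifier, so a request for an arbitrary 11-character string still decodes to some integer and the server must look that integer up and 404 on misses; and if the key is ever rotated, every published URL changes, so treat the key like any other long-lived secret.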
52
votes
3 answers
How can I check that my cookies are only sent over encrypted https and not http?
I read a blog post GitHub moves to SSL, but remains Firesheepable that claimed that cookies can be sent unencrypted over http even if the site is only using https. They write that a cookie should be marked with a "secure flag", but I don't know how…

Jonas
- 5,163
- 7
- 33
- 35
51
votes
6 answers
Are there security issues with embedding an HTTPS iframe on an HTTP page?
I've seen websites placing HTTPS iframes on HTTP pages.
Are there any security concerns with this? Is it secure to transmit private information like credit card details in such a scheme (where the information is only placed on the HTTPS iframe form,…

Yahel
- 613
- 1
- 5
- 6
51
votes
1 answer
Short OpenPGP key IDs are insecure, how to configure GnuPG to use long key IDs instead?
Short OpenPGP key IDs (with 32 bits / 8 hex characters) are subject to collision attacks. It is strongly recommended to stop using 32 bit IDs:
Stop using 32bit key ids
It takes 4 seconds to generate a colliding 32bit key id on a GPU (using…

Jens Erat
- 23,816
- 12
- 75
- 96
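The configuration half of the question is two lines in `~/.gnupg/gpg.conf`, `keyid-format 0xlong` and `with-fingerprint`, both standard GnuPG options. What those options expose is shown in the added example below (not code from the original post or from GnuPG): for an OpenPGP v4 key the long key ID is the low 64 bits of the fingerprint and the short ID the low 32 bits, which is why a 32-bit ID can be matched in seconds while the 160-bit fingerprint cannot. The fingerprints in the keyring are constructed for the example and do not belong to real keys; two of them deliberately share a short ID.

```python
import re

def normalize_fingerprint(fp):
    """Accept 'gpg --fingerprint' style output (spaces allowed); return 40 hex digits."""
    fp = re.sub(r"\s+", "", fp).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fp):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return fp

def key_ids(fp):
    """v4 keys: long ID = last 16 hex digits (64 bits), short ID = last 8 (32 bits)."""
    fp = normalize_fingerprint(fp)
    return {"fingerprint": fp, "long": "0x" + fp[-16:], "short": "0x" + fp[-8:]}

def find_short_id_collisions(fingerprints):
    """Group a keyring's fingerprints by short ID; return only the ambiguous groups."""
    by_short = {}
    for fp in fingerprints:
        ids = key_ids(fp)
        by_short.setdefault(ids["short"], []).append(ids["fingerprint"])
    return {short: fps for short, fps in by_short.items() if len(fps) > 1}

# Constructed fingerprints (not real keys): the first two collide on the short ID.
KEYRING = [
    "0123 4567 89AB CDEF 0123  4567 89AB CDEF 1234 5678",
    "AAAA AAAA AAAA AAAA AAAA  AAAA 1111 1111 1234 5678",
    "FEDC BA98 7654 3210 FEDC  BA98 7654 3210 DEAD BEEF",
]

if __name__ == "__main__":
    for fp in KEYRING:
        print(key_ids(fp))
    print("ambiguous short IDs:", find_short_id_collisions(KEYRING))
```

Long IDs remove the trivial collision but are still only 64 bits, so the habit worth teaching is to verify and pin the full fingerprint; the key ID is a display convenience, not an identity.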
51
votes
5 answers
SSH key auth, but still need password for sudo?
SSH with public-private key authentication comes enabled by default with most Linux distributions. This is great because when I create accounts for remote users I don't have to email them sensitive info (passwords).
However, this process becomes…

Mxx
- 611
- 1
- 5
- 6
51
votes
3 answers
Is it better to have a camera hidden or visible?
Two years ago a professional gang broke into the Bureau de Change next door during the night. One of the cameras was a small IP camera which I had advised them to install as I thought an off-site recording would be a good thing. However, they were…

Ulkoma
- 8,793
- 16
- 66
- 95
51
votes
2 answers
Is "real salt" the same as "initialization vectors"?
In the question about real vs. fake salt, the answers describe how real salt 'perturbs the encryption algorithm.' I know roughly how initialization vectors work; is this the same concept, or something different entirely?

Bryan Agee
- 1,206
- 1
- 11
- 17
51
votes
9 answers
Can users make use of a password manager when banks tell them never to write passwords down?
Consider a user who wants to use a password manager for their banking passwords. Advice from banks usually says they should never write down their password. The user would be concerned about going against that advice, as it could mean their bank…

paj28
- 32,906
- 8
- 93
- 130
51
votes
5 answers
Are there any reasonable TrueCrypt forks?
Unfortunately, TrueCrypt may have been discontinued yesterday.
I use LUKS on Linux, but I liked the fact that with TrueCrypt I had a portable solution across Windows, Mac, & Linux.
TrueCrypt has its own license, but it was Open Source. Are you…

Michał Šrajer
- 4,154
- 4
- 18
- 21