Most Popular
1500 questions
51 votes, 5 answers
Why do many websites hide input when entering an OTP?
I've noticed that on many sites, when they ask for a one-time password (OTP) (usually sent by SMS), the input is hidden in the same way as a password field is.
My understanding is that once an OTP is used, then it is no longer useful for…

Robin Salih
51 votes, 5 answers
Should the average user with no special access rights be worried about SMS-based 2FA being theoretically interceptable?
Security experts are constantly discouraging users from using SMS-based 2FA systems, usually because of worries the auth code could be intercepted by an attacker, either through a SIM swap or a MitM attack.
The problem I see with this statement is…

Nzall
51 votes, 4 answers
Is Diceware more secure than a long passphrase?
I recently investigated best practices with regard to passwords, and the overwhelming majority of sources recommended using a password manager. This is great advice, but not usable in every situation. Certain situations, such as OS login, Disk…
user163495
51 votes, 5 answers
What exploit are these user agents trying to use?
I just looked at my user agent tracking page on my site (archived on Yandex) and I noticed these user agents. I believe they are an attempt to exploit my server (Nginx with PHP). The 1 in front of it is just how many times the user agent was seen in…

Alexis Evelyn
51 votes, 13 answers
Is there a good way to store credentials outside of a password manager?
A lot of the users in my company are using their agendas to write down their passwords and usernames, or Excel sheets with a protected password. I'm hesitant to install software for password management after reading recommendations/feedback on them.…

Hajar Qh
51 votes, 4 answers
OAuth2 Cross Site Request Forgery, and state parameter
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-30#section-10.12 says:
The client MUST implement CSRF protection [...] typically accomplished by requiring any request sent to the redirection URI endpoint to include a value that binds the…

Markus von Broady
51 votes, 2 answers
Why is it possible to sniff an HTTPS / SSL request?
I'm new to the realm of HTTP requests and security and all that good stuff, but from what I've read, if you want your requests and responses encrypted, use HTTPS and SSL, and you'll be good. Someone in a previous question posted a link to this app…

bitmoe
51 votes, 10 answers
Confused about using a password that "would take centuries to break"
I am talking about this password - 23##24$$25%%26 and the similar ones consisting of special characters appearing in a pattern, which the users these days use a lot.
At work (finance company), I was creating a list of bad passwords that users should…

Batman
51 votes, 7 answers
VPN + HTTPS = 100% anonymous?
Let's say I visit Twitter using HTTPS and a VPN.
First, I know that HTTPS is end-to-end encrypted, so no one except Twitter can know what data is sent, not even the VPN provider. Second, I know that when I am using a VPN no one can know who is the…

uihiuh
51 votes, 3 answers
Security Review - password_hash implementation for PHP
I'm currently working on a "helper function" for PHP's core to make password hashing more secure and easier for the majority of developers. Basically, the goal is to make it so easy, that it's harder to invent your own implementation than to use the…

ircmaxell
51 votes, 8 answers
Is there a field length that is too short to allow harmful SQL injection?
I was reading about SQL injection and saw this, which got me thinking:
input fields as small as possible to reduce the likelihood of a hacker being able to squeeze SQL code into the field without it being truncated (which usually leads to a T-SQL…

James Jenkins
51 votes, 9 answers
Is it bad practice to use the GET method as login username/password for administrators?
I work on web applications and as you know, having an administrator panel is a must in most cases. We can see that a lot of web applications have a specific login page for administrators in which there is a form (usually POST method) that admins can…

Amirreza Nasiri
51 votes, 9 answers
If I include a Forgot Password service, then what's the point of using a password?
I've implemented a Forgot Password service in the following way:
User goes to login page, clicks on "Forgot password?"
User is presented with a form that asks for their email address.
Email is sent to given address if in the database, with a link…

ian
51 votes, 4 answers
Why submit a website to plaintext offenders?
I've read this question, and to quote from the accepted answer:
Besides that, by submitting the site to plaintext offenders, you will provide a third-party point of view, which might help your case.
But, isn't submitting a website to plaintext…

MrCodeWeaver
51 votes, 5 answers
Is it possible to detect security breaches as a user before they're announced?
I'm always concerned about the security of services I use. I'm even more concerned since security breaches have been happening more and more lately, and they always generate a lot of noise in the media.
Now I'm already trying to secure my accounts…

SEJPM