Most Popular (1500 questions)

50 votes, 10 answers
Is an SSH key with a passphrase a 2FA?
This is a really theoretical question, but if I use an SSH key with a passphrase to login on a server, could this be considered as a two-factor authentication (2FA)? Indeed, I need the SSH (private) key, which could be considered as the first…
Asked by Antonin M.

50 votes, 4 answers
Log user out after change of IP address?
Does it make sense to log a user out from a web service after the user's IP address is changed? I understand that a change of an IP address might indicate a man-in-the-middle attack. Then again IP addresses of end user devices (mobile phones) might…
Asked by Tobias Gassmann

50 votes, 7 answers
Is this password scheme legit?
I received an invitation for an IT security fair (https://www.it-sa.de/en). They additionally delivered a password "Kryptonizer". That is a little card to hang on your keychain with the following (example values, my translation): It is often too…
Asked by izlin

50 votes, 5 answers
Is using 'echo' to display attacker-controlled data on the terminal dangerous?
Imagine the following code:
ATTACKERDATA="$(cat attackerControlledFile.txt)"
echo "${ATTACKERDATA}"
An attacker can, through whatever arbitrary process, modify the contents of attackerControlledFile.txt to anything they desire. The content can be…
Asked by user163495

50 votes, 5 answers
Downsides of showing email address on Android lock screen
My stock Android 9.0 gives me the option of showing some short text message on the lock screen. I want to add my email address here, so people know how to contact me if they find my phone. Are there any downsides to this? The address is linked to…
Asked by freekvd

50 votes, 7 answers
Doesn't the choice of encryption algorithm add entropy by itself?
Let's say someone has my encrypted data and he wants to decrypt it. People always talk about how the length of the key (e.g. 256 bits) decides about the entropy of the encryption, which totally makes sense. If the attacker tries all 2^256…
Asked by Robert

50 votes, 21 answers
Are there unphotographable, but scannable ID cards?
We have a client who hosts an event, with a tight budget, that uses lanyarded Photo-ID cards with barcodes on them. The barcodes are used to gain access to various areas at the event. We were thinking of proposing a hashed code (currently the IDs…
Asked by Konchog

50 votes, 10 answers
Is it OK that a sysadmin knows the password for a newcomer / act as a user (immediately after his/her recruiting)?
Somehow related to this other question. I am dealing with the following case: a medium-large company (with about 200 on-premises employees) is applying the following procedure for all the newly recruited employees (immediately before their first day…
Asked by Diego Pascotto

50 votes, 5 answers
Can someone without the WiFi login and no physical access to a router still access it with the admin login?
If you have a router with default login and password for the admin page, can a potential hacker gain access to it without first connecting to the LAN via the WiFi login?
Asked by Q-bertsuit

50 votes, 4 answers
How to achieve non-repudiation?
If I have a message that I need to send to another person, how do I achieve non-repudiation? Is digitally signing the message sufficient?

50 votes, 6 answers
How safe are wifi enabled talking toys?
There have been ads on the radio recently for a wifi enabled toy called Talkies, which are advertised as being able to communicate with app enabled phones, with a "trusted circle" that other phones can be added to. (Obligatory photo of a cute wifi…
Asked by JohnP

50 votes, 11 answers
SSL's (security) benefit to the website owner
I know the many benefits of SSL for the users of a website. It creates a contract whereby the user can be certain that the entity they're transacting with is who it claims to be and that the information passed is encrypted. I also have some idea…
Asked by Luke Sawczak

50 votes, 6 answers
Is there any difference between HTTP and HTTPS when using my home / own internet connection
First of all I am a web developer and not a security expert. I have read lots of articles about the difference between HTTPS and HTTP, including this site. The basic idea I got from them is, when using HTTPS all things are encrypted on the client…

50 votes, 5 answers
New XSS cheatsheet?
There is a great list of XSS vectors available here: http://ha.ckers.org/xss.html, but it hasn't changed much lately (e.g. latest FF version mentioned is 2.0). Is there any other list as good as this, but up to date?
Asked by naugtur

50 votes, 4 answers
How to approach replacing md5 for transporting Unity game data to a remote server
TL;DR I am working on a gaming system that uses UnityScript and C# on the client and PHP on the server. An MD5 hash of the data plus a shared secret is used to check that the data has not been modified in transit. Is MD5 good enough for this? What…
Asked by Martin