Most Popular

1500 questions
1268 votes, 22 answers

XKCD #936: Short complex password, or long dictionary passphrase?

How accurate is this XKCD comic from August 10, 2011? I've always been an advocate of long rather than complex passwords, but most security people (at least the ones that I've talked to) are against me on that one. However, XKCD's analysis seems…
Billy ONeal
  • 2,688
  • 4
  • 15
  • 15
1258 votes, 3 answers

How does SSL/TLS work?

How does SSL work? I just realised we don't actually have a definitive answer here, and it's something worth covering. I'd like to see details in terms of: A high level description of the protocol. How the key exchange works. How authenticity,…
Polynomial
  • 132,208
  • 43
  • 298
  • 379
926 votes, 11 answers

How to securely hash passwords?

If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database, and not any other type of attack, such as…
AviD
  • 72,138
  • 22
  • 136
  • 218
862 votes, 14 answers

What technical reasons are there to have low maximum password lengths?

I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites where I actually care about their security. I understand most people…
enderland
  • 7,931
  • 3
  • 12
  • 14
658 votes, 4 answers

Do any security experts recommend bcrypt for password storage?

On the surface bcrypt, an 11-year-old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based on the initialization function used in the NIST-approved Blowfish algorithm, seems almost too good to be true.…
Sam Saffron
  • 6,665
  • 3
  • 14
  • 11
618 votes, 23 answers

How does changing your password every 90 days increase security?

Where I work I'm forced to change my password every 90 days. This security measure has been in place in many organizations for as long as I can remember. Is there a specific security vulnerability or attack that this is designed to counter, or are…
Bill the Lizard
  • 6,731
  • 4
  • 19
  • 28
599 votes, 7 answers

How to store salt?

If you expect to store user passwords securely, you need to do at least the following: $pwd=hash(hash($password) + salt) Then, you store $pwd in your system instead of the real password. I have seen some cases where $pwd contains the salt itself. I…
George
  • 6,177
  • 3
  • 14
  • 10
575 votes, 3 answers

What's the difference between SSL, TLS, and HTTPS?

I get confused with the terms in this area. What are SSL, TLS, and HTTPS? What are the differences between them?
jrdioko
  • 13,011
  • 7
  • 29
  • 38
563 votes, 20 answers

How can I explain SQL injection without technical jargon?

I need to explain SQL injection to someone without technical training or experience. Can you suggest any approaches that have worked well?
torayeff
  • 4,535
  • 4
  • 16
  • 15
554 votes, 3 answers

Why can I log in to my Facebook account with a misspelled email/password?

I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account my email and password were autocompleted by my browser. Then I decided to misspell my…
aMJay
  • 3,615
  • 5
  • 11
  • 20
543 votes, 11 answers

Is my developer's home-brew password security right or wrong, and why?

A developer, let's call him 'Dave', insists on using home-brew scripts for password security. See Dave's proposal below. His team spent months adopting an industry standard protocol using Bcrypt. The software and methods in that protocol are not…
nallenscott
  • 4,699
  • 3
  • 12
  • 8
535 votes, 18 answers

Police forcing me to install Jingwang spyware app, how to minimize impact?

Chinese police are forcing whole cities to install an Android spyware app Jingwang Weishi. They are stopping people in the street and detaining those who refuse to install it. Knowing that I may be forced to install it sooner or later, what are my…
Citizen
  • 2,711
  • 3
  • 7
  • 6
500 votes, 8 answers

RSA vs. DSA for SSH authentication keys

When generating SSH authentication keys on a Unix/Linux system with ssh-keygen, you're given the choice of creating an RSA or DSA key pair (using -t type). What is the difference between RSA and DSA keys? What would lead someone to choose one over…
jrdioko
  • 13,011
  • 7
  • 29
  • 38
468 votes, 13 answers

Are passwords stored in memory safe?

I just realized that, in any language, when you save a password in a variable, it is stored as plain text in the memory. I think the OS does its job and forbids processes from accessing each other's allocated memory. But I also think this is somehow…
Antoine Pinsard
  • 4,597
  • 4
  • 15
  • 27
448 votes, 14 answers

Is it bad practice to use your real name online?

On some accounts I use my real name on-line (Google+/Facebook/Wikipedia/personal blog), others (Q&A/Gaming) I use an alias. My question is: Security and privacy wise, what can people do with my real name? What are the dangers of using your real name…
blade19899
  • 3,601
  • 3
  • 13
  • 18