127
votes
3 answers
Recommended # of rounds for bcrypt
What is nowadays (July 2012) the recommended number of bcrypt rounds for hashing a password for an average website (storing only name, email address and home address, but no credit card or medical information)?
In other words, what is the current…

Jason Smith
127
votes
2 answers
How is the Heartbleed exploit even possible?
I have read about the Heartbleed OpenSSL vulnerability and understand the concept. However what I don't understand is the part where we pass 64k as the length and the server returns 64kb of random data because it does not check whether we really…

Talha Sayed
127
votes
4 answers
Is it safe to include an API key in a request's URL?
Lately I've seen plenty of APIs designed like this:
curl "https://api.somewebsite.com/v1/something&key=YOUR-API-KEY"
Isn't it elementary that passing an API key in a query string as part of the URL is not secure, at least in HTTP?

Incerteza
127
votes
7 answers
Let's Encrypt for intranet websites?
Many companies have intranet websites that are not reachable via the internet. Usually they just use a self-signed certificate, which causes a bad habit for the users since they get used to just pressing OK on invalid CERT warnings.
Question: How…

LoukiosValentine79
126
votes
10 answers
Does an ISO27001 audit require users to reveal their passwords?
My company's system administrator is asking for our passwords for an ISO audit and my VP IT operations support says it's mandatory for ISMS (ISO27001).
Can someone confirm if this is true?

v_sukt
125
votes
5 answers
Is it a bad idea for a firewall to block ICMP?
This question was inspired by this answer which states in part:
The generic firewall manifest file finishes off by dropping everything I didn't otherwise allow (besides ICMP. Don't turn off ICMP).
But, is it truly a good practice for a firewall to…

Justin Ethier
125
votes
7 answers
My ISP uses deep packet inspection; what can they observe?
I found out that my ISP does deep packet inspection.
Can they see the contents of HTTPS connections? Wouldn't having HTTPS ensure that they can't see the contents being transferred?
And can having a VPN protect me against deep packet inspection by…

cppanonhelp666
125
votes
4 answers
How does ransomware get on people's computers?
I've noticed increased frequency of ransomware questions around Stack Exchange. Some of the people I remotely know had their devices recently infected as well.
I'm starting to be concerned. When people ask me how to avoid viruses, I typically tell…

Tomáš Zato - Reinstate Monica
124
votes
8 answers
Are there technical differences which make Linux less vulnerable to viruses than Windows?
What makes Linux so different than Windows in terms of anti-virus needs?
My question is not if I should get an anti-virus for my Linux. I perfectly understand why an AV is important.
I would like to understand if there are conceptual (technical)…
user69377
124
votes
3 answers
What's the purpose of DH Parameters?
For a Diffie–Hellman (D-H) key exchange (TLS) the server generates a prime p and a generator g, which is a primitive root modulo p.
When setting up a webserver with SSL/TLS (e.g. nginx) one can use a directive ssl_dhparam dhparam4096.pem
The…

Ben Richard
124
votes
10 answers
How critical is it to keep your password length secret?
Is keeping your password length secret critical to security?
Does someone knowing that you have a password length of say 17 make the password drastically easier to brute force?

Crizly
124
votes
3 answers
Session Authentication vs Token Authentication
I am trying to get a handle on some terms and mechanisms and find out how they relate to each other or how they overlap. Authenticating a theoretical web application and mobile application is the focus. The focus is on the exact difference between…

Hoax
124
votes
7 answers
Is using Git for deploying a bad practice?
I tend to use Git for deploying production code to the web server. That usually means that somewhere a master Git repository is hosted somewhere accessible over ssh, and the production server serves that cloned repository, while restricting access…

Septagram
124
votes
5 answers
Why do phishing e-mails use faked e-mail addresses instead of the real one?
I read that you can write anything into the From: field of an e-mail.
If that is true, then why are phishing e-mails trying to trick me with look-alike addresses like service@amaz0n.com instead of just using the actual service@amazon.com itself?

JFB
124
votes
4 answers
What is the website checking about my browser to protect the website from a DDoS?
Some sites I visit take me to a page that says roughly, "Checking your browser before accessing example.com. DDoS attack protection by CloudFlare".
What exactly about my browser is being checked and how will that help protect against a DDoS attack?
user133587