Most Popular (1500 questions)
107 votes, 5 answers

Should we store the access token in our database for OAuth2?

I have a requirement to implement Facebook and Google login in my web application. I also need to access a user's Facebook/Google+ friend list. I have gone through the complete OAuth2 documentation of Facebook and Google. I understood the basic…

Asked by Deepak Kumar Padhy
107 votes, 5 answers

Should websites be allowed to disable autocomplete on forms or fields?

Currently, there is an HTML form/input attribute called autocomplete, which, when set to off, disables autocomplete/autofill for that form or element. Some banks seem to use this to prevent password managers from working. These days sites like Yahoo…

Asked by Manishearth
107 votes, 8 answers

Certificate based authentication vs Username and Password authentication

What are the advantages and drawbacks of the certificate based authentication over username and password authentication? I know some, but I would appreciate a structured and detailed answer. UPDATE I am interested as well in knowing what attacks are…
107 votes, 10 answers

Should I change the private key when renewing a certificate?

My security department insists that I (the system administrator) make a new private key when I want an SSL certificate renewed for our web servers. They claim it's best practice, but my googling attempts have failed to verify their claim. What is the…

Asked by Commander Keen
107 votes, 8 answers

Why refresh CSRF token per form request?

In many tutorials and guides I see that a CSRF token should be refreshed per request. My question is why do I have to do this? Isn't a single CSRF token per session much easier than generating one per request and keeping track of the ones…

Asked by Philipp Gayret
107 votes, 12 answers

Why is it difficult to catch "Anonymous" or "Lulzsec" (groups)?

I'm not security literate, and if I was, I probably wouldn't be asking this question. As a regular tech news follower, I'm really surprised by the outrage of Anonymous (hacker group), but as a critical thinker, I'm unable to control my curiosity to…

Asked by claws
107 votes, 5 answers

Being told my "network" isn't PCI compliant. I don't even have a server! Do I have to comply?

We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business. Our Treasurer uses a Verifone vx520 card reader to process credit card…

Asked by user3512967
107 votes, 7 answers

Is it safe to give my email address to a service like haveibeenpwned in light of the publication of "Collection #1"?

There is a new big case of stolen login/password data in the news. At the same time, I am reading that there are services that let you check if your own login data is affected, e.g. Have I Been Pwned. Is it safe to enter my email address there to…

Asked by godwana
107 votes, 19 answers

Defence methods against tailgating

This is a follow-up question to this one: "Roles to play when tailgating into a residential building". How do you protect yourself or your company against tailgaters? What is the best answer when you are asked by, let's say the delivery guy, to let…

Asked by Lithilion
107 votes, 5 answers

Confirmed evidence of cyber-warfare using GPS history data

In its recent policy, the US Department of Defense has prohibited the use of GPS-featured devices for its overseas personnel. They explain it with a theory that commercial devices like smartphones or fitness trackers can store the geo-position (GPS)…
107 votes, 2 answers

Is a redirect showing the password in plain text a security vulnerability?

A couple of days ago, I attempted to log into the website of a well-known SaaS provider. I used a password manager on my browser (so user/pass were correct) and the NoScript plugin which had limited permissions granted to the site so some JS was…

Asked by markdwhite
107 votes, 3 answers

How does DuckDuckGo know my native language even though I am using a VPN in a country with a different language?

I recently started using a VPN and I've felt more comfortable browsing the Internet. My VPN allows me to select another country through which my traffic is routed to make it appear I'm located in that particular country. "What's my IP" and similar…

Asked by S. Rotos
107 votes, 5 answers

How can waiting 24 hours to change the password again be secure?

So I managed to change my password on a service to the "wrong" password; for simplicity, let's just say I changed it to an insecure password. Now, I wanted to change it to a more secure password, but instead I got a nice error message: The password…

Asked by ZN13
107 votes, 15 answers

Why did customer services say using symbols in a password is insecure?

I am using an online service for which I recently had to reset my password because I forgot it. When I went to change my password I wanted to use one with a symbol !@£$%^&*(). When I clicked "confirm password" it displayed "_Invaid Data" to me which I…

Asked by iProgram
106 votes, 11 answers

How dangerous is it to reveal your date of birth, and why?

At some point I told a friend that it's dangerous to reveal your birth date (kind of like your social security number or your mother's maiden name), because it's a crucial piece of information for identity theft. However, I'm not sure what exactly…

Asked by user541686