Most Popular
1500 questions
98
votes
4 answers
What aspects of image preparation workflows can lead to accidents like Boris Johnson's No. 10 tweet's 'hidden message'?
The BBC reports that the image Boris Johnson posted on Twitter to congratulate Joe Biden contains traces of the text "Trump" in the background. The BBC article links to a Guido Fawkes' article, and when I download the tweet's JPEG, convert to PNG…

uhoh
- 1,385
- 1
- 11
- 21
98
votes
13 answers
Why do we lock our computers?
It's common knowledge that if somebody has physical access to your machine they can do whatever they want with it[1].
So why do we always lock our computers? If somebody has physical access to my computer, it doesn't really matter if it's locked or…

Tom Marthenal
- 3,272
- 4
- 22
- 26
98
votes
9 answers
Can a virus destroy the BIOS of a modern computer?
In the late 1990s, a computer virus known as CIH began infecting some computers. Its payload, when triggered, overwrote system information and destroyed the computer's BIOS, essentially bricking whatever computer it infected. Could a virus that…

user73910
- 791
- 1
- 5
- 7
98
votes
8 answers
Can anyone provide references for implementing web application self password reset mechanisms properly?
We are implementing self password reset on a web application, and I know how I want to do it (email time limited password reset URL to users pre-registered email address).
My problem is that I can't find any references to point the developers at…

bdg
- 1,162
- 1
- 8
- 9
98
votes
3 answers
What's the advantage of using PBKDF2 vs SHA256 to generate an AES encryption key from a passphrase?
I'm looking at two comparable pieces of software which encrypt data on disk using a passphrase. One uses PBKDF2 to generate the encryption key from a passphrase, while the other uses two rounds of SHA256. What's the difference? Is one preferred over…

Andrey Fedorov
- 1,303
- 1
- 10
- 12
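Added example for the PBKDF2 versus double-SHA-256 question above; this is editor-written Python, not code from the question or from either program it compares. The passphrase, salt and iteration count are constructed values, and the "cost per guess" is the approximate number of SHA-256 invocations an attacker pays, which is the whole difference between the two schemes: one is unsalted and costs two hashes per guess, the other is salted and costs a chain of HMAC calls that cannot be shortened.

```python
"""Added example: deriving an AES-256 key from a passphrase by two rounds of
SHA-256 versus PBKDF2-HMAC-SHA256 (editor-written, not from the question)."""
import hashlib
import hmac
import struct
from typing import Callable, Iterable, Optional, Tuple

# Constructed sample inputs; none of these values come from the question.
PASSPHRASE = b"correct horse battery staple"
SALT = bytes.fromhex("8f3c2a1d9e4b7c60a1b2c3d4e5f60718")  # fixed here for reproducibility
ITERATIONS = 600_000  # assumed work factor; tune to your hardware budget


def key_from_double_sha256(passphrase: bytes) -> bytes:
    """Scheme A: key = SHA256(SHA256(passphrase)).

    No salt and no work factor: two hash calls per guess, and everyone who
    picks the same passphrase gets the same key, so one precomputed table of
    popular passphrases unlocks every volume encrypted this way.
    """
    return hashlib.sha256(hashlib.sha256(passphrase).digest()).digest()


def key_from_pbkdf2(passphrase: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Scheme B: key = PBKDF2-HMAC-SHA256(passphrase, salt, iterations), 32 bytes."""
    return hashlib.pbkdf2_hmac("sha256", passphrase, salt, iterations, dklen=32)


def pbkdf2_sha256_by_hand(passphrase: bytes, salt: bytes, iterations: int) -> bytes:
    """One PBKDF2 output block written out (RFC 8018, section 5.2) to show where
    the cost lives: a chain of `iterations` HMAC calls, each depending on the
    previous one, XORed together. Valid for a 32-byte key (a single block)."""
    u = hmac.new(passphrase, salt + struct.pack(">I", 1), hashlib.sha256).digest()
    t = int.from_bytes(u, "big")
    for _ in range(iterations - 1):
        u = hmac.new(passphrase, u, hashlib.sha256).digest()
        t ^= int.from_bytes(u, "big")
    return t.to_bytes(32, "big")


def hash_calls_per_guess(scheme: str, iterations: int = ITERATIONS) -> int:
    """Approximate SHA-256 invocations an attacker pays per candidate passphrase."""
    if scheme == "double_sha256":
        return 2
    if scheme == "pbkdf2":
        return 2 * iterations  # each HMAC-SHA256 is an inner and an outer hash
    raise ValueError(scheme)


def dictionary_attack(target_key: bytes, wordlist: Iterable[str],
                      derive: Callable[[bytes], bytes]) -> Tuple[Optional[str], int]:
    """Offline guessing against a stolen key (or a ciphertext that tells you
    when a key is right). Returns (recovered passphrase or None, guesses made)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if hmac.compare_digest(derive(word.encode()), target_key):
            return word, guesses
    return None, guesses


if __name__ == "__main__":
    words = ["password", "letmein", "correct horse battery staple"]  # constructed wordlist
    print("double SHA-256:", dictionary_attack(key_from_double_sha256(PASSPHRASE), words,
                                                key_from_double_sha256))
    # Against PBKDF2 the attacker must also hold the salt and repeat the full
    # iteration count for every candidate; the guess still succeeds, it just
    # costs ITERATIONS times more per word, per salt.
    slow = lambda p: key_from_pbkdf2(p, SALT, 20_000)
    print("PBKDF2:", dictionary_attack(key_from_pbkdf2(PASSPHRASE, SALT, 20_000), words, slow))
    print("cost ratio per guess:",
          hash_calls_per_guess("pbkdf2") // hash_calls_per_guess("double_sha256"))
```

Two rounds of SHA-256 is not a key derivation function in any meaningful sense: it has neither salt nor tunable cost, so the attacker's speed is the hash's speed. PBKDF2 is the minimum bar; a memory-hard function (scrypt or Argon2) is the better choice today, but either is incomparably stronger than the double hash.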
98
votes
7 answers
Attacker circumventing 2FA. How to defend?
Detailed in the latest NSA dump is a method allegedly used by Russian intelligence to circumvent 2FA. (In this instance Google 2FA with the second factor being a code.)
It’s a fairly obvious scheme and one that I’m sure must be used regularly.
It…

TheJulyPlot
- 7,669
- 6
- 30
- 44
98
votes
14 answers
Should I tell my boss I have discovered their passwords and they are too weak?
I'm on a temporary job so they don't give me any passwords to access the sites and resources I need. Instead, they tell me to move to another computer where a regular employee is and where every password is already set and saved on the browser.
I…

sysfiend
- 2,364
- 4
- 14
- 22
98
votes
13 answers
Is a 6 digit numerical password secure enough for online banking?
My bank went through a major redesign of their customer online banking system recently. The way security is managed across the platform was also reviewed. The password I am able to set now to log in is forced to be 6 digits long, numerical.
This…

mika
- 963
- 1
- 7
- 9
97
votes
8 answers
How can I protect my internet-connected devices from discovery by Shodan?
There's been a lot of buzz around this recent CNN article about Shodan, a search engine that can find and allow access to unsecured internet-connected devices.
Shodan runs 24/7 and collects information on about 500 million connected devices and…

Aarthi
- 901
- 1
- 9
- 10
97
votes
4 answers
What is ECDHE-RSA?
What is the difference between ECDHE-RSA and DHE-RSA?
I know that DHE-RSA is (in one sentence) Diffie-Hellman signed using RSA keys. Where DH is used for forward secrecy and RSA guards against MITM, but where do the elliptic curves in ECDHE-RSA are…

Hubert Kario
- 3,708
- 3
- 27
- 34
97
votes
7 answers
Does FTPS (FTP+S) offer better security than SFTP on the server side?
I had an exchange with some third party sysadmin yesterday regarding the setup of a file transfer interface between our servers.
I suggested using SFTP because our application has good support for it. My interlocutor absolutely wants FTP+S (FTP+TLS)…

Stéphane C.
- 972
- 1
- 7
- 8
97
votes
7 answers
How does hacking work?
I am specifically talking about web servers, running Unix. I have always been curious about how hackers get the entry point. I mean I don't see how a hacker can hack into the webpage when the only entry method they have into the server is a URL. I must…
user7360
97
votes
2 answers
Is it bad that my ed25519 key is so short compared to a RSA key?
I recently generated a new SSH key in the ed25519 format.
The public key is only 69 bytes long while my old RSA key is 373 bytes.
From my perception ed25519 is the more recent and secure format.
So why isn't longer better here?

Alex
- 1,207
- 1
- 10
- 9
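Added example for the ed25519-versus-RSA key-length question above; editor-written Python, not code from the question or its answers. It decodes the OpenSSH one-line public-key format (the base64 blob is a sequence of length-prefixed fields) so you can see what the bytes actually are: for ed25519 an 11-byte algorithm name plus a 32-byte curve point, for RSA the name, the public exponent and a 2048-bit modulus. The two key lines are constructed byte patterns, not real keys (the RSA modulus is just an odd 2048-bit number), and the comparable-strength table is taken from NIST SP 800-57 Part 1.

```python
"""Added example: what sits inside an OpenSSH public-key line
(editor-written; sample keys are constructed, not real)."""
import base64
import struct
from typing import Dict, Tuple

# Comparable security strength in bits, NIST SP 800-57 Part 1, Table 2.
SECURITY_STRENGTH_BITS = {
    ("ssh-ed25519", 256): 128,
    ("ssh-rsa", 2048): 112,
    ("ssh-rsa", 3072): 128,
}


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint': two's complement, so a leading 0x00 is added when the
    top bit is set (this is why a 2048-bit modulus occupies 257 bytes)."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def read_ssh_string(blob: bytes, offset: int) -> Tuple[bytes, int]:
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field")
    return blob[start:end], end


def parse_openssh_public_key(line: str) -> Dict[str, object]:
    """Split 'type base64 [comment]' and walk the fields inside the blob."""
    parts = line.split(None, 2)
    key_type, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)
    wire_type, off = read_ssh_string(blob, 0)
    if wire_type.decode("ascii") != key_type:
        raise ValueError("algorithm name outside the blob does not match the one inside")
    fields = []
    while off < len(blob):
        field, off = read_ssh_string(blob, off)
        fields.append(field)
    if key_type == "ssh-ed25519":
        (point,) = fields                  # compressed Edwards point, always 32 bytes
        key_bits, key_material = len(point) * 8, len(point)
    elif key_type == "ssh-rsa":
        e, n = fields                      # public exponent, then modulus
        key_bits = int.from_bytes(n, "big").bit_length()
        key_material = len(e) + len(n)
    else:
        raise ValueError("unsupported key type: " + key_type)
    return {
        "type": key_type,
        "base64_chars": len(b64),
        "blob_bytes": len(blob),
        "overhead_bytes": len(blob) - key_material,  # length prefixes + algorithm name
        "key_bits": key_bits,
        "security_bits": SECURITY_STRENGTH_BITS.get((key_type, key_bits)),
    }


# Constructed sample keys (arbitrary byte patterns, NOT usable keys).
ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(bytes(range(32)))).decode() + " alice@example"
RSA_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint((1 << 2047) | 0x10001)).decode() + " alice@example"

if __name__ == "__main__":
    for line in (ED25519_LINE, RSA_LINE):
        print(parse_openssh_public_key(line))
```

The numbers make the point: the ed25519 blob is 51 bytes, of which 32 are the key and 19 are framing, while the RSA blob is 279 bytes because the modulus alone is 257. Length in the file tracks how the key is encoded, not how hard it is to break; a 256-bit ed25519 key is rated at 128 bits of strength, above RSA-2048's 112.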
97
votes
10 answers
If a provider sees the last 4 characters of my password, can they see it in full?
I have some domains/websites as well as emails with Bluehost. Every time I need support, they need the last 4 characters of my main password for the account. They cannot tell me how they store the password, so I am intrigued in how they could…

rhymsy
- 1,212
- 1
- 10
- 15
96
votes
6 answers
Are GUIDs safe for one-time tokens?
I see a lot of sites use GUIDs for password resets, unsubscribe requests and other forms of unique identification.
Presumably they are appealing because they are easy to generate, unique, non-sequential and seem random.
But are they safe enough for…

Michael Haren
- 1,062
- 1
- 7
- 7
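Added example serving both the password-reset-references question (bdg, above) and the GUIDs-as-one-time-tokens question (Michael Haren, just above); editor-written Python, not code from either question or from any answer. It shows why "looks random" is not the property to check (a version-1 GUID is a clock reading plus a MAC address and is readable from the token itself), how many unpredictable bits a version-4 GUID carries if its generator is a CSPRNG, and the server side of the "e-mail a time-limited reset URL" design: a 256-bit token from the OS CSPRNG, stored only as a hash, expiring and consumed on first use. The 15-minute lifetime is an assumed value.

```python
"""Added example: GUIDs versus purpose-built one-time tokens, plus the server
side of an e-mailed, time-limited password-reset link (editor-written)."""
import hashlib
import secrets
import uuid
from typing import Dict, Optional, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


def uuid1_leaks(u: uuid.UUID) -> Dict[str, int]:
    """A version-1 GUID is timestamp + MAC address + a 14-bit clock sequence.
    Anyone holding one token learns the node and can bracket the time of the
    next one, so 'unique and non-sequential looking' buys no secrecy."""
    return {"version": u.version, "node": u.node, "time": u.time, "clock_seq": u.clock_seq}


def guid_random_bits(u: uuid.UUID) -> int:
    """Unpredictable bits in a GUID, assuming a CSPRNG-backed generator:
    v4 fixes 6 of the 128 bits (version and variant), leaving 122; v1 has
    none worth counting. CPython's uuid4() draws from os.urandom."""
    return 122 if u.version == 4 else 0


def new_reset_token() -> str:
    # 32 bytes (256 bits) from the OS CSPRNG, URL-safe so it drops into a link.
    return secrets.token_urlsafe(32)


class ResetTokenStore:
    """Keeps only SHA-256(token): a leaked table yields no usable links, and a
    dictionary lookup keyed by the digest reveals nothing about the token.
    Every token is removed on its first presentation, valid or not."""

    def __init__(self) -> None:
        self._by_digest: Dict[bytes, Tuple[str, float]] = {}

    def issue(self, user: str, now: float) -> str:
        token = new_reset_token()
        digest = hashlib.sha256(token.encode()).digest()
        self._by_digest[digest] = (user, now + RESET_TTL_SECONDS)
        return token  # goes into the e-mail; never persisted in the clear

    def consume(self, token: str, now: float) -> Optional[str]:
        digest = hashlib.sha256(token.encode()).digest()
        entry = self._by_digest.pop(digest, None)  # single use, success or failure
        if entry is None:
            return None
        user, expires_at = entry
        return user if now <= expires_at else None


if __name__ == "__main__":
    a, b = uuid.uuid1(), uuid.uuid1()
    print("two v1 GUIDs share a node and advance in time:", uuid1_leaks(a), uuid1_leaks(b))
    print("v4 random bits:", guid_random_bits(uuid.uuid4()))
    store = ResetTokenStore()
    token = store.issue("alice", now=1_700_000_000.0)  # constructed timestamp
    print("first use:", store.consume(token, 1_700_000_060.0))
    print("replay:", store.consume(token, 1_700_000_061.0))
```

A version-4 GUID from a CSPRNG is an acceptable token in practice (122 bits is ample), but the property that makes it acceptable is the randomness source, not the GUID format; a version-1 GUID, or a v4 from a non-cryptographic generator, fails regardless of how random it looks. The token store above is the other half of doing it properly: hash at rest, expire, and invalidate on first use.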