IT Security Stack Exchange
IT Security Stack Exchange

Most Popular

more tags
1500 questions
247
votes
18 answers

Passwords being sent in clear text due to users' mistake in typing it in the username field

Upon reviewing the Logs generated by different SIEMs (Splunk, HP Logger Trial and the AlienVault platform’s SIEM) I noticed that for some reason quite a few users tend to make the mistake of typing their passwords in the username field, either in…
Lex
  • 4,247
  • 4
  • 19
  • 27
244
votes
14 answers

My college is forcing me to install their SSL certificate. How to protect my privacy?

My college administration is forcing us to install Cyberoam Firewall SSL certificate so that they can view all the encrypted traffic to "improve our security". If I don't install the certificate than I won't be able to use their network. What are…
svetaketu
  • 2,151
  • 2
  • 9
  • 5
242
votes
6 answers

Is Telegram secure?

There is a new WhatsApp-killer application called Telegram. They said that it's open source and that it has a more secure encryption. But they store all the messages in their servers and WhatsApp doesn't store any messages in any server, only a…
ilazgo
  • 2,743
  • 4
  • 12
  • 10
241
votes
5 answers

What is the difference between https://google.com and https://encrypted.google.com?

Is it there any difference between the encrypted Google search (at https://encrypted.google.com) and the ordinary HTTPS Google search (at https://google.com)? In terms of security what were the benefits of browsing through encrypted Google…
BlueBerry - Vignesh4303
  • 5,107
  • 13
  • 34
  • 63
241
votes
4 answers

What is the difference between authorized_keys and known_hosts file for SSH?

I am learning the basics of SSH protocol. I am confused between the contents of the following 2 files: ~/.ssh/authorized_keys: Holds a list of authorized public keys for servers. When the client connects to a server, the server authenticates the…
Ankit
  • 2,623
  • 4
  • 15
  • 9
241
votes
12 answers

Is single quote filtering nonsense?

Penetration testers found out that we allow single quotes in submitted data fields, and want us to apply rules (input validation) to not allow them in any value. While I'm aware that single quotes are popular for SQL injection attacks, I strongly…
Peter Walser
  • 1,781
  • 2
  • 11
  • 9
239
votes
3 answers

What are ssh-keygen best practices?

Most users would simply type ssh-keygen and accept what they're given by default. But what are the best practices for generating ssh keys with ssh-keygen? For example: Use -o for the OpenSSH key format rather than the older PEM format (OpenSSH 6.5…
Tom Hale
  • 2,545
  • 3
  • 9
  • 11
238
votes
7 answers

All 0s (zeros) in a bank card's CVC code

My bank card recently expired. I got a new one and this one turned out to be "lucky": its CVC code was 000. For a few months I used it extensively, both online and offline, without any difficulties - until the day when I entered my card details on…
Vlad Nikiforov
  • 2,023
  • 2
  • 6
  • 9
237
votes
10 answers

Is "the oft-cited XKCD scheme [...] no longer good advice"?

I was stumbling around and happened onto this essay by Bruce Schneier claiming that the XKCD password scheme was effectively dead. Modern password crackers combine different words from their dictionaries: [...] This is why the oft-cited XKCD scheme…
Nick T
  • 3,382
  • 4
  • 21
  • 28
237
votes
11 answers

Why is Math.random() not designed to be cryptographically secure?

The JavaScript Math.random() function is designed to return a single IEEE floating point value n such that 0 ≤ n < 1. It is (or at least should be) widely known that the output is not cryptographically secure. Most modern implementations use the…
forest
  • 64,616
  • 20
  • 206
  • 257
236
votes
3 answers

Why did I have to wave my hand in front of my ID card?

I recently had to authenticate myself online to use an internet-based service. The authentication process was done via video call with me holding my ID card in front of my laptop camera beside my face. I also had to wiggle the ID card so the person…
Tom K.
  • 7,913
  • 3
  • 30
  • 53
234
votes
7 answers

Why would you not permit Q or Z in passwords?

Jetblue's password requirements specify that, among other stringent requirements: Cannot contain a Q or Z I can't fathom a logical reason for this, unless it were say, extremely common for the left side of keyboards to break, but then you wouldn't…
Mark Mayo
  • 1,903
  • 3
  • 12
  • 10
234
votes
15 answers

Where do you store your personal private GPG key?

So, I want to start using pass, but I need a GPG key for this. This application will store all of my passwords, which means it's very important that I don't lose my private key, once generated. Hard disks break, cloud providers are generally not…
Florian Margaine
  • 2,465
  • 3
  • 13
  • 10
234
votes
7 answers

Should I use CSRF protection on Rest API endpoints?

Quick note: this is not a duplicate of CSRF protection with custom headers (and without validating token) despite some overlap. That post discusses how to perform CSRF protection on Rest endpoints without discussing if it is actually necessary. …
Conor Mancone
  • 29,899
  • 13
  • 91
  • 96
233
votes
8 answers

What is the difference between SSL vs SSH? Which is more secure?

What is the difference between SSH and SSL? Which one is more secure, if you can compare them together? Which has more potential vulnerabilities?
Am1rr3zA
  • 3,043
  • 4
  • 17
  • 14
1 2 3
99 100