Most Popular (1500 questions)
232 votes, 10 answers

Is there any reason to disable paste password on login?

Today I logged in to pay my cellphone bill, and I found that the site has disabled paste functionality in the password field. I'm a webdev and I know how to fix this, but for a regular user it's REALLY annoying having to type a random password like…

IAmJulianAcosta (reputation 2,445)
229 votes, 15 answers

Tracing the location of a mobile IP from an email

I'm a TV scriptwriter - and not hugely tech-savvy, so please bear with me... If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service…

kjh03 (reputation 1,681)
226 votes, 1 answer

How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?

I've been hearing more about the OpenSSL Heartbleed attack, which exploits some flaw in the heartbeat step of TLS. If you haven't heard of it, it allows people to: steal OpenSSL private keys; steal OpenSSL secondary keys; retrieve up to 64kb of…

user43639
225 votes, 4 answers

Recommended # of iterations when using PBKDF2-SHA256?

I'm curious if anyone has any advice or points of reference when it comes to determining how many iterations are 'good enough' when using PBKDF2 (specifically with SHA-256). Certainly, 'good enough' is subjective and hard to define, varies by…

Tails (reputation 2,438)
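An added example for the question above, written for this page rather than taken from the question or any of its answers: it times PBKDF2-HMAC-SHA256 from the Python standard library at increasing iteration counts and keeps the largest count that still fits a per-login time budget, which is the only honest way to answer "how many is good enough" for a given server. The 100,000-iteration floor, the 250 ms budget, the sample password and the `pbkdf2-sha256$iterations$salt$key` record layout are all assumptions made for the example.

```python
"""Benchmark PBKDF2-HMAC-SHA256 and pick an iteration count for a time budget.

Added example, not code from the page.  The 100,000 floor, the 250 ms
budget and the record format below are this example's own choices.
"""
import hashlib
import hmac
import os
import time

# Never accept fewer iterations than this, however small the budget.
MIN_ITERATIONS = 100_000  # assumption for the example


def derive_key(password: bytes, salt: bytes, iterations: int,
               dklen: int = 32) -> bytes:
    """PBKDF2-HMAC-SHA256 via the standard library (OpenSSL-backed)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen)


def time_pbkdf2(iterations: int, rounds: int = 3) -> float:
    """Median wall-clock seconds for one derivation at `iterations`.

    The median of a few rounds smooths out scheduler noise; a single
    measurement on a loaded machine can easily be off by a factor of two.
    """
    password = b"correct horse battery staple"  # constructed sample input
    salt = os.urandom(16)
    samples = []
    for _ in range(rounds):
        start = time.perf_counter()
        derive_key(password, salt, iterations)
        samples.append(time.perf_counter() - start)
    samples.sort()
    return samples[len(samples) // 2]


def choose_iterations(budget_seconds: float,
                      start: int = MIN_ITERATIONS) -> int:
    """Largest power-of-two multiple of `start` whose derivation still fits
    in `budget_seconds` on this machine, but never below MIN_ITERATIONS.

    PBKDF2 cost is linear in the iteration count, so doubling walks the
    budget in a handful of measurements instead of a linear search.
    """
    iterations = start
    while time_pbkdf2(iterations * 2) <= budget_seconds:
        iterations *= 2
    return max(iterations, MIN_ITERATIONS)


def hash_password(password: bytes, iterations: int) -> str:
    """Store salt and iteration count next to the hash so the count can be
    raised later and old records rehashed on the user's next login."""
    salt = os.urandom(16)
    key = derive_key(password, salt, iterations)
    return f"pbkdf2-sha256${iterations}${salt.hex()}${key.hex()}"


def verify_password(password: bytes, stored: str) -> bool:
    """Check `password` against a record produced by hash_password."""
    algorithm, iterations, salt_hex, key_hex = stored.split("$")
    if algorithm != "pbkdf2-sha256":
        return False
    key = derive_key(password, bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(key, bytes.fromhex(key_hex))


if __name__ == "__main__":
    per_iteration = time_pbkdf2(MIN_ITERATIONS) / MIN_ITERATIONS
    print(f"{per_iteration * 1e9:.1f} ns per iteration on this machine")
    n = choose_iterations(0.25)  # 250 ms per login: example budget
    print(f"iterations fitting a 250 ms budget: {n}")
    record = hash_password(b"hunter2", n)
    print(record, verify_password(b"hunter2", record))
```

Run it on the hardware that will actually verify logins, not a laptop, and re-run it when that hardware changes: the number it prints is a property of the machine and the budget, not a constant. Because the iteration count travels with each record, raising it later only requires rehashing on the next successful login.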
223 votes, 13 answers

Is there any reason to not show users incorrectly entered passwords after a successful login?

Our client has come up with the requirement that in case the username in question has had multiple failed login attempts, the incorrectly entered password(s) must be shown once a successful login is performed. Correctly entered information,…

RaunakS (reputation 2,043)
221 votes, 9 answers

How should I distribute my public key?

I've just started to use GPG and created a public key. It is kind of pointless if no-one knows about it. How should I distribute it? Should I post it on my profile on Facebook and LinkedIn? How about my blog? What are the risks?

Roger C S Wernersson (reputation 3,060)
214 votes, 9 answers

Best Practice: "separate ssh-key per host and user" vs. "one ssh-key for all hosts"

Is it better to create a separate SSH key for each host and user or just use the id_rsa key for all hosts to authenticate? Could one id_rsa be malpractice for the privacy/anonymity policies? Having one ssh-key for all…

static (reputation 2,239)
213 votes, 5 answers

What is a specific example of how the Shellshock Bash bug could be exploited?

I read some articles (article1, article2, article3, article4) about the Shellshock Bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the…

Rob Bednark (reputation 1,435)
211 votes, 10 answers

What should you do if you catch encryption ransomware mid-operation?

You boot up your computer one day and while using it you notice that your drive is unusually busy. You check the System Monitor and notice that an unknown process is using the CPU and both reading and writing a lot to the drive. You immediately do a…

Fiksdal (reputation 3,076)
209 votes, 4 answers

Is a rand from /dev/urandom secure for a login key?

Let's say I want to create a cookie for a user. Would simply generating a 1024 bit string by using /dev/urandom, and checking if it already exists (looping until I get a unique one) suffice? Should I be generating the key based on something else? Is…

Incognito (reputation 5,204)
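An added example for the question above, written for this page and not taken from the question or its answers: it issues session tokens from the operating system's CSPRNG through Python's `secrets` module (which reads `os.urandom`, i.e. the same source as /dev/urandom), stores only a hash of each token server-side, and carries the birthday-bound arithmetic that shows why the "loop until unique" check the question proposes buys nothing. The 256-bit token size (the question proposes 1024 bits), the in-memory store and the `SessionStore` class are assumptions made for the example.

```python
"""Session tokens from the OS CSPRNG, plus the birthday-bound arithmetic
that shows why a "loop until unique" check is wasted effort.

Added example, not code from the page.  Assumptions: 256-bit tokens (the
question proposes 1024) and an in-memory store keyed by the token's hash.
"""
import hashlib
import secrets
from typing import Dict, Optional

TOKEN_BYTES = 32  # 256 bits of entropy; an assumption chosen for the example


def new_token(nbytes: int = TOKEN_BYTES) -> str:
    """URL-safe token; secrets.token_urlsafe reads os.urandom underneath."""
    return secrets.token_urlsafe(nbytes)


def collision_probability(nbits: int, issued: int) -> float:
    """Upper bound on the chance that any two of `issued` tokens of `nbits`
    uniformly random bits coincide (birthday bound: n^2 / 2^(nbits+1))."""
    return issued * issued / 2.0 ** (nbits + 1)


class SessionStore:
    """Maps tokens to users without ever storing the raw token.

    Keeping SHA-256(token) instead of the token means a leaked table does
    not hand out live sessions, and lookups stay O(1) through the dict.
    """

    def __init__(self) -> None:
        self._by_hash: Dict[str, str] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user: str) -> str:
        token = new_token()
        # No "check if it already exists" loop: at 256 bits the birthday
        # bound makes a repeat astronomically unlikely, and a loop here
        # would only matter if the RNG were broken, in which case a
        # uniqueness check would not rescue it (a predictable token is
        # still predictable, unique or not).
        self._by_hash[self._fingerprint(token)] = user
        return token

    def resolve(self, token: str) -> Optional[str]:
        return self._by_hash.get(self._fingerprint(token))

    def revoke(self, token: str) -> bool:
        return self._by_hash.pop(self._fingerprint(token), None) is not None


def issue_and_resolve(user: str) -> Optional[str]:
    """Round-trip helper: issue a token for `user` and look it up again."""
    store = SessionStore()
    return store.resolve(store.issue(user))


if __name__ == "__main__":
    store = SessionStore()
    t = store.issue("alice")
    print(t, store.resolve(t), store.revoke(t), store.resolve(t))
    # One billion live sessions with 256-bit tokens:
    print(f"{collision_probability(256, 10**9):.3e}")
    # Versus 32-bit tokens, where 2^16 sessions already give even odds:
    print(collision_probability(32, 2**16))
```

The two printed probabilities are the whole argument: with 256-bit tokens a billion concurrent sessions collide with probability around 10^-60, so the database round-trip to check for an existing token is pure cost, while with 32-bit tokens the same check is the least of your problems because an attacker can enumerate the space directly. Entropy in the token, not a uniqueness loop, is what makes a session key secure.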
206 votes, 7 answers

Does https prevent man in the middle attacks by proxy server?

There is a desktop client A connecting to website W over an https connection: A --> W. Somehow between A and W, there is a proxy G: A --> G --> W. In this case, will G be able to get the certificate which A previously got from W? If G can get the…

jojo (reputation 2,171)
205 votes, 6 answers

How secure is 'blacking out' sensitive information using MS Paint?

I'm wondering if it's safe to black out sensitive information from a picture just by using Microsoft Paint? Let's assume in this scenario that EXIF data are stripped and there is no thumbnail picture, so that no data can be leaked in such a way. But…

Mirsad (reputation 10,005)
203 votes, 7 answers

How do mobile carriers know video resolution over HTTPS connections?

Verizon is modifying their "unlimited" data plans. Customers in the USA can stream video at 480p -or- pay to unlock higher resolutions (both 720p and +1080p). They are not the only mobile carrier to implement rules like this. If I am on a site that…

raithyn (reputation 1,833)
202 votes, 10 answers

How safe are password managers like LastPass?

I use LastPass to store and use my passwords, so I do not have duplicate passwords even if I have to register four to five different accounts a day, and the passwords are long. How safe are password manager services like LastPass? Don't they create…

blended (reputation 2,841)
202 votes, 22 answers

How can I explain to non-techie friends that "cryptography is good"?

After that case in which the Brazilian government arrested a Facebook VP due to end-to-end encryption and no server storage of messages on WhatsApp to prove connection with a drug case, it's become pretty common for friends of mine to start…

user28177