Most Popular
1500 questions
112 votes, 8 answers
Why refresh CSRF token per form request?
In many tutorials and guides I see that a CSRF token should be refreshed per request. My question is why do I have to do this? Isn't a single CSRF token per session much easier than generating one per request and keeping track of the ones…
Philipp Gayret (reputation 1,433; badges: 2 gold, 11 silver, 14 bronze)
112 votes, 6 answers
Why should I offer HTTP in addition to HTTPS?
I am setting up a new webserver. In addition to TLS/HTTPS, I'm considering implementing Strict-Transport-Security and other HTTPS-enforcement mechanisms.
These all seem to be based on the assumption that I am serving http://www.example.com in…
lofidevops (reputation 3,630; badges: 7 gold, 26 silver, 32 bronze)
111 votes, 5 answers
Should we store access token in our database for oauth2?
I have a requirement to implement Facebook and Google login in my web application. I also need to access a user's Facebook/Google+ friend list.
I have gone through the complete OAuth2 documentation of Facebook and Google. I understood the basic…
Deepak Kumar Padhy (reputation 1,228; badges: 2 gold, 9 silver, 7 bronze)
111 votes, 13 answers
Why do sites implement locking after three failed password attempts?
I know the reasoning behind not letting infinite password attempts - brute force attempts are not a meatspace weakness, but a problem with computer security - but where did they get the number three from?
Isn't denial of service a concern when…
Bradley Kreider (reputation 6,192; badges: 2 gold, 25 silver, 36 bronze)
111 votes, 13 answers
Secure way to log in to a website on someone else's computer
Suppose I am in a situation that I am forced to log in to my account using someone else's computer. Is there any secure way to do that so that I would be sure that my login details (i.e. password) are not recorded by any means (e.g. keystroke…
today (reputation 1,081; badges: 2 gold, 7 silver, 8 bronze)
111 votes, 11 answers
"Username and/or Password Invalid" - Why do websites show this kind of message instead of informing the user which one was wrong?
Let's say a user is logging into a typical site, entering their username and password, and they mistype one of their inputs. I have noticed that most, if not all, sites show the same message (something along the lines of, "Invalid username or…
bobble14988 (reputation 1,375; badges: 3 gold, 9 silver, 12 bronze)
111 votes, 7 answers
What is the difference between Federated Login and Single Sign On?
What is the difference between Federated Login and Single Sign On authentication methods?
c card (reputation 1,213; badges: 2 gold, 9 silver, 4 bronze)
111 votes, 5 answers
What should I do about Gmail ad asking me for password?
I just got a pop-up after having logged on to Gmail. It said it was from https://googleads.g.doubleclick.net and asked for username and password.
What should I do about this? Has anyone else seen this?
I did press cancel, nothing happened. The only…
morten (reputation 881; badges: 2 gold, 6 silver, 5 bronze)
110 votes, 6 answers
Why can't I MitM a Diffie-Hellman key exchange?
After reading the selected answer of "Diffie-Hellman Key Exchange" in plain English 5 times I can't, for the life of me, understand how it protects me from a MitM attack.
Given the following excerpt (from tylerl's answer):
I come up with two prime…
orokusaki (reputation 1,362; badges: 2 gold, 10 silver, 13 bronze)
110 votes, 5 answers
What kinds of encryption are _not_ breakable via Quantum Computers?
There's the recent article NSA seeks to build quantum computer that could crack most types of encryption. Now I'm not surprised by the NSA trying anything¹, but what slightly baffles me is the word "most" - so, what encryption algorithms are known…
Tobias Kienzler (reputation 7,868; badges: 11 gold, 44 silver, 71 bronze)
109 votes, 5 answers
Can simply decompressing a JPEG image trigger an exploit?
The novel Daemon is frequently praised for being realistic in its portrayal rather than just mashing buzzwords.
However, this struck me as unrealistic:
Gragg's e-mail contained a poisoned JPEG of the brokerage logo. JPEGs were compressed image…
JDługosz (reputation 1,149; badges: 2 gold, 7 silver, 12 bronze)
109 votes, 7 answers
Is saving passwords in Chrome as safe as using LastPass if you leave it signed in?
Justin Schuh defended Google's reasoning in the wake of this post detailing the "discovery" (sic) that passwords saved in the Chrome password manager can be viewed in plaintext. Let me just directly quote him:
I'm the Chrome browser security tech…
brentonstrine (reputation 1,269; badges: 2 gold, 10 silver, 13 bronze)
109 votes, 8 answers
Certificate based authentication vs Username and Password authentication
What are the advantages and drawbacks of the certificate based authentication over username and password authentication?
I know some, but I would appreciate a structured and detailed answer.
UPDATE
I am interested as well in knowing what attacks are…
Stefany (reputation 1,287; badges: 2 gold, 10 silver, 9 bronze)
109 votes, 12 answers
Why is it difficult to catch "Anonymous" or "Lulzsec" (groups)?
I'm not security literate, and if I was, I probably wouldn't be asking this question. As a regular tech news follower, I'm really surprised by the outrage of Anonymous (hacker group), but as a critical thinker, I'm unable to control my curiosity to…
claws (reputation 2,175; badges: 5 gold, 19 silver, 23 bronze)
109 votes, 15 answers
How can I argue against: "System is unhackable so why patch vulnerabilities?"
An operating system has reached End of Support (EoS) so no more security patches are coming for the OS ever. An embedded device running this OS needs to be updated to a newer version. However, the engineers who designed the original product feel…
Ken (reputation 1,101; badges: 2 gold, 7 silver, 5 bronze)