Most Popular (1500 questions)
109 votes, 3 answers
How does DuckDuckGo know my native language even though I am using a VPN in a country with a different language?
I recently started using a VPN and I've felt more comfortable browsing the Internet. My VPN allows me to select another country through which my traffic is routed to make it appear I'm located in that particular country. "What's my IP" and similar…
S. Rotos (1,023 reputation; 2 gold, 7 silver, 5 bronze badges)
109 votes, 8 answers
My school wants to keep the details of our door authentication system a secret. Is that a good idea?
So, I am designing a door authentication system (can't really go into more detail) for our school, so that only authenticated persons can go through a certain internal door. They hold that its inner working should be kept a secret, so that no one…
Christopher King (2,937 reputation; 4 gold, 17 silver, 29 bronze badges)
108 votes, 17 answers
Is "password knocking" a good idea?
With port knocking, you have to "knock" on specific ports in defined order to expose a port on which service is running.
How about password knocking? For example you have three passwords: A, B and C. None of them is correct by itself, but entered…
gronostaj (1,300 reputation; 2 gold, 10 silver, 17 bronze badges)
108 votes, 4 answers
Now that it is 2015, what SSL/TLS cipher suites should be used in a high security HTTPS environment?
It has become quite difficult to configure an HTTPS service that maintains "the ideal transport layer". How should an HTTPS service be configured to permit some reasonable level of compatibility while not being susceptible to even minor attacks?
TLS…
rook (47,238 reputation; 10 gold, 96 silver, 182 bronze badges)
108 votes, 8 answers
Why do I hear about so many Java insecurities? Are other languages more secure?
I really like the Java programming language, but I continuously hear about how insecure it is. Googling 'java insecure' or 'java vulnerabilities' brings up multiple articles talking about why you should uninstall or disable Java to protect your…
gsgx (1,215 reputation; 2 gold, 12 silver, 13 bronze badges)
108 votes, 4 answers
Suspicious GitHub fork
Update (April 15): The forked repo and the user do not exist any more.
Yesterday, one of my GitHub projects was forked and there is a suspicious commit on the fork of the repo. As you can see from the commit the GitHub Actions configuration installs…
Giorgi (913 reputation; 2 gold, 4 silver, 12 bronze badges)
108 votes, 1 answer
In 2018, what is the recommended hash to store passwords: bcrypt, scrypt, Argon2?
There are many questions about picking a hash function, including How to securely hash passwords? or Are there more modern password hashing methods than bcrypt and scrypt?, with very detailed answers, but most of them date quite a bit.
The consensus…
jcaron (3,615 reputation; 2 gold, 17 silver, 23 bronze badges)
108 votes, 5 answers
How can waiting 24 hours to change the password again be secure?
So I managed to change my password on a service to the "wrong" password; for simplicity, let's just say I changed it to an insecure password.
Now, I wanted to change it to a more secure password but instead I got a nice error message:
The password…
ZN13 (948 reputation; 2 gold, 6 silver, 10 bronze badges)
108 votes, 7 answers
Is social engineering an actual threat?
I've recently finished the book The Art of Deception: Controlling the Human Element of Security by Kevin Mitnick.
The book was released on 4th December 2002. Not talking only about techniques described in this book, but are the ways used by…
Marek Sebera (2,233 reputation; 3 gold, 21 silver, 27 bronze badges)
107 votes, 13 answers
Why is client-side hashing of a password so uncommon?
There are very few websites that hash the user's password before submitting it to the server. JavaScript doesn't even have support for SHA or other algorithms.
But I can think of quite a few advantages, like protection against cross-site leaks or…
Maestro (1,183 reputation; 2 gold, 8 silver, 8 bronze badges)
107 votes, 5 answers
Should websites be allowed to disable autocomplete on forms or fields?
Currently, there is an HTML form/input attribute called autocomplete, which, when set to off, disables autocomplete/autofill for that form or element.
Some banks seem to use this to prevent password managers from working. These days sites like Yahoo…
Manishearth (8,317 reputation; 5 gold, 37 silver, 56 bronze badges)
107 votes, 15 answers
At what point does something count as 'security through obscurity'?
So, I keep finding the conventional wisdom that 'security through obscurity is no security at all', but I'm having the (perhaps stupid) problem of being unable to tell exactly when something is 'good security' and when something is just 'obscure'.
I…
root (1,537 reputation; 3 gold, 12 silver, 20 bronze badges)
107 votes, 8 answers
Ex-contractor published company source code and secrets online
Just found my current company's code on the plain internet.
We are talking hundreds of thousands of lines of scripts and configurations, including database schemas and a fair amount of internal information. Looks like an archive of some project(s),…
user5994461 (1,296 reputation; 3 gold, 13 silver, 12 bronze badges)
107 votes, 5 answers
Being told my "network" isn't PCI compliant. I don't even have a server! Do I have to comply?
We are a brick and mortar company... literally. We are brick masons. At our office we connect to the internet through our cable modem provided to us by Spectrum Business.
Our Treasurer uses a Verifone vx520 card reader to process credit card…
user3512967 (793 reputation; 2 gold, 5 silver, 6 bronze badges)
107 votes, 7 answers
School performs periodic password audits. Is my password compromised?
My university sent me an email informing me that, during a "periodic check", my password was found to be "easily discoverable and at risk of compromise". As I understand it, there shouldn't be a way for them to periodically check my password unless…
GB1553 (843 reputation; 2 gold, 6 silver, 8 bronze badges)