Most Popular
1500 questions
102 votes, 10 answers
Does it improve security to use obscure port numbers?
I recently started a job at a small company where the CTO prefers to host SSH services at obscure, high numbered ports on our servers rather than the well known port 22. His rationale is that "it prevents 99% of script kiddy attacks." I'm curious…
William Rosenbloom
102 votes, 13 answers
Why is root security enforced but $HOME typically unprotected?
Coming from the comments in this question Why is it bad to log in as root?:
The sudo mechanics is in use so non-administrative tools "cannot harm your system." I agree that it would be pretty bad if some github project I cloned was able to inject…
phil294
102 votes, 5 answers
Someone is trying to brute-force(?) my private mail server... very... slowly... and with changing IPs
This has been going on for about 1-2 days now:
heinzi@guybrush:~$ less /var/log/mail.log | grep '^Nov 27 .* postfix/submission.* warning'
[...]
Nov 27 03:36:16 guybrush postfix/submission/smtpd[7523]: warning: hostname bd676a3d.virtua.com.br does…
Heinzi
102 votes, 5 answers
What is the specific reason to prefer bcrypt or PBKDF2 over SHA256-crypt in password hashes?
We know that to slow down password cracking in case of a password database leak, passwords should be saved only in a hashed format. And not only that, but hashed with a strong and slow function with the possibility to vary the number of rounds.
Often…
ilkkachu
101 votes, 6 answers
Are GUIDs safe for one-time tokens?
I see a lot of sites use GUIDs for password resets, unsubscribe requests and other forms of unique identification.
Presumably they are appealing because they are easy to generate, unique, non-sequential and seem random.
But are they safe enough for…
Michael Haren
101 votes, 5 answers
How can my employer be a man-in-the-middle when I connect to Gmail?
I'm trying to understand SSL/TLS. What follows is a description of a scenario and a few assumptions which I hope you can confirm or refute.
Question
How can my employer be a man-in-the-middle when I connect to Gmail? Can he at all?
That is: is it…
Lernkurve
101 votes, 8 answers
Why do ATMs accept any PIN?
The other day I tried to withdraw some cash from an ATM in a hurry and punched in a wrong PIN. I realized that only when I hit the "ok" button, but to my surprise the ATM did not complain. It showed the usual menu, asking me to select an operation.…
Andrew Savinykh
101 votes, 2 answers
How do I get the RSA bit length with the pubkey and openssl?
I have a public key generated with ssh-keygen and I'm just wondering how I get information on the key length with openssl?
Evan Carroll
101 votes, 2 answers
How many OpenPGP keys should I make?
I am learning how to use OpenPGP keys in GnuPG, and I am wondering what is the threshold people generally use to maintain separate OpenPGP keys. Maintaining an incredibly large number of keys is not good since it makes it difficult to be trusted by…
user9117
101 votes, 10 answers
How would disabling IPv6 make a server any more secure?
I was reading this article about hardening security on Linux servers, and in point #23, the article says:
#23: Turn Off IPv6
Internet Protocol version 6 (IPv6) provides a new Internet layer of
the TCP/IP protocol suite that replaces Internet…
vakus
101 votes, 5 answers
How to address bad password security policy from a large company?
I just went to reset my Western Digital password and they emailed me my plaintext password, instead of providing an online form to let me change it. This is really concerning to me as the site accepts/processes payments for their drives, and I have…
Douglas Gaskell
101 votes, 6 answers
What is the purpose of confirming old password to create a new password?
Suppose that someone stole my password; he/she can easily change it by confirming the old password.
So, I am curious why we need that step, and what the purpose of the old password confirmation is?
ronaldtgi
101 votes, 4 answers
What is the difference between an X.509 "client certificate" and a normal SSL certificate?
I am setting up a web service through which my company will talk to a number of business customers' services. We will be exchanging information using SOAP. I would like to handle authentication with SSL certificates provided by both parties, but…
Brandon Yarbrough
101 votes, 13 answers
Company computers for competent developers, how can you deal with them?
This is a follow up on Is there a legitimate reason I should be required to use my company’s computer. Mostly, because I see a huge issue in a couple of specific situations.
Had I been in a position of the security engineer for an organization I…
grochmal