Collaborate Disseminate
Even though the current recommendation for storing passwords is the usage of a slow key derivation function such as Argon2, scrypt, PBKDF2 or bcrypt1, many websites still use the traditional hash(password + salt) method, with… Continue reading How bad would a partial hash leak be, realistically?
Argon2 is the winner of the Password Hashing competition, and currently recommended by OWASP for secure storage of passwords.
One crucial step of Argon2 is determining the parameters used by the function. The current IETF draft titled &quo… Continue reading What are the minimum parameters for Argon2?
The Common Vulnerability Scoring System Version 3.0 rates the severity of vulnerability depending on factors such as:
Attack Vector (AV) – What kind of access does an attacker need? Can they do it over the net or do they ne… Continue reading How to rate CVSS3’s "Privileges Required" when an attacker can create an account?
Ever since CSP 3 introduced strict-dynamic, Google has recommended its usage. Indeed, the idea of maintaining one “root” script, which in turn loads all other necessary scripts, sets up event handlers, etc. instead of maintai… Continue reading Does it pose a problem to use ‘strict-dynamic’ with a hash and not a nonce?
I recently investigated best-practices in regards to passwords, and the overwhelming majority of sources recommended using a password manager. This is great advice, but not usable in every situation. Certain situations, such … Continue reading Is Diceware more secure than a long passphrase?
How can a Web Server such as nginx or Apache be fingerprinted, if only functional HTTP Headers are sent and error pages are replaced by custom ones?