Collaborate Disseminate
I just found out that an e-commerce platform (similar to Shopify) I was planning on using allows me to see my password. I know I can’t assume anything and I should (probably) just run away from it, but it got me curious: is there a way to … Continue reading Encrypting a password with its own hash
I have recently been introduced to GPG signing as a better way of verifying data than hashing. It was described that if you posted the hash of the file, someone could hack your website, alter the hash and publish a different binary and you… Continue reading Main Reasons for GPG over hashing for verification
Suppose that we want to sign a big message, the signature performs a hash calculation, is it insecure to hash the message before the signature meaning to double hash the message?
As after the first hash the input space is reduced than the … Continue reading Hash of hash for signing a big message [closed]
apt InRelease files update like twice every day, in ubuntu repositories and their mirrors. similarly in ubuntu and debian based distros, and other apt repositories. these files are small text files that contain hashes of other [fresh] text… Continue reading how to document and check apt inrelease files? are there blockchain records for that?
HTTP basic auth sends credentials un-hashed and unencrypted over the wire, relying on TLS for confidentiality in transit. However, should the password be stored hashed using a standard KDF in the backend for comparison on receipt?
Continue reading Should http basic auth passwords be stored hashed serverside?
One way to secure a password in the database is to hash it with salt i.e. appending a random string to the password and then hash it and store the value.
Does encrypting the password || salt then hashing it make it more secure? Is it reall… Continue reading Is adding encryption before hashing more secure?
In PHP a magic hash attack happens when loose type comparisons cause completely different values to be evaluated as equal, causing a password "match" without actually knowing the password. Here is an example:
<?php
if (hash(‘m… Continue reading Magic hash attack in JavaScript
A website has some bruteforce prevention for logins, and I need to turn that off because it’s buggy and it’s causing problems. It will stay turned off, probably forever, because there are no plans to do any maintenance on that website. It’… Continue reading Locking accounts using the same strong hash in the database
I was looking into this code base (https://github.com/vstoykovbg/doubleslow) and the following phrase caught my attention:
DANGER of catastrophic data loss! One bit flip (due to cosmic rays for example) can make the result of the hash fun… Continue reading How likely is to have a hash function output flip a bit?
While reading this question, it got me to thinking.
Let’s say an attacker has some way to make all of their login attempts appear legitimate – enough IP addresses to never reuse them, different valid browser UA strings on each request matc… Continue reading Avoid strong password hashing functions aiding a DDoS attempt on oneself [duplicate]