Collaborate Disseminate
At my Company, we put a honeypot in our network and it raised us the Lansweeper SSH password used to connect to the scanned assets (and it is reusable over many boxes…).
So it is a way for an attacker to get sensitive passwords in a corp… Continue reading Is this Wikipedia article about SCRAM wrong?
The situation: Currently, we are sending out emails and SMS to our users, which include a link to a form that each user has to fill out on a regular basis (an "eDiary"). As we need to be able to authenticate and authorize the use… Continue reading What’s a "safe" URL shortening algorithm?
I had a discussion with a friend today about his password hash comparison. I argued that you can’t return false on the first hash mismatch you have and I sent him a link to an article about a Java timing attack that happened in Java 6.
pub… Continue reading Timing attacks in password hash comparisons
I want to prove that the source code I am using is the same as the open-sourced version, which is publicly available. My idea was to publish a hash of the open-sourced version and compare it to the hash of the deployed server at boot. Howe… Continue reading Cryptographically prove open sourced source code of server
I’m reading rfc5652, there are different references of the two algorithm identifiers.
For example in this ASN.1 structure :
https://tools.ietf.org/html/rfc5652#section-5.3
When using RSA for signing; isn’t the digest algorithm represents t… Continue reading What’s the difference between digest algorithm and signing algorithm? [migrated]
I just found out that an e-commerce platform (similar to Shopify) I was planning on using allows me to see my password. I know I can’t assume anything and I should (probably) just run away from it, but it got me curious: is there a way to … Continue reading Encrypting a password with its own hash
I have recently been introduced to GPG signing as a better way of verifying data than hashing. It was described that if you posted the hash of the file, someone could hack your website, alter the hash and publish a different binary and you… Continue reading Main Reasons for GPG over hashing for verification
Suppose that we want to sign a big message, the signature performs a hash calculation, is it insecure to hash the message before the signature meaning to double hash the message?
As after the first hash the input space is reduced than the … Continue reading Hash of hash for signing a big message [closed]
apt InRelease files update like twice every day, in ubuntu repositories and their mirrors. similarly in ubuntu and debian based distros, and other apt repositories. these files are small text files that contain hashes of other [fresh] text… Continue reading how to document and check apt inrelease files? are there blockchain records for that?
HTTP basic auth sends credentials un-hashed and unencrypted over the wire, relying on TLS for confidentiality in transit. However, should the password be stored hashed using a standard KDF in the backend for comparison on receipt?
Continue reading Should http basic auth passwords be stored hashed serverside?