Collaborate Disseminate
Ok- so you all probably know that a hash is used to help secure a stored password in a database, if it was stolen.
When a user logs in, and enters a password, it gets hashed, and then matched to a hash in the name of the user that tried to… Continue reading How do databases/companies change their hashing algorithm? [duplicate]
Are there any risks to writing down your digital passwords on physical paper?
I am asking because I once saw on a website that you shouldn’t do this…
Any ideas, because I just really don’t see how anyone could steal them, unless a burglar … Continue reading Security implication of writing down passwords [duplicate]
In this Help Net Security interview, Charlotte Wylie, SVP and Deputy CSO at Okta, discusses the challenges of managing user identities across hybrid IT environments. She emphasizes balancing and adopting comprehensive security controls, including cloud… Continue reading Strategies for secure identity management in hybrid environments
I’m working on a project that requires offline functionality, including offline login and secure data manipulation. I’d appreciate feedback on my chosen approach and best practices for secure design.
Scenario:
Users need to perform CRUD op… Continue reading Secure Offline Login and Data Encryption with PBKDF2 and AES-256
A while ago I wanted to deploy a service using a OCI (docker/podman) container, and I noticed to me, what seemed like a possibly distributing trend. In the build file for a lot of the containers, the password is put there in plain text in … Continue reading Passwords/password hashes in plaintext in service configs – why is this common practice?
I have received many security emails from LinkedIn over the past few weeks. An example is shown below (redaction mine)
I do not live in the USA and I did not try to access LinkedIn at the times these were received.
Two things suggested to… Continue reading Is it bad practice to prompt users to reset password when there is no evidence of a breach?
We have an application that holds a bunch of passwords in an encrypted vault for various purposes. What is the best practice for storing the key for that vault? There feels like there’s a bootstrapping problem where the master key needs to… Continue reading Sharing the key to a password vault securely
so I checked my passwords with the Google Password Manager integrated into Chrome.
Google shows me Passwords as "hacked" that https://haveibeenpwned.com/Passwords says are fine, and also Google lists Passwords as okay/weak that h… Continue reading Google Password Manager vs Have I Been Pwned [closed]
If I have a program that runs on a regular basis, such as a cron job or systemd timer and it needs to access a secure resource like a hsm or encrypted database, what are the best practices to store/access the credentials to it?
I use a password manager and have a browser plugin installed for it to simplify entering passwords into websites. I recently encountered a website (enterprise SaaS solution I use at work), which actively blocks password managers from auto… Continue reading Why would website block password manager auto-fill?