Collaborate Disseminate
I am studying for my RHCSA exam, and one of the topics is the ability to “change a forgotten root user password.” This is an official exam objective and even has official Redhat documentation.
How is this not a glaring secu… Continue reading Ability To Change Root User Password (Vulnerability?)
The NIST 800-63b password guidelines include password policy changes that can improve everyone’s experience with passwords, including eliminating the forced periodic password reset. The most publicized recommendation is throwing away password com… Continue reading Eliminating the Burden of Periodic Password Reset
Hugely popular news aggregation site Flipboard – one billion app downloads from Google Play and counting – has become the latest internet company to admit it has suffered a breach. Continue reading Flipboard data breach – what users should do now
Am doing a pen test on a client system using AWS Cognito and userpools for authentication using the client side SDK provided by AWS.
during the forget password flow, I noticed that Cognito request returns 400 with a payload … Continue reading Is detecting if an email has an account considered a vulnerability with AWS cognito?
Nobody got at the subset of G Suite passwords, Google said, apologizing and saying that it’s working to ensure this is an isolated incident. Continue reading Google stored some passwords in plain text for 14 years
I am not sure whether this community is right or not to represent my problem.
Suddenly my gmail app is asking for login again. When I tried to login it is showing me that your password is changed 2 hours ago. But I haven’t c… Continue reading How to recover gmail account without another email and contact number? [on hold]
I was pentesting a web app and while doing a password change, the client checks for the old password but not the server. Also they’ve a CSRF vulnerability. So would it be possible to post directly to the server and change the… Continue reading Is there a way to post directly to the server without going client side?
In my system, a new user must confirm his email.
But there is an edge case:
he registers
does not confirm
forgets password, performs password reset (which involves a mail loop)
At that point I know his email works – so I… Continue reading Safe to consider webapp user’s email as implicitly confirmed after a password reset?
One of my old email addresses was involved in the recent Whitepages breach disclosure.
I don’t remember on which websites I used that email address for registration, but I would like to reset my password everywhere possible. Websites could… Continue reading How do I reset passwords on multiple websites easily?
I’m not a security guy, so bear with me. As discussed in other topics, usernames in and of themselves are valid forms of verification, and there’s nothing particularly sensitive or secure about usernames. For example, in most… Continue reading Account Recovery: Displaying username without verification