Collaborate Disseminate
I’ve heard a lot of people say that the Web Crypto API is not very safe. For example: https://tonyarcieri.com/whats-wrong-with-webcrypto, Problems with in Browser Crypto. However, I’m looking to use the Web Crypto API for a completely diff… Continue reading Is the Web Crypto API secure when the server is trusted?
A consumer’s online account where they login and input their passwords is a very lucrative target for cybercriminals. In this Help Net Security video, David Senecal, VP of Architecture and Research at Arkose Labs, talks about the economics involv… Continue reading What type of fraud enables attackers to make a living?
It’s a well-known fact that humans are the weakest link in any security strategy. Verizon’s latest annual data breach report found that over 80% of breaches in the “Basic Web Application Attacks” incident pattern were due to stolen credentials. Not sur… Continue reading Overcoming the roadblocks to passwordless authentication
I was discussing with a non-IT friend after he came to me with a question regarding security and password change.
As he puts it: "Why do websites ask me to re-authenticate after a password change? I just provided both the old and the … Continue reading Why would websites ask users to reauthenticate after a password change?
What are the alternatives of storing tokens when password managers are discouraged?
Some of the ideas that come to my mind are storing in a text file and encrypting with GnuPG but that’s asks for extra password.
Slack has confirmed that a security vulnerability accidentally exposed the… Continue reading Slack Releases Fix for Critical Bug That Exposed Hashed Passwords for Years
I wonder if there will be (or is) a way to hide data such as passwords from the HTML/DOM structure? As, password fields can hide from external person other than the main user with something like "••••••••" but this does not preve… Continue reading Why is not there encrypted way of sharing/showing data such as Password to the user (hidden from web app Source code)?
A huge problem is PIN guessing from birthdays (dd/mm/yy lends to a 6 digit number that is easily guessed, dd/mm/yyyy for 8 digits). It’s very often that a PIN number is taken from someone’s birthday or year, either their own or relatives. … Continue reading Why are PIN codes usually even-numbered (4 or 6)?
A huge problem is PIN guessing from birthdays (dd/mm/yy lends to a 6 digit number that is easily guessed, dd/mm/yyyy for 8 digits). It’s very often that a PIN number is taken from someone’s birthday or year, either their own or relatives. … Continue reading Why are PIN codes usually of even length (4 or 6)?
Picture a state of the art implementation of a website registration and login system.
I’m interested in analyzing what a defender gains and loses by feeding the user password to a key-stretching KDF function (e.g. argon2).
Let’s start from… Continue reading On the gains and losses of an additional client side stretching of the user password