Collaborate Disseminate
In this interview with Help Net Secuirty, Den Jones, CSO at Banyan Security, explains the benefits of implementing passwordless authentication and the process every organization has to go through when deploying such technology. Organizations have been … Continue reading How to become a passwordless organization
Just got an email that mentioned, in very broken english, having hacked my email etc. and actually managed to list my current password of that email account. The mail was, apparently, send by that very email and is, only in outlook, dated … Continue reading Email supposedly from the future mentioning fairly recent password
In BurpSuite, you can brute force a password of any length and any character set (in my case, alphanumeric passwords between 1 to 7 characters long). How does one do it in OWASP ZAP, without actually generating a password list containing a… Continue reading Brute force alphanumeric passwords between 1 to 7 characters long with ZAP
Oops:
Instead of telling you when it’s safe to cross the street, the walk signs in Crystal City, VA are just repeating ‘CHANGE PASSWORD.’ Something’s gone terribly wrong here.
Continue reading “Change Password”
When a user changes password, I’d like to implement a simple check that prevents them from reusing the same password. If the new password matches the old password, reject with an error.
Sounds easy, but at the same time I’m aware that hash… Continue reading Hash collisions in password history
Findings from a Bulletproof report highlight the issue posed by poor security hygiene as automated attacks remain a high security threat to businesses. The research gathered throughout 2021, showed that 70% of total web activity is currently bot traffi… Continue reading Attackers using default credentials to target businesses, Raspberry Pi and Linux top targets
Scenario: a user enters his password incorrectly x times, so his account is locked for y minutes.
Should I revoke all his refresh tokens?
Problems:
user is logged out of all devices, not just the one he’s on currently (where he entered th… Continue reading Revoke all refresh tokens when account locked?
I recently had to change my password on a linux server (RedHat). It wouldn’t let me use my password of choice because it was "too similar" to my previous password. Is this really reasonable? My previous password was 13 charact… Continue reading Rationale behind disallowing the use of similar passwords?
When adding an account on a mail client, the SSL/TLS is usually turned off and the encryption method is ‘none’ (see Outlook example below).
Is the password safely sent through the internet when authenticating using the default settings?
I… Continue reading Is authentication through mail clients safe when encryption is off?
I published the following diary on isc.sans.edu: “Credentials Leaks on VirusTotal“: A few weeks ago, researchers published some information about stolen credentials that were posted on Virustotal. I’m keeping an eye on VT for my customers and searching for data related to them. For example, I looking for their domain name(s)
The post [SANS ISC] Credentials Leaks on VirusTotal appeared first on /dev/random.