Collaborate Disseminate
This is just a thought experiment. I am trying to get an understanding on when we need password hashing functions and when they don’t bring any benefits (eg. to save on calculation cost).
I know that password-hashing-functions are to be us… Continue reading What is the best way to store the verifyer for posession of a high entropy secret?
First of all, I don’t want to reinvent the wheel, just want to build my own car. Non-product environment; only for fun and entertainment.
The goal is to use a single private (and never published) master password to create unique passwords … Continue reading DIY: password key derivation tool using PBKDF2 / HMAC [migrated]
After reading Why use random characters in passwords? it seems to me that one can solve the problem of how to remember a zillion passwords while each one remains secure by constructing each password from a high entropy root modified by the… Continue reading Construct a strong, (almost) unique password? [duplicate]
Yes, the transfer to the script via arguments is visible through ps -ax, /proc/<pid>/cmdline etc., BUT if someone has already gained access to your account from the outside (e.g. by hacking your browser) he will have no trouble looki… Continue reading Is it really safe to pass sensitive data to another script via stdin, compared to passing via arguments (Linux)
I’m doing Red Hat (RHEL 6.5) security settings.
If I set up the two files as shown below, is there no security effect on each other?
/etc/pam.d/system-auth
password requisite pam_cracklib.so retry=3 minlen=8 lcredit=-1 ucredit=-1 dcredit… Continue reading Red Hat Password Security Settings(/etc/pam.d/system-auth, /etc/login.defs)
I’m working with a dev agency for a web-based platform. Here is how they are planning to handle sign-ups on the platform as well as log-in and password reset.
Is it a good, robust and secure solution?
Registration:
We use library ‘crypto’ … Continue reading Sign-up/Login/Password reset – Is this a good and secure solution?
When I type a password somewhere, I see placeholders (black dots) in place of characters. But sometimes, there is also a toggle button to view the password like in a regular input field (typically an icon with the shape of an eye, or a tex… Continue reading Why do some password fields allow users to see what they type while others do not?
The password hashing competition, started in 2014 and Argon2 was the winner in 2015, listed evaluation criteria for the competition. There is an interesting one in the Functionality section;
Ability to transform an existing hash to a diff… Continue reading Password hashing algorithms that can transform an existing hash to a different cost setting without knowledge of the password
A while ago, I was tipped off that it’s a good idea to check if the password provided at registration is contained in any list of leaked passwords. I’m not in the information security field, but I really like to take aspects like this seri… Continue reading Is it a good idea to check if the password provided at registration is leaked on any lists? And then, prevent the user from using it?
The worst thing that organizations can do is take a hard stance with their cybersecurity efforts. The digital threat landscape is constantly evolving. If organizations settle into a viewpoint, they could elevate one source of risk into something unrealistic—all while missing other digital threats. This reflects just how much assumptions drive cybersecurity-related decisions. Forbes put […]
The post The 5 Most Hotly Contested Security Trends and Questions appeared first on Security Intelligence.
Continue reading The 5 Most Hotly Contested Security Trends and Questions