Collaborate Disseminate
Bitdefender released a report which reveals how consumers across various age groups and socio-demographic backgrounds behave on popular platforms, applications and devices, affecting cybersecurity risk. Findings show basic practices for securing data, … Continue reading Everyday cybersecurity practices inadequate among many online consumers
I’m trying to create application-layer encryption for user data in my database, using password derivation function. But there is a problem, that there must be an admin user, who can access all user’s encryption keys, for password reset functionality and some other things. I don’t like the fact that all encryption system security can be broken with just one admin password. I’ve asked for an advice here How can I improve the application administrator’s encryption keys security inside database
I was advised to compile an admin encryption key not from a password but from another source (admin computer system information, for example), so it can’t be brute-forced, and then pass it to the database server.
It is a good approach, however, this complicates admin mobility and system recovery in an event of key loss, and these requirements are mandatory to accomplish.
So, I come up with this idea:
At first glance, I don’t see any great flaws with this approach, but I couldn’t find that someone has done anything similar before, so I want to ask you to help me to validate my vision.
I am interested in the issue of establishing the security of data of users of a web application in the event of a database leak.
It was decided to use the following encryption chain:
User data is encrypted with a user symmetric key (AES)
… Continue reading How can I improve the application administrator’s encryption keys security inside database
First of all, yes, I know it’s better to change the password anyways, but I want a figure on the damage done.
What kind of hashing technique was used by Twitch for saving the passwords?
How long do the passwords need to be bruteforced on a… Continue reading Twitch leak – what kind of hashing did they use?
We regularly use 10000 iterations of SHA256 for hashing passwords.
If we want to have similar security, how many rounds/work factor should we use when hashing passwords with bcrypt?
Continue reading How many rounds of Bcrypt to use for security equivalent to SHA256?
How can the operator of Github detect whether or not my password applied on their website is commonly used by me on other websites?
I have received a warning message from them forcing me to change my password. The reasoning for that is as … Continue reading Github knows where I have used my password
Environment
I am creating a python application which writes to SQL.
It is compiled into an .exe and distributed to other computers in the business.
(Edit: The SQL server is hosted by our business, within our intranet. The password is also … Continue reading How do I secure SQL passwords when distributing executables?
The National Cybersecurity Alliance and CybSafe announced the release of a report which polled 2,000 individuals across the U.S. and UK. The report examined key cybersecurity trends, attitudes, and behaviors ahead of Cybersecurity Awareness Month this … Continue reading Cybersecurity best practices lagging, despite people being aware of the risks
We have our web app / REST API getting tested by potential customer. In the report they came up with this issue:
Sensitive data like user credentials on login page, password reset,
change password etc. are sent in clear text format. If se… Continue reading OWASP Pentest – "Sensitive data sent in clear text" [closed]
and this is the text
SAMSAMFASFABSFNAF UANSFUNASFMN ASDASDASDAS SADFDS SF SD DSADASDASDASDASDSADASDASDISFASIUNFUAUSFNASFYGBNFDLBDF; B
IBFDFL, BDLF, BJNS BS UNBUSF N BSNFB SUFNBUSBNSFNBN USFNBUSFNB RSFNBUNFSBUNSFBNSFKBMKSFNBSFJ BJNFSBJNSFJB… Continue reading I Want a Decrypt a Text But i Dont Have Key Or Anything [closed]