Collaborate Disseminate
I was reading the security advice given by the Swedish Bankers’ Association. They included these two pieces of advice (my translation), that I assume is to teach the user to check for SSL/TLS and protect from SSL-strip:
I am using a form token to prevent CSRF attacks. Those tokens are stored and tied to a user’s session. Now I want to refresh the token only every N minutes or hours so that the user’s don’t experience any usability issues lik… Continue reading What’s a good time period before refreshing CSRF token of the user session?
Web application may encrypt all user data at client side to convince users that it can’t decrypt them.
When user enters password, it’s used to encrypt data in browser and then it’s sent to server in encrypted state. Server d… Continue reading Is client side encryption really better than server side?
How accurate is this XKCD comic from August 10, 2011?
I’ve always been an advocate of long rather than complex passwords, but most security people (at least the ones that I’ve talked to) are against me on that one. However, XKCD’s analy… Continue reading XKCD #936: Short complex password, or long dictionary passphrase?