security

Publicly viewable salt security

If the password salt for keys is viewable, does it not improve security compared to without salt? Would it be better just to not use the salt and improve some performance? ...

Double hashing security

My first question is, I've heard that hashing the string 2 times (e.g. sha1(sha1(password)) ), because the second hash has a fixed length, is it true? My second question is, which is safer? (var1 and var2 are 2 strings): sha1(var1 + sha1(var2)) sha1(var1 + var2) If it is the 1st one, is it worth the performance cost? ...

What's the advantage of bcrypt over scrypt?

I'm looking at ways to securely store passwords. Some people claim that scrypt is "better" than bcrypt, and so far I've seen nobody who claims vice versa or that scrypt is insecure, though some call bcrypt "more reputable". What's the advantage of scrypt over bcrypt? According to the scrypt website, "the cost of a hardware brute-force a...

Keeping passwords safe

Situation 1 - Connecting the server to the database: It's always said that passwords should not be stored in plain text, however to connect to the mysql database requires the password, in plain text it seems... I'm guessing the best solution to this is to store it in an encrypted form, decrypt it in my app as needed and then erase it from...

How to handle passwords for i.e. databases or ftp servers in an application

Possible Duplicate: Ways around putting a password in code If you create an application that for example connects to a database or an ftp server it needs a username and a password. How do you recommend storing this? First and easiest option is of course as plain text in the application, but then I guess it would be quite clear...

X509 guide/tutorial in C#

Can anyone point me to good introductory materials on X509 certificates with examples in C#. ...

retrieve certificate using subject id; USER Vs Machine

Hello, I have installed a certificate with Subject "UW008" in the MY store (CERT_SYSTEM_STORE_CURRENT_USER). When I run my test application, logged in as an Administrator, my test application is able to find the certificate with the corresponding subject ID. When I tried to access the same application from across a network (with same ad...

Using the QueryString as a debug switch?!

Hi, I was refactoring some code in a web application today and came across something like this in the base class for all webpages: if (Request.QueryString["IgnoreValidation"] != null) { if (Request.QueryString["IgnoreValidation"].ToUpper() == "TRUE") { SessionData.IgnoreValidation = true; } } To me, this appears t...

Are there any known standards or security flaws in password-protected ZIP files?

Just like the title says. I was hoping someone could direct me to documents/resources that show how to encrypt a zip file such that most (if not all) 3rd-party apps can open it. I'm more interested in the security aspect rather than how to do it - any knowledge is welcome. This is to casually protect files on my work computer (and net...

How easy is it to crack a cookie created by CookieStore from a Rails app?

I have read a bunch of stuff saying that one con of using the cookie store in a Rails app is that the client can see the cookie data. However, I looked at the cookie data and it is encrypted. Is it relatively easy to decrypt the cookie data? ...

Files in a windows based web app

I have a web application running on IIS. Instead of using a database it reads and writes to a couple of XML files. I currently store these files in the Application Data folder in windows. This folder (\Documents and Settings\All Users\Application Data in win 2003) however requires at least "Power Users" privileges to write! Reads are O...

How to restrict a Flex application to only run from my website?

Hello, is it possible to make a Flex application only run from my domain? So a user can't copy the .swf and start it locally. ...

How do I generate a common hash from multiple passwords?

I've got an app that generates a hash off of a user password, which I then use to encrypt data with. I want to extend this to the case where any 2 out of 5 users need to authenticate the app before it has enough data to generate that hash. The problem I've got is I need to generate the exact same hash no matter which 2 of the 5 users au...

Editing my own user page in Grails

I'm building a web application with Grails, using the Acegi/Spring Security plugin. I want to only show the 'Edit' link if the page is showing the details of the currently logged in user. For example, the logged in user with id = 44 is viewing the page 'localhost:8080/app/user/show/44' I've tried the following but it's not working. A...

ASP.NET Serving Word Documents

I have an application that has a subfolder called "Docs" (actually a virtual directory) where I keep all of my word documents. I don't want these documents to be accessed by any unauthenticated users but for some reason regardless of what I put in my root web.config or my "Docs" web.config IIS still serves the word up to any user. ...

Windows Folder Security when sharing through a website

I'm working on an application that serves up files (e-commerce downloadable content.) The content is stored on a windows folder share on the server and the application then provides access to that content when the user requests it. Essentially there is a DownloadFile.aspx?fileId=XXXX Anyway I'm having issues getting the security right o...

Creating a "Unsafe" File Format - OK on Local File System, but Prompt from Browser

What is the correct way to create a file extension (and maybe a MIME type) that will run from your local file system without prompt, but if you browsed to that file through Internet Explorer or Firefox you would get prompted (warned)? What is the exact mechanism in the windows registry that controls this? ...

PHP Security when Passing MySQL Unique ID via Get

Let's say I have a website with links to various books on my main page. <a href='books.php?id=1'>Book 1</a> <a href='books.php?id=2'>Book 2</a> <a href='books.php?id=4'>Book 3</a> Books 1-3 are in my system, however id=3 is a part of another catalog that I'm not showing or authorizing through this section of the site. So if a user click...

WCF Security and what to use in this situation.....

I have a client/server application that has many client machines and one service on a server..... On the server side I will be using a Windows Service to host my WCF service. The service will be passing data across the internet to the client machines. I figure I will be using wsHttpBinding with message level security, which requires a...

Why do so many sites disallow the use of non-alphanumeric characters in passwords?

When going through registration, a lot of sites will disallow the use of symbols in passwords. This drives me up the wall from a usability perspective since I include multiple symbols in all my passwords, and as a programmer that deals with web authentication from time to time, I can't figure out why it wouldn't be allowed. Am I missing ...