Hey,
I am considering using the following rules for a casual website.
8-20 chars long
valid chars include letters, digits, and symbols
case sensitive
that's all. My question is, besides white space, is there any other symbol that I should consider as "illegal"? Please keep in mind that it is a casual website so I don't need any password...
I have a PHP file I made that basically gives me passwords to all my users. I want to be the only one able to view the contents and see the page. What's the best way of doing it?
Password protection? Requiring a special cookie that only I have?
Give me some ideas..
...
I was just reading this post http://stackoverflow.com/questions/549/the-definitive-guide-to-website-authentication-beta#477585 on Preventing Rapid-Fire Login Attempts.
Best practice #1: A short time delay that increases with the number of failed attempts, like:
1 failed attempt = no delay
2 failed attempts = 2 sec delay
3 failed ...
I've seen some password revealing software. Most of them have a shooting-pointer-like pointer, and you can just point it at the password text box and the software reveals the password.
But still the protected software and the revealer software are not interconnected. They are separate processes running on the same host.
My queries are,
...
According to McAfee, “Aurora” Exploit In Google Attack Now Public, and the exploit code referred to should be here; can anyone give a more detailed explanation of how it works?
...
As part of a PCI-DSS audit we are looking into improving our coding standards in the area of security, with a view to ensuring that all developers understand the importance of this area.
How do you approach this topic within your organisation?
As an aside we are writing public-facing web apps in .NET 3.5 that accept payment by cred...
I was given advice that I am suspicious about so I'm looking for support here to go back and challenge the advice.
I was advised to use Diffie-Hellman to get both sides to agree on a secret key, use the secret key to generate an AES key, and then use AES to encrypt/decrypt passwords that are being transmitted. Pretty much like the samp...
I read the question here in SO "jQuery Linking vs. Download" and I somehow don't get it.
What happens if you host a page on http://yourserver.com, but load jQuery library from http://ajax.googleapis.com and then use the functions defined in jQuery script?
Does "same origin policy" not count in this case? I mean, can you make AJAX calls...
I have a site in development with several web services (ASMX) that post important data to my database. When I navigate to the ASMX file in my browser, I can fill in the form with the parameters and post to the DB. If someone finds the URL to my WS, they can severely alter my database. I want to prevent people from being able to post to m...
I am applying to graduate schools for a M.S. in computer security, information assurance, cybersecurity, etc. (they all have different titles).
I figure a good place to find schools for this is on the NSA's Centers for Academic Excellence list.
I was wondering if anyone out there has any experience at these or any other programs, an...
hi,
I'm about to launch a forms auth membership site that will include forms that both international and American users can use to update their profile info and submit requests for info on products (but no actual e-commerce). I'm using asp.net validation controls on the text inputs and I had it pretty tightly filtered for chars using re...
MS Query, when connecting to SQL Server through an ODBC Data Source, uses the system procedure "sp_tables" to retrieve a listing of tables in the database. The source for sp_tables can be viewed but not altered. The problem with this procedure is that it will not return a table name for which the connected user has permissions to acces...
Hi,
I'm building my first Rails app and am beginning to set up my database. I have a simple Users table containing name, e-mail (login), password and so on.
The site lets the users bet each other (with monopoly money), so I need to add information about the users' current winnings and other delicate matters to the database.
Question: Sho...
Hello,
I am programming a Certification Authority in Java for a uni class; now I don't know what the best option is for the serial number of the Certificate.
Simple static counter from 0 to veryBigNumber
some huge BigInt random number
Is there any good reason for choosing one over the other... or none of them??
thanks,
...
I want to write a very simple implementation of an onion router in Java (but including Chaum mixes). A lot of the public/private key encryption seems pretty straightforward, but I'm struggling to understand how the last router would know that the final onionskin has been 'peeled'.
I was thinking of having some sort of checksum also encod...
I have written an ASP.NET MVC application that allows the user to specify their own custom domain. I have IIS configured to send all requests to the default website so I do not need to use host headers. Everything works perfectly. The only problem is SSL.
I know this question has been asked multiple times in many forums but the answers ...
Hi everyone,
This might be a pretty basic question, but how do you add new users to the aspnet_Users table in an ASP.NET 2.0 app?
I know I could do it using a SQL script, and being mindful of the associations, but I know I've seen a graphical interface for it... I can't find code for adding new users in the web app I'm maintaining (it ...
I am interested in understanding the internals of JavaScript. I've tried to read the source for SpiderMonkey and Rhino but it's quite complex to wrap my head around.
The reason I ask is: why does something like
(![]+[])[+!![]+[]] produce "a"
(Å=[],[µ=!Å+Å][µ[È=++Å+Å+Å]+({}+Å)[Ç=!!Å+µ,ª=Ç[Å]+Ç[+!Å],Å]+ª])()[µ[Å]+µ[Å+Å]+Ç[È]+ª](Å) pr...
Edit/clarification: I mean password generation as in "deterministically generate passwords for your own use (e.g. to sign up for web services), based on some secret and on some site-specific data"
I take the MD5 digest of the concatenation of my master password and a (non-secret) site-specific string. Then I take the first 16 digits of ...
I have a database that will be hosted by a third party. I need to encrypt strings in certain columns, but I do not want to lose the ability to query over the encrypted columns.
I have limited control over the SQL instance (I have control over the database I own, but not over any administrative functions.)
I realize that I can use a .ne...