I am a programmer at a financial institute. I have recently been told to enforce that all new user IDs have at least one alpha and one numeric. I immediately thought that this was a horrible idea and I would rather not implement it, as I believe this is an anti-feature and of poor user experience. The problem is that I don't have ...
If I go to www.paypal.com, Firefox displays a huge icon in the location bar. Is it possible to get my web site to do this without paying $2700 to Verisign? Where is the best place to buy SSL certificates and not break the bank?
...
I can understand that imposing a minimum length on passwords makes a lot of sense (to save users from themselves), but my bank has a requirement that passwords are between 6 and 8 characters long, and I started wondering...
Wouldn't this just make it easier for brute force attacks? (Bad)
Does this imply that my password is being stored...
My question is pretty straightforward: You are an executable file that outputs "Access granted" or "Access denied" and evil persons try to understand your algorithm or patch your innards in order to make you say "Access granted" all the time.
After this introduction, you might be heavily wondering what I am doing. Is he going to crack...
Consider the following scenario:
- create a SharePoint site collection
- create a new security permission level "Test", with "Manage permissions" checked.
- create a new Group, with "Contribute", and "Test" checked for its permissions.
Now, if a member of this group goes to "_layouts/user.aspx", he can modify his group permissions, ...
Hi
I was wondering whether there are any security concerns with adding crossdomain.xml to the root of an application server? Can it be added to any other parts of the server, and are you aware of any workarounds that don't require the server to have this file in place?
Thanks
Damien
...
How do you enumerate the fields of a certificate held in a store? Specifically, I am trying to enumerate the fields of personal certificates issued to the logged-on user.
...
We recently had a security audit and it exposed several weaknesses in the systems that are in place here. One of the tasks that resulted from it is that we need to update our partner credentials system to make it more secure.
The "old" way of doing things was to generate a (bad) password, give it to the partner with an ID and then they ...
From Wired magazine:
...the Palin hack didn't require any real skill. Instead, the hacker simply reset Palin's password using her birthdate, ZIP code and information about where she met her spouse -- the security question on her Yahoo account, which was answered (Wasilla High) by a simple Google search.
We cannot ...
We all know that security questions suck, but still they're often used as the authentication of last resort to reset forgotten passwords. What are some secure and unsecure ones you've used or seen?
Use community owned answers for voting. Up-vote secure questions. Down-vote unsecure questions. Explain in comments.
...
My last couple of projects have involved websites that sell a product/service and require a 'checkout' process in which users put in their credit card information and such. Obviously we got SSL certificates for the security of it plus giving peace of mind to the customers. I am, however, a little clueless as to the subtleties of it, and ...
I am looking for best practices for detecting and preventing DOS in the service implementation (not external network monitoring). The service handles queries for user, group and attribute information.
What is your favorite source of information on dealing with DOS?
...
How would I go about writing some code to allow access to a Java class in my webapp from the command line?
E.g. I have a Java class with a command line interface that can run code in the context of the webapp, with access to the DB etc. I want to log on to the machine hosting my WARred app in Tomcat and be able to interact with it.
Where ...
This is a shameless information gathering exercise for my own book.
One of the talks I give in the community is an introduction to web site vulnerabilities. Usually during the talk I can see at least two members of the audience go very pale; and this is basic stuff, Cross Site Scripting, SQL Injection, Information Leakage, Cross Site Fo...
I am curious about how you protect your software against cracking, hacking etc.
Do you employ some kind of serial number check? Hardware keys?
Do you use any third-party solutions?
How do you go about solving licensing issues? (e.g. managing floating licenses)
EDIT: I'm not talking any open source, but strictly commercial softwar...
I'm new to developing things on the web. So far, I'm spending a lot of time (50% or so) trying to prevent bad people from putting things like SQL injection into my input forms and validating it server side. Is this normal?
...
I recently bought and read a box set of books on security (Building Secure Software: How to Avoid Security Problems the Right Way, Exploiting Software: How to Break Code, and Software Security: Building Security In). Although I think that the contents of these books will be useful for years to come, the authors do acknowledge that the wo...
Why does Kerberos authentication use T125 protocol? I believe Kerberos authentication behaves this way:
Client asks for a ticket to the Kerberos authority
The Kerberos authority provides a Ticket to the client
The Client tries to authenticate towards a Server and sends to the server this Ticket.
The Server verifies the Ticket is OK wit...
What are some popular spam prevention methods besides CAPTCHA?
...
Suppose that a group wants to encrypt some information, then share the encryption key among the group members in a way that requires the consensus of the group to decrypt the information. I'm interested in a variety of scenarios where the breadth of consensus ranges from unanimity to an absolute majority. A useful technique can apply to ...