Hashing a password once is insecure No, multiple hashes are not less secure; they are an essential part of secure password use. Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from … Read more
The Apache docs recommend against using a rewrite: To redirect http URLs to https, do the following: <VirtualHost *:80> ServerName www.example.com Redirect / https://www.example.com/ </VirtualHost> <VirtualHost *:443> ServerName www.example.com # … SSL configuration goes here </VirtualHost> This snippet should go into main server configuration file, not into .htaccess as asked in the question. This article … Read more
This question has been addressed, in a slightly different form, at length, here: RESTful Authentication But this addresses it from the server-side. Let’s look at this from the client-side. Before we do that, though, there’s an important prelude: Javascript Crypto is Hopeless Matasano’s article on this is famous, but the lessons contained therein are pretty … Read more
For old-school CD keys, it was just a matter of making up an algorithm for which CD keys (which could be any string) are easy to generate and easy to verify, but the ratio of valid-CD-keys to invalid-CD-keys is so small that randomly guessing CD keys is unlikely to get you a valid one. INCORRECT … Read more
From early days of online stores: Getting a 90% discount by entering .1 in the quantity field of the shopping cart. The software properly calculated the total cost as .1 * cost, and the human packing the order simply glossed over the odd “.” in front of the quantity to pack 🙂
Principles to keep in mind if you want your applications to be secure: Never trust any input! Validate input from all untrusted sources – use whitelists not blacklists Plan for security from the start – it’s not something you can bolt on at the end Keep it simple – complexity increases the likelihood of security … Read more
Yes. The querystring is also encrypted with SSL. Nevertheless, as this article shows, it isn’t a good idea to put sensitive information in the URL. For example: URLs are stored in web server logs – typically the whole URL of each request is stored in a server log. This means that any sensitive data in … Read more
The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as “Historic”) and formalizes the syntax for real-world usages of cookies. It clearly states: Introduction … For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a … Read more
I’m not sure if it’ll work in all browsers but you should try setting autocomplete=”off” on the form. <form id=”loginForm” action=”login.cgi” method=”post” autocomplete=”off”> The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the autocomplete form element attribute with value … Read more
JWTs can be either signed, encrypted or both. If a token is signed, but not encrypted, everyone can read its contents, but when you don’t know the private key, you can’t change it. Otherwise, the receiver will notice that the signature won’t match anymore. Answer to your comment: I’m not sure if I understand your … Read more