How do I create a self-signed certificate for code signing on Windows?

Updated Answer: If you are using the following Windows versions or later: Windows Server 2012, Windows Server 2012 R2, or Windows 8.1, then MakeCert is now deprecated, and Microsoft recommends using the PowerShell Cmdlet New-SelfSignedCertificate. If you’re using an older version such as Windows 7, you’ll need to stick with MakeCert or another solution. Some …

Where do you store your salt strings?

The point of rainbow tables is that they’re created in advance and distributed en masse to save calculation time for others – it takes just as long to generate rainbow tables on the fly as it would to just crack the password+salt combination directly (since effectively what’s being done when generating rainbow tables is pre-running …

Is either GET or POST more secure than the other?

The GET request is marginally less secure than the POST request. Neither offers true “security” by itself; using POST requests will not magically make your website secure against malicious attacks by a noticeable amount. However, using GET requests can make an otherwise secure application insecure. The mantra that you “must not use GET requests to …

Default SecurityProtocol in .NET 4.5

Some of those leaving comments on other answers have noted that setting System.Net.ServicePointManager.SecurityProtocol to specific values means that your app won’t be able to take advantage of future TLS versions that may become the default values in future updates to .NET. Instead of specifying a fixed list of protocols, do the following: For .NET …

What are all the user accounts for IIS/ASP.NET and how do they differ?

This is a very good question and sadly many developers don’t ask enough questions about IIS/ASP.NET security in the context of being a web developer and setting up IIS. So here goes… To cover the identities listed: IIS_IUSRS: This is analogous to the old IIS6 IIS_WPG group. It’s a built-in group with its security configured …

Is “double hashing” a password less secure than just hashing it once?

Hashing a password once is insecure. No, multiple hashes are not less secure; they are an essential part of secure password use. Iterating the hash increases the time it takes for an attacker to try each password in their list of candidates. You can easily increase the time it takes to attack a password from …

How to redirect all HTTP requests to HTTPS using .htaccess rules?

The Apache docs recommend against using a rewrite: To redirect http URLs to https, do the following:

<VirtualHost *:80>
ServerName www.example.com
Redirect / https://www.example.com/
</VirtualHost>

<VirtualHost *:443>
ServerName www.example.com
# … SSL configuration goes here
</VirtualHost>

This snippet should go into the main server configuration file, not into .htaccess as asked in the question. This article …

Hata!: SQLSTATE[HY000] [1045] Access denied for user 'divattrend_liink'@'localhost' (using password: YES)