The difference between the ‘Local System’ account and the ‘Network Service’ account?

Since there is so much confusion about functionality of standard service accounts, I’ll try to give a quick rundown. First the actual accounts: LocalService account (preferred) A limited service account that is very similar to Network Service and meant to run standard least-privileged services. However, unlike Network Service it accesses the network as an … Read more

How to secure database passwords in PHP?

Several people misread this as a question about how to store passwords in a database. That is wrong. It is about how to store the password that lets you get to the database. The usual solution is to move the password out of source-code into a configuration file. Then leave administration and securing that configuration … Read more

Are HTTP cookies port specific?

The current cookie specification is RFC 6265, which replaces RFC 2109 and RFC 2965 (both RFCs are now marked as “Historic”) and formalizes the syntax for real-world usages of cookies. It clearly states: Introduction … For historical reasons, cookies contain a number of security and privacy infelicities. For example, a server can indicate that a … Read more

Disable browser ‘Save Password’ functionality

I’m not sure if it’ll work in all browsers but you should try setting autocomplete="off" on the form. <form id="loginForm" action="login.cgi" method="post" autocomplete="off"> The easiest and simplest way to disable Form and Password storage prompts and prevent form data from being cached in session history is to use the autocomplete form element attribute with value … Read more

Using openssl to get the certificate from a server

With SNI If the remote server is using SNI (that is, sharing multiple SSL hosts on a single IP address) you will need to send the correct hostname in order to get the right certificate. openssl s_client -showcerts -servername www.example.com -connect www.example.com:443 </dev/null Without SNI If the remote server is not using SNI, then you … Read more

Fundamental difference between Hashing and Encryption algorithms

Well, you could look it up in Wikipedia… But since you want an explanation, I’ll do my best here: Hash Functions They provide a mapping between an arbitrary length input, and a (usually) fixed length (or smaller length) output. It can be anything from a simple crc32, to a full blown cryptographic hash function such … Read more
