sechilds + security:password   28

“username or password incorrect” is bullshit – Hacker Noon
There’s a security best practice where sign ins aren’t supposed to say “password is incorrect”. The idea is if an attacker knows a username, he or she could concentrate on that account using SQL injection, brute forcing the password, phishing, and so on. Only the dumbest, laziest hacker is stopped by the “username or password is incorrect” sign in. Stripe has their form submission behind reCAPTCHA to prevent naive scripts attacking their sign up. To prevent attackers from knowing whether an account exists or not your signup must only take an email address and provide no feedback in the UI if the sign up succeeded or not.
security:computer  security:password 
december 2017 by sechilds
Passwords, Hashing, and Salt
>Over on twitter, some folks were chatting about the latest big security botch. A major service, called Evernote, had a security breach where a password file was stolen. Evernote has handled the situation quite well, being open about what happened, and explaining the risks.

>In their description of the breach, they said that the stolen passwords were "both hashed and salted". Apparently this sounds funny to people outside of software. (Amazing how jargon becomes so ingrained that I didn't even notice the fact that it could be interpreted in a funny way until it was pointed out to me!)

>Anyway, since discussion of this is going around, I thought I'd explain just what password hashing and salting means.
security:password  from instapaper
december 2013 by sechilds
Strong Password Generator
> Yes. This website generates new passwords here in your browser, using JavaScript. This website does not send new passwords across the internet.
javascript  security:password 
october 2013 by sechilds
Why passwords have never been weaker—and crackers have never been stronger
In late 2010, Sean Brooks received three e-mails over a span of 30 hours warning that his accounts on LinkedIn and other popular websites were at risk. He was tempted to dismiss them as hoaxes—until he noticed they included specifics that weren't typical of mass-produced phishing scams. The e-mails said that his login credentials for various Gawker websites had been exposed by hackers who rooted the sites' servers, then bragged about it online; if Brooks used the same e-mail and password for other accounts, they would be compromised too.

The warnings Brooks and millions of other people received that December weren't fabrications. Within hours of anonymous hackers penetrating Gawker servers and exposing cryptographically protected passwords for 1.3 million of its users, botnets were cracking the passwords and using them to commandeer Twitter accounts and send spam. Over the next few days, the sites advising or requiring their users to change passwords expanded to include Twitter, Amazon, and Yahoo.

"The danger of weak password habits is becoming increasingly well-recognized," said Brooks, who at the time blogged about the warnings as the Program Associate for the Center for Democracy and Technology. The warnings, he told me, "show [that] these companies understand how a security breach outside their systems can create a vulnerability within their networks."

The ancient art of password cracking has advanced further in the past five years than it did in the previous several decades combined. At the same time, the dangerous practice of password reuse has surged. The result: security provided by the average password in 2012 has never been weaker.
security:computer  security:internet  security:password  from instapaper
august 2012 by sechilds
janlelis/pws · GitHub
pws is a command-line password safe/manager written in Ruby.
ruby  security:computer  security:password 
june 2012 by sechilds
Good to Know – Google
Good to know: Practical guidance on safe passwords, keeping online accounts secure & more on a new site
security  security:password  from twitter_favs
october 2011 by sechilds
Pinboard Status
Status update: Please change your password if you ever connected your Instapaper and Pinboard accounts.
security:password  from twitter_favs
june 2011 by sechilds
Another day, another Dropbox security fail: login with any password? via
security  Dropbox  security:password  from twitter_favs
june 2011 by sechilds
Ben Reyes's posterous
If you do, anybody can have access to your account, your emails, passwords, calendar and all of your social network accounts. That might not seem like much but to a social engineer (Black Hat Security) it's a goldmine.
Old expired domains with Google Apps accounts that are picked up by new owners will…
security:password  from readability
may 2011 by sechilds
The Only Secure Password Is the One You Can’t Remember
The Only Secure Password Is the One You Can’t Remember (via Instapaper)
security  security:password  from instapaper
march 2011 by sechilds