Remember, as the defender, you must win 100% of the time. A hacker only needs to win once.

Security Base Info

  1. 1 Is my developer's home-brew password security right or wrong, and why? 19
  2. 2 Where could I submit my algorithm? 5
  3. 3 Apache Server Hardening 11
  4. 4 Everything you ever wanted to know about building a secure password reset feature 5
  5. 5 Certificate based authentication vs Username and Password authentication 7

Difference between encrypting and hashing

An encrypted password is like anything else which has been encrypted: it has been rendered unreadable through a process which used an extra piece of secret data (the key) and which can be reversed with knowledge of the same key (or of a distinct, mathematically related key, in the case of asymmetric encryption).

For password hashing, on the other hand, there is no key. The hashing process is like a meat grinder: there is no key, everybody can operate it, but there is no way to get your cow back in full moo-ing state. Whereas encryption would be akin to locking the cow in a stable.

Blogs

  1. 1 Stack Exchange Security Blog 8
  2. 2 The Hacker News — leading source of Information 3
  3. 3 Defuse Security Research and Development 6
  4. 4 TechFoxy 5
  5. 5 Ekransystem 0
  6. 6 Apriorit Blog 0

Hall of Shame

  1. 1 Password Policy Hall of SHAME 25
  2. 2 SQLi Hall-of-Shame 11
  3. 3 Electronic Arts Hates Strong Passwords 3
  4. 4 CRN 3

About Password Hashing

  1. 1 Why passwords should be hashed 10
  2. 2 About Secure Password Hashing 5
  3. 3 How to securely hash passwords? 2
  4. 4 Pre-hash password before applying bcrypt to avoid restricting password length 1
  5. 5 Why are hash functions one way? If I know the algorithm, why can't I calculate the input from it? 2
  6. 6 How to store salt? 2
  7. 7 Password Hashing add salt + pepper or is salt enough? 4
  8. 8 Salt Generation and open source software 3

Latest Info

  1. 1 NIST temporarily closed — will that have a negative impact the future of cryptography? 4

Understanding Encryption

  1. 1 HTG Explains: What is Encryption and How Does It Work? 3
  2. 2 What is the lowest level of mathematics required in order to understand how encryption algorithms work? 1
  3. 3 Encryption Basics: It's Not a Mystical Science 1
  4. 4 HowStuffWorks "Security Encryption Systems" 1
  5. 5 Why AES is not used for secure hashing, instead of SHA-x 2

Using The Algorithms

  1. 1 Do any security experts recommend bcrypt for password storage? 5
  2. 2 Would it make sense to use Bcrypt and PBKDF2 together? 1
  3. 3 Recommended # of iterations when using PKBDF2-SHA256? 2
  4. 4 Password Encryption: PBKDF2 (using sha512 x 1000) vs Bcrypt 3
  5. 5 What password-based encryption to use with standard Java 6? 2

Security Terms

  1. 1 Cross-Site Request Forgery Guide: Learn All About CSRF Attacks and CSRF Protection 5
  2. 2 Cross-site scripting 4
  3. 3 HTTP referer 4
  4. 4 Kerckhoffs's principle 5
  5. 5 Rainbow table 4
  6. 6 Cryptographic hash function 1
  7. 7 Moore's law 1
  8. 8 Birthday Paradox 2

How?

  1. 1 How does changing your password every 90 days increase security? 5
  2. 2 How is it possible that people observing an HTTPS connection being established wouldn't know how to decrypt it? 2
  3. 3 How to implement web application self password reset mechanisms properly? 2
  4. 4 How is “hacking” even possible if I “defend” properly? 1
  5. 5 How to write an email regarding IT Security that will be read, and not ignored by the end user? 0
  6. 6 Everything you ever wanted to know about building a secure password reset feature 0
  7. 7 How can I avoid my password being harvested by key loggers from internet cafes? 2
  8. 8 How reliable is a password strength checker? 0

Other Interesting Questions

  1. 1 What are the pros and cons of site wide SSL (https)? 4
  2. 2 Information Security Stack Exchange 3
  3. 3 What are rainbow tables and how are they used? 0
  4. 4 Is sending password to user email secure? 0
  5. 5 Are passwords stored in memory safe? 1
  6. 6 SQL injection — but why isn't escape quotes safe anymore? 1
  7. 7 Passwords Being Sent in Clear Text Due to Users' Mistake in Typing it in the Username Field 1
  8. 8 Can webcams be turned on without the indicator light? 3

Recommended Algorithms

  1. 1 PBKDF2 3
  2. 2 bcrypt 3
  3. 3 The scrypt key derivation function and encryption utility 2
  4. 4 Keccak Team 1
  5. 5 WHIRLPOOL 0

Popular Attacks

  1. 1 Session fixation 7
  2. 2 Session fixation Software Attack 7
  3. 3 Dictionary attack 4
  4. 4 SQL injection 3
  5. 5 Brute Force Attack Software Attack 2
  6. 6 Cross Site Scripting (XSS) Software Attack 4
  7. 7 Cross Site Request Forgery (CSRF) 3
  8. 8 Denial of Service Software Attack 3

General Articles

  1. 1 Cookie Monster: The Unnoticed Threat Of Open Wi-Fi 8
  2. 2 How To Safely Store A Password 2
  3. 3 USENIX Technical Program 0
  4. 4 Chocolate the key to uncovering PC passwords 1
  5. 5 Security Attacks 4
  6. 6 25-GPU cluster cracks every standard Windows password in under 6 hours 1
  7. 7 Practical Cryptography and the Birthday Attack 0
  8. 8 Would RSA make sense if we used no computers? 0

Why?

  1. 1 Why not use larger cipher keys? 1
  2. 2 Why is AES considered to be secure? 2
  3. 3 Altering passwords before storing 0
  4. 4 CTRL+ALT+DEL Login – Rationale behind it? 2
  5. 5 Why do websites show “Username and/or Password Invalid” instead of informing the user which one was wrong? 2
  6. 6 Why do sites implement locking after 3 failed password attempts? 2
  7. 7 Does disabling right click have any impact on security? 0
  8. 8 Why not allow spaces in a password? 1

Check Code

  1. 1 Confidently secure apps you build and manage with Veracode 3

Javascript encryption - Don't

  1. 1 MEGApwn 1
  2. 2 Javascript Cryptography Considered Harmful 4
  3. 3 If you must : Stanford Javascript Crypto Library 2
  4. 4 Long-term storage for Google Code Project Hosting. 0
  5. 5 Domain geparkt 0
  6. 6 JavaScript Encryption and Decryption 0

Community

  1. 1 Information Security Stack Exchange 2
  2. 2 Cryptography Stack Exchange 0
  3. 3 Reddit crypto 1
  4. 4 Reddit Codes and ciphers 0
  5. 5 Reddit Web Security 0
  6. 6 Reddit Computer Security 1
  7. 7 Wilders Security Forums 0

Points of view

  1. 1 Unlimited Novelty 2
  2. 2 Are NIST's changes to Keccak/SHA-3 problematic? 0
  3. 3 Comparison of DES, Triple DES, AES, blowfish encryption for data 0

Spring Security

  1. 1 Control the Session with Spring Security 4
  2. 2 Ten Things You Can Do With Spring Security 6
  3. 3 Spring Security 3.1: Multiple http, Stateless, Debug, Crypto, HttpOnly, Custom form-login Params 5

Tools

  1. 1 Top Five Hacker Tools Every CISO Should Understand 15
  2. 2 WinPcap 4
  3. 3 Spector 360 2
  4. 4 Employee Monitoring Software 4
  5. 5 Cookie Cadger 7
  6. 6 Shamir's Secret Sharing Scheme - DEMO 2
  7. 7 See who's switched to SSL 1
  8. 8 Ekransystem 0

Difference between terms

  1. 1 Hash function 1
  2. 2 Cryptographic hash function 1
  3. 3 What is the difference between https://google.com and https://encrypted.google.com? 3

Documentation

  1. 1 A Future-Adaptable Password Scheme 2

Safely Erase Confidential Information

  1. 1 How to Destroy a CD or DVD 6
  2. 2 How do you destroy an old hard drive? 4
  3. 3 Secure hard drive disposal: How to erase confidential information 1
  4. 4 How can I reliably erase all information on a hard drive? 0

Java Implementations

  1. 1 Java simplified encryption 1
  2. 2 A free Java implementation of RFC 2898 / PKCS#5 PBKDF2 2
  3. 3 How to generate secure password hash : MD5, SHA, PBKDF2, BCrypt examples in Java 3
  4. 4 Implementation of Bcrypt algorithm in hardware 1
  5. 5 ImmediateCrypt - AES 256 2
  6. 6 Encryption and Decryption of Data using AES algorithm 5
  7. 7 AES 256 bits encrypter/decrypter 2

Migration

  1. 1 Changing the hashing function on a pre-existing database 0
  2. 2 How to migrate passwords to a different hashing method 0

Other Implementations

  1. 1 PBKDF2 Password Hashing for PHP 4
  2. 2 PBKDF2 Source Code (PKCS#5 v2.0) in C 2
  3. 3 CodePlex Archive 0
  4. 4 How to use bcrypt in PHP to safely store passwords 0

Glossary

  1. 1 Common types of application security attacks 2
  2. 2 Encryption algorithms 0

Bad Practices

  1. 1 The six dumbest ways to secure a wireless LAN 5
  2. 2 ircmaxell's blog: Seven Ways To Screw Up Bcrypt (php) 0

Configure Tomcat to use SSL

  1. 1 Setting Up SSL on Tomcat in 5 minutes 1
  2. 2 Apache Tomcat 6.0 (6.0.53) 1
  3. 3 SSL/TLS Configuration HOW-TO 3
  4. 4 How to bypass the built in security check in Java 2
Confirm
Follow page
Suggest
Message Dafinoiu Iulian
Report link