Most Popular
1500 questions
234 votes, 7 answers
Why would you not permit Q or Z in passwords?
Jetblue's password requirements specify that, among other stringent requirements:
Cannot contain a Q or Z
I can't fathom a logical reason for this, unless it were say, extremely common for the left side of keyboards to break, but then you wouldn't…
Mark Mayo (1,913 reputation; badges: 3 gold, 13 silver, 10 bronze)
234 votes, 8 answers
What is the difference between SSL vs SSH? Which is more secure?
What is the difference between SSH and SSL? Which one is more secure, if you can compare them together?
Which has more potential vulnerabilities?
Am1rr3zA (3,093 reputation; badges: 4 gold, 19 silver, 14 bronze)
233 votes, 9 answers
Best Practice: “separate ssh-key per host and user” vs. “one ssh-key for all hosts”
Is it better to create a separate SSH key for each host and user, or just to use the id_rsa key for all hosts to authenticate? Could one id_rsa be malpractice for the privacy/anonymity policies?
having one ssh-key for all…
static (2,429 reputation; badges: 2 gold, 14 silver, 7 bronze)
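A per-host key layout in OpenSSH client configuration, added here as an example; it is not part of the question or of any answer on the page, and the host aliases, hostnames, user names and key file names are placeholders:

```sshconfig
# ~/.ssh/config  (added example; hosts, users and key names are placeholders)
# Generate one key per host or role, for instance:
#   ssh-keygen -t ed25519 -f ~/.ssh/id_ed25519_gitserver -C "alice@gitserver"

Host gitserver
    HostName git.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_gitserver
    # Offer only the key named above, not every key loaded in the agent.
    # Without this, ssh tries each loaded key in turn, so every server you
    # connect to can see (and log) the public halves of keys meant for
    # other servers, which is exactly the cross-host linkability the
    # question worries about.
    IdentitiesOnly yes

Host prod-bastion
    HostName bastion.example.net
    User alice-ops
    IdentityFile ~/.ssh/id_ed25519_bastion
    IdentitiesOnly yes

# Catch-all: anything not matched above still gets IdentitiesOnly, so a
# stray "ssh somehost" does not present the whole key set.
Host *
    IdentitiesOnly yes
```

`IdentitiesOnly yes` is the setting that actually enforces the separation; a separate key file per host without it still leaks the other public keys during authentication.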
228 votes, 15 answers
Tracing the location of a mobile IP from an email
I'm a TV scriptwriter - and not hugely tech-savvy, so please bear with me...
If the police have an email, sent by a suspect over a 3G or 4G network, could they use the IP address (since they know when it was sent) to find out - from the service…
kjh03 (1,681 reputation; badges: 2 gold, 10 silver, 5 bronze)
226 votes, 1 answer
How exactly does the OpenSSL TLS heartbeat (Heartbleed) exploit work?
I've been hearing more about the OpenSSL Heartbleed attack, which exploits some flaw in the heartbeat step of TLS. If you haven't heard of it, it allows people to:
Steal OpenSSL private keys
Steal OpenSSL secondary keys
Retrieve up to 64kb of…
user43639
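The mechanism behind the question, as an added example that is not part of the question or its answer: a simulated heartbeat handler that trusts the message's own `payload_length` field (the bug) next to one that checks it against the length of the record actually received (the shape of the OpenSSL fix). The "process memory" is a constructed bytearray with a made-up secret placed right after the incoming record; message layout follows RFC 6520 (type, 2-byte length, payload, at least 16 bytes of padding).

```python
import struct

# RFC 6520 heartbeat message: type(1) | payload_length(2) | payload | padding(>=16)
HB_REQUEST, HB_RESPONSE = 1, 2
PADDING = 16

def build_heartbeat(claimed_len, payload):
    """Build a HeartbeatRequest whose length field may lie about the payload size."""
    return struct.pack("!BH", HB_REQUEST, claimed_len) + payload + b"\x00" * PADDING

def vulnerable_handler(memory, record_off, record_len):
    """Pre-fix behaviour: trust payload_length and copy that many bytes from where
    the payload starts, regardless of how long the received record really is."""
    _hb_type, payload_len = struct.unpack_from("!BH", memory, record_off)
    payload_start = record_off + 3
    # memory is the simulated heap; over-reading walks into whatever sits next door
    echoed = bytes(memory[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING

def fixed_handler(memory, record_off, record_len):
    """Post-fix behaviour: silently discard the message if
    1 + 2 + payload_length + 16 exceeds the length of the record received."""
    if record_len < 1 + 2 + PADDING:
        return None
    _hb_type, payload_len = struct.unpack_from("!BH", memory, record_off)
    if 1 + 2 + payload_len + PADDING > record_len:
        return None
    payload_start = record_off + 3
    echoed = bytes(memory[payload_start:payload_start + payload_len])
    return struct.pack("!BH", HB_RESPONSE, payload_len) + echoed + b"\x00" * PADDING

def simulate(claimed_len, payload=b"ping"):
    """Lay out a constructed heap: the received record, then unrelated data that
    happens to be adjacent. Returns (vulnerable_response, fixed_response)."""
    record = build_heartbeat(claimed_len, payload)
    neighbour = b"session cookie=deadbeef; -----BEGIN RSA PRIVATE KEY-----..."  # constructed
    memory = bytearray(record + neighbour + b"\x00" * 64)
    return (vulnerable_handler(memory, 0, len(record)),
            fixed_handler(memory, 0, len(record)))

def leaked_bytes(response, payload=b"ping"):
    """Everything the client gets back beyond an echo of what it actually sent."""
    if response is None:
        return b""
    _hb_type, payload_len = struct.unpack_from("!BH", response, 0)
    return response[3 + len(payload):3 + payload_len]

if __name__ == "__main__":
    vuln, fixed = simulate(claimed_len=64)
    print("vulnerable server leaked:", leaked_bytes(vuln))
    print("fixed server answered:", fixed)
```

With a 4-byte payload and `claimed_len=64` the vulnerable handler returns 60 bytes it was never sent, including the adjacent "secret"; the 16-bit length field is why a single request can pull up to 64 KB. The fixed handler drops the message. Repeating the request with different heap layouts is what turns this into key recovery in practice.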
226 votes, 9 answers
How should I distribute my public key?
I've just started to use GPG and created a public key. It is kind of pointless if no-one knows about it. How should I distribute it? Should I post it on my profile on Facebook and LinkedIn? How about my blog? What are the risks?
Roger C S Wernersson (3,140 reputation; badges: 4 gold, 20 silver, 12 bronze)
223 votes, 13 answers
Is there any reason to not show users incorrectly entered passwords after a successful login?
Our client has come up with the requirement that in case the username in question has had multiple failed login attempts, the incorrectly entered password(s) must be shown once a successful login is performed. Correctly entered information,…
RaunakS (2,043 reputation; badges: 2 gold, 10 silver, 10 bronze)
217 votes, 7 answers
Does https prevent man in the middle attacks by proxy server?
There is a desktop client A connecting to website W in a https connection
A --> W
Somehow between A and W, there is a proxy G.
A --> G --> W
In this case, will G be able to get the certificate which A
previously got from W?
If G can get the…
jojo (2,281 reputation; badges: 3 gold, 14 silver, 4 bronze)
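The A → G → W scenario worked through in code, as an added example that is not part of the question or any answer. It models what the client does with the certificate it is handed: check that it chains to a CA in the client's trust store, check the name, then encrypt a fresh premaster secret to the certificate's public key. G can of course obtain W's certificate (it is sent in the clear), but the handshake only completes for a peer that holds the matching private key. The RSA here is textbook RSA with six-digit primes and a truncated hash, purely for illustration; the CA names, hostnames and key values are made up.

```python
import hashlib, math

# --- Toy textbook RSA, illustration only: tiny primes, no padding, never use for real keys ---
def keygen(p, q, e=65537):
    n, phi = p * q, (p - 1) * (q - 1)
    assert math.gcd(e, phi) == 1
    return (n, e), (n, pow(e, -1, phi))        # (public, private); pow(e, -1, m) needs Python 3.8+

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def tbs(subject, issuer, pub):
    """The to-be-signed part of a toy certificate."""
    return f"{subject}|{issuer}|{pub[0]}|{pub[1]}".encode()

def issue(ca_name, ca_priv, subject, subject_pub):
    return {"subject": subject, "issuer": ca_name, "pub": subject_pub,
            "sig": sign(ca_priv, tbs(subject, ca_name, subject_pub))}

def client_handshake(trust_store, cert, expected_host, peer_priv):
    """Client A's side. Validate the presented certificate, then encrypt a premaster
    secret to its public key. Only the holder of the matching private key (peer_priv
    is whatever the machine at the other end of the socket really has) can recover it."""
    ca_pub = trust_store.get(cert["issuer"])
    if ca_pub is None or not verify(ca_pub, tbs(cert["subject"], cert["issuer"], cert["pub"]), cert["sig"]):
        return "rejected: issuer not trusted or signature invalid"
    if cert["subject"] != expected_host:
        return "rejected: name mismatch"
    premaster = 0x2a2a2a
    n, e = cert["pub"]
    n_peer, d_peer = peer_priv
    recovered = pow(pow(premaster, e, n), d_peer, n_peer)
    return "established" if recovered == premaster else "failed: peer cannot decrypt premaster"

def scenarios():
    public_ca_pub, public_ca_priv = keygen(1000003, 1000033)   # a CA that ships in A's trust store
    w_pub, w_priv = keygen(999983, 1000037)                    # website W's key pair
    g_pub, g_priv = keygen(1000039, 1000081)                   # proxy G's key pair
    corp_ca_pub, corp_ca_priv = keygen(1000099, 1000117)       # a CA that G controls (e.g. corporate interception CA)

    w_cert = issue("PublicCA", public_ca_priv, "w.example", w_pub)
    g_cert_for_w = issue("CorpCA", corp_ca_priv, "w.example", g_pub)   # G mints a cert for W's name

    default_store = {"PublicCA": public_ca_pub}
    store_with_corp_ca = {"PublicCA": public_ca_pub, "CorpCA": corp_ca_pub}

    return {
        # 1. G relays W's genuine certificate but answers with its own private key
        "forward W's cert": client_handshake(default_store, w_cert, "w.example", g_priv),
        # 2. G presents its own certificate for W's name, signed by a CA A does not trust
        "forged cert, CA untrusted": client_handshake(default_store, g_cert_for_w, "w.example", g_priv),
        # 3. Same forged certificate, but CorpCA has been installed on A
        "forged cert, CA trusted": client_handshake(store_with_corp_ca, g_cert_for_w, "w.example", g_priv),
        # 4. No proxy in the path
        "direct to W": client_handshake(default_store, w_cert, "w.example", w_priv),
    }

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:28s} -> {outcome}")
```

The only path on which G reads the traffic is scenario 3, where A has been made to trust G's CA; that is the corporate-proxy or malware-installed-root case, and it is also why browsers pin or log issuances for high-value names. In scenarios 1 and 2 G is limited to relaying opaque ciphertext (or to observing the plaintext SNI and certificate, which is metadata, not content).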
215 votes, 4 answers
Is a rand from /dev/urandom secure for a login key?
Let's say I want to create a cookie for a user. Would simply generating a 1024 bit string by using /dev/urandom, and checking if it already exists (looping until I get a unique one) suffice?
Should I be generating the key based on something else? Is…
Incognito (5,244 reputation; badges: 5 gold, 29 silver, 31 bronze)
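An added example (not from the question or any answer) of the scheme the question proposes, sized sensibly: tokens come from the OS CSPRNG via the `secrets` module, which reads the same source as /dev/urandom; the server stores only a hash of each token so a database leak does not hand out live cookies; and two small functions make the numbers behind "is 1024 bits needed?" and "do I need a uniqueness loop?" concrete. The `SessionStore` class and its method names are this example's own.

```python
import hashlib
import secrets

TOKEN_BYTES = 32   # 256 bits; 128 is already beyond any guessing attack, 1024 buys nothing

class SessionStore:
    """Issue and check random session tokens, keeping only a hash of each."""
    def __init__(self):
        self._sessions = {}          # sha256(token) -> user

    def issue(self, user):
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG-backed, URL-safe base64
        self._sessions[self._key(token)] = user
        return token                                  # handed to the client as the cookie value

    def lookup(self, token):
        # Lookup by hash: an attacker who dumps the table still cannot forge a cookie,
        # and the hash step removes any timing signal from the comparison.
        return self._sessions.get(self._key(token))

    def revoke(self, token):
        self._sessions.pop(self._key(token), None)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

def collision_probability(issued, bits):
    """Birthday bound: chance that any two of `issued` random tokens of `bits` bits
    collide, approximately issued^2 / 2^(bits+1). At 128+ bits this is so small
    that the "loop until unique" check in the question never fires."""
    return issued ** 2 / 2 ** (bits + 1)

def expected_guesses(bits, active_sessions):
    """Expected number of online guesses to hit *any* live session, 2^bits / active.
    Shows the token only has to outrun the number of concurrent sessions."""
    return 2 ** bits / active_sessions

if __name__ == "__main__":
    store = SessionStore()
    t = store.issue("alice")
    print(len(t), "chars;", store.lookup(t), store.lookup("not-a-token"))
    print("collision chance for 1e9 tokens @256 bits:", collision_probability(10**9, 256))
    print("guesses to hit one of 1e6 sessions @128 bits:", expected_guesses(128, 10**6))
```

Two things the question's design gets wrong in opposite directions: 1024 bits is wasted space (the cookie must survive header limits and logs), and looping for uniqueness is unnecessary at any reasonable size. What does matter is the random source (a CSPRNG, not `random`), a bound lifetime, and hashing at rest.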
213 votes, 5 answers
What is a specific example of how the Shellshock Bash bug could be exploited?
I read some articles (article1, article2, article3, article4) about the Shellshock Bash bug (CVE-2014-6271 reported Sep 24, 2014) and have a general idea of what the vulnerability is and how it could be exploited. To better understand the…
Rob Bednark (1,435 reputation; badges: 3 gold, 10 silver, 9 bronze)
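From the defender's side, an added example (not from the question or any answer) of the delivery vector the question is about: with CGI, HTTP request headers become environment variables of the spawned bash process, so a header value shaped like an exported function definition is the tell. The detector below scans constructed web-server access-log lines (not real traffic) for that shape in the referer and user-agent fields; the log format is assumed to be Apache/nginx Combined Log Format.

```python
import re

# A bash function export starts with "() {". Vulnerable bash (CVE-2014-6271)
# kept parsing past the function body and executed what followed the closing
# brace. The pattern is deliberately loose: matching on the prefix alone catches
# the variants, at the cost of the odd false positive from JavaScript in a referer.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

def is_shellshock_attempt(header_value):
    return bool(SHELLSHOCK_RE.search(header_value))

def scan_access_log(lines):
    """Return (client_ip, offending_field) for each line whose referer or user-agent
    looks like a function-export payload. Assumes Combined Log Format:
    ip - - [time] "request" status bytes "referer" "user-agent"."""
    hits = []
    for line in lines:
        quoted = re.findall(r'"([^"]*)"', line)      # request, referer, user-agent
        for field in quoted[1:]:                     # skip the request line itself
            if is_shellshock_attempt(field):
                hits.append((line.split()[0], field))
                break
    return hits

# Constructed sample lines; the payloads only run echo/uname on a vulnerable host
SAMPLE_LOG = [
    '203.0.113.7 - - [25/Sep/2014:10:01:12 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :; }; /bin/echo shocked"',
    '198.51.100.3 - - [25/Sep/2014:10:02:01 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [25/Sep/2014:10:02:44 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "() { ignored; }; uname -a" "curl/7.37"',
]

if __name__ == "__main__":
    for ip, field in scan_access_log(SAMPLE_LOG):
        print(f"{ip}: {field}")
```

Log-based detection only sees the attempt, not whether the CGI script actually ran under a vulnerable bash; pair it with the patch status of the host, and remember that any other path from attacker-controlled input into an environment variable (DHCP client hooks, `ForceCommand` in sshd, qmail) is the same bug with a different log.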
210 votes, 10 answers
What should you do if you catch encryption ransomware mid-operation?
You boot up your computer one day and while using it you notice that your drive is unusually busy. You check the System Monitor and notice that an unknown process is using the CPU and both reading and writing a lot to the drive. You immediately do a…
Fiksdal (3,117 reputation; badges: 3 gold, 20 silver, 29 bronze)
209 votes, 4 answers
Is Plaid, a service which collects user’s banking login information, safe to use?
I recently signed up for Privacy.com, which uses a service called Plaid to link a bank account. To do this, it requires the user to provide their banking username and password to a webpage from Plaid, not their bank. Then, Plaid accesses the…
gfrung4 (2,669 reputation; badges: 3 gold, 9 silver, 8 bronze)
205 votes, 10 answers
How safe are password managers like LastPass?
I use LastPass to store and use my passwords, so I do not have duplicate passwords even if I have to register four to five different accounts a day, and the passwords are long.
How safe are password manager services like LastPass? Don't they create…
blended (2,871 reputation; badges: 3 gold, 17 silver, 16 bronze)
205 votes, 6 answers
How secure is 'blacking out' sensitive information using MS Paint?
I'm wondering if it's safe to black out sensitive information from a picture just by using Microsoft Paint?
Let's take in this scenario that EXIF data are stripped and there is no thumbnail picture, so that no data can be leaked in such a way.
But…
Mirsad (10,195 reputation; badges: 8 gold, 34 silver, 54 bronze)
204 votes, 7 answers
How do mobile carriers know video resolution over HTTPS connections?
Verizon is modifying their "unlimited" data plans. Customers in the USA can stream video at 480p -or- pay to unlock higher resolutions (both 720p and +1080p). They are not the only mobile carrier to implement rules like this.
If I am on a site that…
raithyn (1,843 reputation; badges: 2 gold, 9 silver, 10 bronze)
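An added example (not from the question or any answer) of the two things a carrier can see without breaking TLS: the server name, which the client sends in the clear in the ClientHello's SNI extension, and the flow's sustained throughput, which tracks the video bitrate. The ClientHello below is constructed, not captured, and the bitrate thresholds are rough assumptions for adaptive-bitrate video, not any carrier's actual rules.

```python
import struct

def build_client_hello(hostname):
    """Construct a minimal TLS 1.2 ClientHello record with just an SNI extension."""
    name = hostname.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name(0), length, name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list          # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                    # version, random, empty session id
            + b"\x00\x02\x13\x01" + b"\x01\x00" + exts)             # one cipher suite, null compression
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body       # handshake type client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record):
    """Walk record -> handshake -> extensions and return the host_name, or None.
    This is what a middlebox does to learn which service a flow is going to."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9                                                     # record header (5) + handshake header (4)
    p += 2 + 32                                               # client_version + random
    p += 1 + record[p]                                        # session_id
    p += 2 + struct.unpack_from("!H", record, p)[0]           # cipher_suites
    p += 1 + record[p]                                        # compression_methods
    if p + 2 > len(record):
        return None                                           # no extensions at all
    ext_end = p + 2 + struct.unpack_from("!H", record, p)[0]
    p += 2
    while p + 4 <= ext_end:
        etype, elen = struct.unpack_from("!HH", record, p)
        p += 4
        if etype == 0:
            q = p + 2                                         # skip server_name_list length
            ntype, nlen = record[q], struct.unpack_from("!H", record, q + 1)[0]
            if ntype == 0:
                return record[q + 3:q + 3 + nlen].decode()
        p += elen
    return None

# Assumed thresholds (kbit/s) for adaptive-bitrate video; real ladders vary by service and codec
RESOLUTION_LADDER = [(4500, "1080p or higher"), (2500, "720p"), (1000, "480p")]

def classify_stream(bytes_per_second, window=10):
    """Estimate sustained bitrate from per-second byte counts of an encrypted flow and
    map it to the highest rung of the ladder it exceeds. Encryption hides the frames
    but not how many bytes arrived per second."""
    kbps = [b * 8 / 1000 for b in bytes_per_second]
    if not kbps:
        return "no traffic"
    w = min(window, len(kbps))
    sustained = max(sum(kbps[i:i + w]) / w for i in range(len(kbps) - w + 1))
    for threshold, label in RESOLUTION_LADDER:
        if sustained >= threshold:
            return label
    return "below 480p / not video"

if __name__ == "__main__":
    hello = build_client_hello("video.example.com")            # placeholder hostname
    print("SNI:", extract_sni(hello))
    print("5 Mbit/s flow:", classify_stream([625_000] * 30))
    print("1.5 Mbit/s flow:", classify_stream([187_500] * 30))
```

Once the SNI says the flow is a known video host and the throughput says it is running above the plan's cap, the carrier does not need to see a single frame; it simply rate-limits the flow so the player's adaptive-bitrate logic steps down to 480p on its own. Encrypted Client Hello would hide the hostname, but not the bitrate.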