Archive for the ‘Security’ Category

Terrible Password Security Advice From Jakob Nielsen

Jakob Nielsen today wrote an article calling for all log-in forms to display passwords in plaintext, rather than masking them with bullets or stars. He argues that this increases usability (users feel more confident because they can see their password as they type it), and also increases security (a more confident user will choose stronger [...]

More Trouble with Twitter: The StalkDaily Worm

Twitter has had a lot of embarrassing security problems in the past, but the worst part is that they still haven’t learned from their mistakes. Apparently a recent redesign left the profile page vulnerable to a very simple XSS attack.
Some enterprising hacker quickly seized the opportunity to promote Twitter-clone StalkDaily by infecting the profiles of [...]

Cracking a Software License Scheme

In his latest blog post, Andy Sloane issued a challenge to create a key-generator for his bespoke software licensing scheme.
Looking through his code, I quickly found that he was using RSA, and that valid keys decrypted to 12345678 under a hardcoded RSA public key.
In my response on the Reddit discussion, I explained creating a keygen [...]

Are You a Brute-Force Enabler?

Jimmy Ruska has taken the time to combine data from 3 compromised-password lists, and the results are pretty interesting.
If an attacker can try just a single password against every user on your web application, he’ll compromise about 1% of them. Even with a fairly stringent 3-attempt lockout policy, about 2-3% of your users will be [...]

Haddock: Generate Memorable Passwords in Ruby

Newly released RubyGem Haddock offers to generate easy-to-remember passwords, but how secure are they?
Haddock-generated passwords are of the form {word}{number}{symbol}{word}, and are generated to be at most as long as a user-specified length. So for example, an 8-character Haddock password might be “amy7@rax”.
For a relatively low-security password, like you might use for your Twitter account, this is [...]