98 votes (accepted)
Is it a security vulnerability to declare class members as public?
Access modifiers like public/private/protected are not intended as a security boundary. And since C++ is not a memory-safe language, this cannot be a security boundary.
The laziest “attack” to access ...
96 votes
What is the purpose of identifier-first login screens?
This is common with federated identity systems where a service authenticates users from many identity providers.
Your email address is used to look up which identity provider can authenticate you. ...
59 votes (accepted)
SQL sanitizing in code with no user input
If there is never any user input at all, or the program is only used internally, the importance of sanitizing should be reduced.
But there are still a few possible reasons to always do so
If all ...
58 votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
This is a really good example of insecure authentication, justified on the basis that if the site is compromised it is not possible to identify the person. If that's the case, why do we even need a ...
54 votes
What is the purpose of identifier-first login screens?
The purpose of this is to redirect to the account's identity provider. However the use case is not selecting between personal login providers such as Facebook or Google. It's to support organisational ...
47 votes
Is Password Hashing Bad?
This is a reasonable point being justified using incorrect claims.
The issue here isn't about having users enter passwords. How do you think they're going to log in to Google/Facebook/any other third ...
40 votes
SQL sanitizing in code with no user input
Parameterised queries should be your standard approach to all SQL. If you are trying to find reasons why you don't have to use them, then you are doing yourself a disservice.
In your example you have ...
34 votes
SQL sanitizing in code with no user input
By using parameterized queries your SQL server doesn't have to recalculate the query execution plan each time you use a query.
This can improve performance for queries run often.
30 votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
"Never store passwords in plain text" is not a rule. It is a best practice based on common security breaches on naive implementations of password protections.
In that sense, the question:
Is this ...
27 votes
Why should I never ever ever use Java serialization?
Any time you deserialize an object by calling ObjectInputStream.readObject, you have a remote code execution vulnerability: if someone can make you deserialize the wrong bytes, they can run any ...
25 votes
Authentication and authorisation for people with intellectual disabilities
Users don't care.
Mental disorder or not, users simply don't care as much as you do about security. You could set up two factor, OTP, even physical keys and users will still wander off to the bathroom ...
22 votes
Why should I never ever ever use Java serialization?
"never" is a strong word. However, when the official documentation of a class starts with a bold security warning:
Warning: Deserialization of untrusted data is inherently dangerous and ...
21 votes
Is Password Hashing Bad?
The specific claim: "Password hashing is bad" is somewhat odd. If you are supporting passwords, hashing is pretty important. The more interesting and more contentious (based on the other ...
20 votes (accepted)
Difference between 'aud' and 'iss' in jwt
These are intended for scenarios where you have a token issuing authority that is not the same as the application that is the intended recipient.
This may not be different for your application.
But ...
20 votes (accepted)
Hiding non-user-facing executables for Windows applications?
There are easier ways to achieve the desired effect for the overwhelming majority of your users.
Clearly write in your documentation that the set of internal tools that get shipped is subject to ...
17 votes (accepted)
Should we store JWTs in database?
The positives/pros I can see of storing the JWT token in our database would be that even after assigning the token we will have the power to invalidate or deactivate the existing tokens even before ...
17 votes
Authentication and authorisation for people with intellectual disabilities
Two obvious things.
One, there's an inadequate specification of who the security measures need to resist, and/or who stands to gain from unauthorised access. No system is wholly resistant to ...
15 votes
If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password?
One way to implement this is if you reset password, you are usually asked to enter your old password as well. You can simply just use regular string similarity comparison in that situation because you ...
14 votes
Is it a security vulnerability to declare class members as public?
Using public and private correctly (and following good practices in general) helps you write better code with fewer bugs, and code with fewer bugs is typically harder for an attacker to exploit. ...
14 votes (accepted)
Is masking an entered password security through obscurity?
Rather than the hand-waving "security via obscurity", I think you're best taking Kerckhoffs's principle:
a cryptosystem should be secure, even if everything about the system, except the key, ...
13 votes
How can we learn from Flash's vulnerabilities?
I disagree with Michael's reply. Sandboxing based on blacklisting or whitelisting does work if you implement it correctly, as then there is no way that running code can ever circumvent it. Otherwise ...
12 votes
If passwords are stored hashed, how would a computer know that your password is similar to the last one if you try resetting your password?
The simple answer is that a secure system does not know if they are similar.
But some systems intentionally reduce the security for a specific password in some ways to prevent new passwords from being ...
12 votes
Why must API keys be kept private?
It depends on what the API key does. However, if the API key is giving you access to something or controlling your access to something, why would you want other people to piggyback on the resources ...
11 votes (accepted)
During account creation, is it better to generate the password automatically and send it to the user, or to let the user create his own password?
The advantage of the email approach is that you ensure by this way that the user did provide a valid email account that he/she controls.
However, the email channel is notoriously insecure. This means ...
10 votes (accepted)
Should access permissions and roles be included in payload of JWT?
The purpose of including claims in the token is so you don't have to have that communication between the resource and the authentication provider.
The resource can just check that the token has a ...
10 votes
Is this scenario an exception to the rule of never storing passwords in plaintext?
In short: No
If you forget your password, you ask the professor, who can look it up
I see no real reason in the question to ignore the secure authentication guidelines here. Many (too many) people ...
9 votes
Keeping sensitive data encrypted in memory
When you are talking about security, it's important to clearly define what you are worried about. This is typically called a 'threat model'. I gather that you are concerned with someone capturing ...
9 votes
Store password in open source project
You can put that sensitive data (emails, API keys) in a separate "env" file which is not added to version control but instead configured during deployment.
For ease of use you can include in VCS an "...
9 votes
How much damage can a rogue PHP developer do?
Giving a malicious developer access to any portion of your infrastructure is extremely risky. They could write code from many different points that either give them back doors to your services or, ...
9 votes (accepted)
How to avoid pushing Github Enterprise code to my personal Github account by mistake if both are configured in my work computer?
Git, on the client side, does not associate the authentication-method with the repository-address. Accidental pushes to personal repositories are thus NOT possible by simply changing the ssh-keys.
...
Related Tags
security × 932
authentication × 87
web-development × 58
passwords × 56
api × 50
encryption × 50
architecture × 48
rest × 48
web-applications × 48
php × 47
database × 43
javascript × 42
design × 36
java × 33
authorization × 33
c# × 25
web-services × 25
api-design × 22
microservices × 22
hashing × 22
login × 22
open-source × 19
programming-practices × 17
cryptography × 17
asp.net × 16