639 votes
Accepted

Why can I log in to my Facebook account with a misspelled email/password?

Facebook is allowing you to make a handful of mistakes to ease the login process. A Facebook engineer explained the process at a conference. The gist of it is that Facebook will try various ...
Allison • 4,045
185 votes
Accepted

Why would someone open a Netflix account using my Gmail address?

I think it's likely that someone is trying to trick you into paying for Netflix for them. From: https://jameshfisher.com/2018/04/07/the-dots-do-matter-how-to-scam-a-gmail-user/: More generally, the ...
jamesdlin • 2,095
153 votes
Accepted

Company does not want any names on phishing reports

This initial campaign established a baseline first. So, yes, it's normal. "How do we as a company stand? To what level do we need to train? Do we have, as a whole, secure users or do we have, as a ...
baldPrussian • 2,798
145 votes

Why is storing passwords in version control a bad idea?

The way I see it, not storing passwords in Git (or other version control) is a convention. I suppose one could decide not to enforce it with various results, but here's why this is generally frowned ...
d33tah • 6,724
145 votes

Is displaying remaining password retry count a security risk?

Locking accounts is a bad idea in the first place. It might seem like you're making your organization more secure by keeping out "bad people" who are "guessing" at passwords using brute force attacks,...
Sean Werkema • 2,980
144 votes
Accepted

Logged out of Facebook on all devices all of a sudden. Should I be worried about being hacked?

Facebook reported a data leak today and forced a large number of accounts to log off as a precaution. Source: NY Times and Facebook. That NYT article says "The company forced more than 90 million ...
Teun Vink • 6,998
143 votes
Accepted

Why can't I just let customers connect directly to my database?

TL,DR: Don't. (My-)SQL permissions are pretty fine-grained, so I'd wager there shouldn't be any obvious security issues Even with permission on the record level, it does not scale easily. If a user ...
ThoriumBR • 56.8k
129 votes

Company does not want any names on phishing reports

No, because by giving names you are assigning blame, security needs to move away from blaming individuals and instead take it as a whole. It's the same as finding a security vulnerability in a web ...
McMatty • 3,315
119 votes
Accepted

Why are files that are not assigned to a user considered a security risk?

On a Linux system you can easily delete a user without having to delete any files owned by that user. Such a file will stay in place and the file owner's user ID (which is stored as an attribute of ...
Arminius • 45.2k
115 votes
Accepted

Website returning plaintext password

Quite obviously, if they can display your password, then they are storing your password somehow. They might cache your password on the client-side when you log in (for unjustifiable reasons, like ...
schroeder • 134k
112 votes
Accepted

Is it good or bad practice to allow a user to change their username?

Many people have looked at the reasons not to allow name changes from both a security and a community standpoint. However, there are plenty of legitimate reasons to allow username changes, even if the ...
fluffy • 1,342
112 votes

Is this Paypal Github SDK reference really a dangerous site?

No, it's not dangerous at all. Your browser is warning you because a non-Paypal website has Paypal in its name. This is a common technique used by phishing sites that attempt to fool you into thinking ...
forest • 67.8k
104 votes

Employer makes me use what I believe to be an insecure website for HR functions. What to do?

To start with the easy bit: you do not have to put real information as the answers to the questions. Random strings work best if you are really paranoid and store them in a password manager just like ...
schroeder • 134k
103 votes
Accepted

Email received regarding Security flaw in website

TL;DR: It's probably well-intentioned and not a scam, but just poorly written. I don't know of any kind of scam that would be based on this. Certainly there have been attempts to extort website ...
David • 16.2k
96 votes

Why is storing passwords in version control a bad idea?

First, the non-security reason: Password Change Workflow Passwords change independently of a software application code. If a DBA changes a database password, does it make sense for developers to ...
Brandon • 971
93 votes
Accepted

Can a hacker, that knows my IP address, remotely access accounts I have left logged in on my computer?

No, they would have to have access to your browser cookies in order to abuse them to log into a site you left logged in. Merely knowing your public IP address would not allow them to log into any ...
forest • 67.8k
90 votes

Bank wants my Online-banking PIN through the telephone

It is becoming quite commonplace in the US. Many banks and other financial institutions require the caller to provide an identification number that has been set up beforehand to verify they are ...
Tracy Cramer
88 votes

Brutalized VPS recovery data now available. Considerations?

I'll start with what to do with your current system: Get in and make a backup of everything. Unless you can demonstrate major losses ($10k+), I wouldn't even begin to think about involving law ...
David • 16.2k
88 votes
Accepted

Are password managers more secure than a slightly different password for each website?

Yes, decent password managers are more secure than using any password pattern. You have a password manager, and it has created you random passwords: 6AKQ3)mcV!xX3b8-ZgncCe%tdn!&.@3X a6/...
Esa Jokinen • 19.7k
87 votes

Why can I log in to my Facebook account with a misspelled email/password?

It is long known that Facebook allows you on purpose to log in with the password case reversed or the first character capitalized (see this article). They do this while storing only a hashed password. ...
Ángel • 19.5k
83 votes
Accepted

What is the suggested best practice for changing a user's email address?

The problem I see with confirming the old email address is that sometimes people change address because they cannot access the old one anymore. For example, the old address might have expired (and ...
reed • 16k
78 votes
Accepted

Bank wants my Online-banking PIN through the telephone

In my opinion, you did the right thing. There is no situation in which you should ever be required to give up a PIN either over the phone or in person, with the exception of typing it into the (HTTPS) ...
dFrancisco • 2,781
78 votes
Accepted

Why do I need two parameters in an HTTP parameter pollution attack?

The idea would be that different parts of the server code interpret the request in different ways, resulting in an application that is vulnerable to HTTP Parameter Pollution. For your example /...
Tobi Nary • 14.5k
78 votes
Accepted

The most secure way to handle someone forgetting to verify their account?

What I see most commonly is allowing the authentication and signing the user in, but locking meaningful features away until the email is verified. You should bubble up an error reminding the user to ...
Buffalo5ix • 2,756
77 votes
Accepted

Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?

Yes, you're right. SMSes are not recommended in any two-factor authentication (2FA) process nowadays. They can be easily intercepted and modified. That's why a lot of companies are recommending other ...
galoget • 1,594
73 votes

User Account with no password

Just because you had not set a password, that does not mean that your account could be accessed. Without seeing the code, I cannot be sure, but it is possible that you could not log in to your account ...
schroeder • 134k
70 votes

User Account with no password

As a programmer who has created a user signup workflow like this I can assure you that there is nothing to worry about. A little background info When you enter your email, no user account is created (...
Kolappan N • 2,752
69 votes
Accepted

False 'Security alert' from Google - every login generates mails from '[email protected]'

I guess I receive those mails because I use a VPN (always same public IP) and some privacy plugins in Firefox. Yes, this is likely the reason. You use these plugins in order to prevent that the other ...
Steffen Ullrich
