background preloader

Security

Facebook Twitter

How To Safely Store A Password. 31 Jan 2010 Use bcrypt Use bcrypt.

How To Safely Store A Password

Use bcrypt. Use bcrypt. Use bcrypt. Why Not {MD5, SHA1, SHA256, SHA512, SHA-3, etc}? These are all general purpose hash functions, designed to calculate a digest of huge amounts of data in as short a time as possible. A modern server can calculate the MD5 hash of about 330MB every second. And that’s without investing anything. If you’re willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together your own little supercomputer cluster which will let you try around 700,000,000 passwords a second. Salts Will Not Help You It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed. bcrypt Solves These Problems How? How much slower is bcrypt than, say, MD5? So we’re talking about 5 or so orders of magnitude. Tl;dr Use bcrypt. Updated February 24th, 2011 Isn’t bcrypt just Blowfish?

Solutions to Cross-Site Scripting (XSS) Attack. <div class="greet_block wpgb_cornered greet_text"><div class="greet_image"><a href=" rel="nofollow"><img src=" alt="WP Greet Box icon" /></a></div> Hello there!

Solutions to Cross-Site Scripting (XSS) Attack

If you are new here, you might want to <a href=" rel="nofollow"><strong>subscribe to the RSS feed</strong></a> for updates on this topic. <div class="c2"></div><div class="greet_block_powered_by">Powered by <a href=" title="WP Greet Box WordPress Plugin" class="c3">WP Greet Box</a><a href=" title="WordPress Plugin" class="c3">WordPress Plugin</a></div><div class="c2"></div></div> Recently i wrote an article on Solutions to SQL Injection Attack that have all the great solutions to tackle SQL Injection Attack.

In this article, i would like to discuss with you about Cross-Site Scription attack which is also known as XSS attack. Cross-Site Scripting Attack What is cross-site scripting attack? Simple persistent attack DOM-based attack Non-Persistent Alice often visits a particular website, which is hosted by Bob. Persistent. Solutions to SQL Injection Attack. Security is one of the major issue we want to take care of other than meeting dateline.

Solutions to SQL Injection Attack

Especially when it comes to server data. We always want our data to be correct and secure. No one should be able to manipulate these data and these data should only be confine to people that have access to it. One should need to know the attacks on server data in order to better secure them. In this article, we will discuss SQL injection attack on databases. SQL Injection Attack SQL Injection Attack is the most common type of problem most web system face. PHP Secure Login Tips And Tricks. Every website on the internet faces a similar threat, hackers.

PHP Secure Login Tips And Tricks

Every single website can be a target of a hacker if security measures aren’t implemented properly especially when it comes to login pages where our most sensitive data are being held. Hence, there is a need to better understand how well your login page has been implemented to be considered as really secure. In this article, you will get a list of PHP secure login tips and tricks that will definitely help you decide on your secure rating of your login page. Length Of your username and password Both your username and password should be at least 6-8 characters long. Encrypt your password We all know that encryption is necessary in term of any password. For people who are using PHP 5.12 and below, you can try to use mhash which is an open source class for PHP. SHA-2 should be used to secure your future application. Double hashing is *worse* security than a regular hash.

Better Hashing Password in PHP. Every developer should know that storing any type of password in plain text is the worst possible decision anyone can make in a secure environment.

Better Hashing Password in PHP

Between security and confidentiality which one will you choose? Nowadays hacking are perform through social engineering or an inside job, by an employee or trusted person. How exactly confident are you towards securing your stuff and confidentiality of your user? Most of us will know that the Reddit suffer from such problem when all their username and password were compromised as their password wasn’t hashed and stored as plain text. And twitter was attacked through social engineering recently. Enhance Security Hash Function For Web Development. Previously i wrote an article on Better Hashing Password in PHP and PHP Secure Login Tips And Tricks . Both these articles are closely link to hash function and i find that i really didn’t answer hash function on these two articles clearly enough. Especially on the article Better Hashing Password in PHP where i find my reader get confused on some of the security term used and caused some misunderstanding on the article.

Hence, i came up with an idea to write out an article to detail some hash function question and improvement any developer can make to further secure their website. You will get a better understanding on security hash function and apply it on your web development once this is over. Stop Using MD5 or SHA-1 in the future If you have read Better Hashing Password in PHP , US-CERT of the U. Why Collision Is Bad Any hash function will face collision eventually due to pigeonhole principle whenever members of a very large set are mapped to a relatively short bit string. Using SALT. Writing Secure PHP. OWASP. WebAppSec/Secure Coding Guidelines. The purpose of this page is to establish a concise and consistent approach to secure application development of Mozilla web applications and web services.

WebAppSec/Secure Coding Guidelines

The information provided here will be focused towards web based applications; however, the concepts can be universally applied to applications to implement sound security controls and design. This page will largely focus on secure guidelines and may provide example code at a later time. The secure coding guidelines page is a living document and constantly updated to reflect new recommendations and techniques. Information that is listed is accurate and can be immediately used to bolster security in your application.

If you have comments, suggestions or concerns please email mcoates <at> mozilla.com The guidelines are discussed within logical security areas. Here are a few items that are often missed and are relevant for most every website. Authentication Attacks of Concern Password Complexity Critical Sites.