Highest scored questions
69,927 questions
1293 votes, 3 answers, 698k views
How does SSL/TLS work?
How does SSL work? I just realised we don't actually have a definitive answer here, and it's something worth covering. I'd like to see details in terms of: A high level description of the protocol. ...
1289 votes, 23 answers, 294k views
XKCD #936: Short complex password, or long dictionary passphrase?
How accurate is this XKCD comic from August 10, 2011? I've always been an advocate of long rather than complex passwords, but most security people (at least the ones that I've talked to) are against ...
943 votes, 11 answers, 335k views
How to securely hash passwords?
If I hash passwords before storing them in my database, is that sufficient to prevent them being recovered by anyone? I should point out that this relates only to retrieval directly from the database,...
894 votes, 14 answers, 181k views
What technical reasons are there to have low maximum password lengths?
I have always wondered why so many websites have very firm restrictions on password length (exactly 8 characters, up to 8 characters, etc). These tend to be banks or other sites where I actually care ...
672 votes, 4 answers, 339k views
Do any security experts recommend bcrypt for password storage?
On the surface bcrypt, an 11 year old security algorithm designed for hashing passwords by Niels Provos and David Mazieres, which is based on the initialization function used in the NIST approved ...
629 votes, 7 answers, 250k views
How to store salt?
If you expect to store user passwords securely, you need to do at least the following: $pwd=hash(hash($password) + salt) Then, you store $pwd in your system instead of the real password. I have seen ...
625 votes, 23 answers, 155k views
How does changing your password every 90 days increase security?
Where I work I'm forced to change my password every 90 days. This security measure has been in place in many organizations for as long as I can remember. Is there a specific security vulnerability ...
587 votes, 3 answers, 531k views
What's the difference between SSL, TLS, and HTTPS?
I get confused with the terms in this area. What are SSL, TLS, and HTTPS? What are the differences between them?
568 votes, 21 answers, 91k views
How can I explain SQL injection without technical jargon?
I need to explain SQL injection to someone without technical training or experience. Can you suggest any approaches that have worked well?
561 votes, 3 answers, 104k views
Why can I log in to my Facebook account with a misspelled email/password?
I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account my email and password were ...
544 votes, 11 answers, 96k views
Is my developer's home-brew password security right or wrong, and why?
A developer, let's call him 'Dave', insists on using home-brew scripts for password security. See Dave's proposal below. His team spent months adopting an industry standard protocol using Bcrypt. ...
535 votes, 18 answers, 118k views
Police forcing me to install Jingwang spyware app, how to minimize impact?
Chinese police are forcing whole cities to install an Android spyware app Jingwang Weishi. They are stopping people in the street and detaining those who refuse to install it. Knowing that I may be ...
510 votes, 8 answers, 517k views
RSA vs. DSA for SSH authentication keys
When generating SSH authentication keys on a Unix/Linux system with ssh-keygen, you're given the choice of creating an RSA or DSA key pair (using -t type). What is the difference between RSA and DSA ...
475 votes, 14 answers, 111k views
Are passwords stored in memory safe?
I just realized that, in any language, when you save a password in a variable, it is stored as plain text in the memory. I think the OS does its job and forbids processes from accessing each other's ...
455 votes, 9 answers, 329k views
Is BASIC-Auth secure if done over HTTPS?
I'm making a REST API and it's straightforward to do BASIC auth login. Then let HTTPS secure the connection so the password is protected when the API is used. Can this be considered secure?