security
Username and password in https url
When you put the username and password in front of the host, this data is not sent that way to the server. It is instead transformed to a request header depending on the authentication schema used. Most of the time this is going to be Basic Auth which I describe below. A similar (but significantly … Read more
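The transformation the answer describes, as an added example that is not part of the original answer: a client such as curl strips the userinfo out of `https://user:pass@host/path`, sends only the path in the request line, and carries the credentials in an `Authorization: Basic` header. The URLs, user names and passwords below are constructed for illustration; the percent-decoding step is the caveat practitioners trip over when a password contains `:` or `@`.

```python
import base64
from urllib.parse import urlsplit, unquote

# Added example (not from the original answer). Shows what an HTTP client does with a
# URL of the form https://user:pass@host/path: the userinfo never travels in the request
# line, it is moved into an Authorization header. Credentials and host are constructed.

def split_credentials(url):
    """Return (username, password, request_target, host) for a URL carrying userinfo.

    Userinfo is percent-decoded: a password containing ':' or '@' must be written
    as %3A / %40 inside the URL, otherwise the parser splits in the wrong place.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("credentials in a URL are only tolerable over TLS")
    username = unquote(parts.username or "")
    password = unquote(parts.password or "")
    request_target = parts.path or "/"
    if parts.query:
        request_target += "?" + parts.query
    return username, password, request_target, parts.hostname

def basic_auth_header(username, password):
    """RFC 7617 Basic scheme: base64 of 'user:pass' (UTF-8), no line wrapping."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"

def build_request(url):
    """Return the request line and headers the client actually puts on the wire."""
    username, password, target, host = split_credentials(url)
    lines = [f"GET {target} HTTP/1.1", f"Host: {host}"]
    if username:
        lines.append(f"Authorization: {basic_auth_header(username, password)}")
    return lines

if __name__ == "__main__":
    for line in build_request("https://alice:s3cret@example.com/api?x=1"):
        print(line)
```

Base64 is an encoding, not encryption: anyone who can read the header can read the password, which is why the scheme is only acceptable inside TLS, and why the function refuses plain `http`.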
Should I impose a maximum length on passwords?
Passwords are hashed to 32, 40, 128, whatever length. The only reason for a minimum length is to prevent easy to guess passwords. There is no purpose for a maximum length. The obligatory XKCD explaining why you’re doing your user a disservice if you impose a max length:
How will a server become vulnerable with chmod 777?
It allows filesystem content to be viewed and/or modified by anyone: assuming the attacker already has general system access, which is very common on shared hosting platforms. Some are more “hardened” than others from the start. Here is a small incomplete list of possible attack vectors: “your safe code” could be overwritten with “their … Read more
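A check for the condition the answer warns about, as an added example that is not part of the original answer: walk a directory tree and report every file or directory whose mode grants write access to "other", which is what chmod 777 (or 666) leaves behind. The sample tree is constructed inside a temporary directory so the script runs offline; point `world_writable()` at a real web root to audit it.

```python
import os
import stat
import tempfile

# Added example (not from the original answer): finds files and directories that
# chmod 777 leaves writable by every user on the host. The demo tree is constructed.

def world_writable(root):
    """Return relative paths under root whose mode has the other-write bit (o+w) set.

    Symlinks are skipped (lstat, no following), so a link pointing outside root is
    not reported on behalf of its target.
    """
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def demo_tree():
    """Constructed sample: one 0777 upload dir, one 0666 config, one 0644 script."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "uploads"))
    os.chmod(os.path.join(root, "uploads"), 0o777)
    for name, mode in (("config.php", 0o666), ("index.php", 0o644)):
        with open(os.path.join(root, name), "w") as f:
            f.write("<?php // constructed sample file\n")
        os.chmod(os.path.join(root, name), mode)
    return root

if __name__ == "__main__":
    root = demo_tree()
    for p in world_writable(root):
        print("world-writable:", p)
```

Anything this reports is editable by every local account, including the one the next tenant's compromised application runs as; the fix is to give write access to the web server's user or group only, never to "other".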
How to pass the value of a variable to the standard input of a command?
Passing a value to standard input in Bash is as simple as: your-command <<< "$your_variable" Always make sure you put quotes around variable expressions! Be cautious: this will probably work only in bash and will not work in sh.
Preventing Brute Force Logins on Websites
I think a database-persisted short lockout period for the given account (1-5 minutes) is the only way to handle this. Each userid in your database contains a timeOfLastFailedLogin and numberOfFailedAttempts. When numberOfFailedAttempts > X you lock out for some minutes. This means you’re locking the userid in question for some time, but not permanently. It also means … Read more
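The lockout logic the answer sketches, as an added example that is not part of the original answer: a per-account record with the two fields the answer names, a counter that locks the account for a fixed window once it passes X, and a lock that expires on its own. A dict stands in for the users table and the clock is injected so the behaviour can be exercised without waiting; the threshold and window values are assumptions.

```python
import time

# Added example (not from the original answer): temporary per-account lockout after X
# consecutive failures. A dict stands in for the users table; the clock is injectable.

MAX_FAILED_ATTEMPTS = 5          # X in the answer (assumed value)
LOCKOUT_SECONDS = 5 * 60         # answer suggests 1-5 minutes; 5 minutes here

class LoginThrottle:
    def __init__(self, clock=time.time):
        self.clock = clock
        # userid -> {"timeOfLastFailedLogin": float|None, "numberOfFailedAttempts": int}
        self.users = {}

    def _row(self, userid):
        return self.users.setdefault(
            userid, {"timeOfLastFailedLogin": None, "numberOfFailedAttempts": 0})

    def seconds_until_unlocked(self, userid):
        row = self._row(userid)
        if row["numberOfFailedAttempts"] < MAX_FAILED_ATTEMPTS:
            return 0
        remaining = row["timeOfLastFailedLogin"] + LOCKOUT_SECONDS - self.clock()
        return max(0, remaining)

    def is_locked_out(self, userid):
        return self.seconds_until_unlocked(userid) > 0

    def attempt_login(self, userid, password_ok):
        """Return 'locked', 'ok' or 'failed'.

        The lock is checked BEFORE the password is used, so a locked account
        answers identically whether or not the guess was right.
        """
        row = self._row(userid)
        if self.is_locked_out(userid):
            return "locked"
        if password_ok:
            row["numberOfFailedAttempts"] = 0   # a successful login clears the counter
            row["timeOfLastFailedLogin"] = None
            return "ok"
        # an expired lock starts a fresh count rather than re-locking on the first miss
        if row["numberOfFailedAttempts"] >= MAX_FAILED_ATTEMPTS:
            row["numberOfFailedAttempts"] = 0
        row["numberOfFailedAttempts"] += 1
        row["timeOfLastFailedLogin"] = self.clock()
        return "failed"
```

Because the counter is keyed on the account rather than the client address, an attacker who knows a username can keep that account locked by failing on purpose; the short window is what keeps that from becoming a permanent denial of service, which is the trade-off the answer is pointing at.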
Is it possible to reverse a SHA-1 hash?
No, you cannot reverse SHA-1, that is exactly why it is called a Secure Hash Algorithm. What you should definitely be doing though, is include the message that is being transmitted into the hash calculation. Otherwise a man-in-the-middle could intercept the message, and use the signature (which only contains the sender’s key and the timestamp) … Read more
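The attack and the fix the answer describes, as an added example that is not part of the original answer: a signature computed over only the sender's key and a timestamp authenticates any message a man-in-the-middle cares to attach to it, while a signature that covers the message does not. The fixed version uses HMAC-SHA256 rather than a bare SHA-1 over key plus data (a deliberate substitution: it closes the length-extension problem of a plain hash) and adds a freshness window. Secret, timestamps and message bodies are constructed.

```python
import hashlib
import hmac
import time

# Added example (not from the original answer). The weak scheme signs only the sender's
# key and a timestamp, so one captured signature authenticates ANY message sent within
# the window. The fixed scheme feeds the message into an HMAC. All values constructed.

SECRET = b"shared-secret-between-sender-and-server"   # constructed
WINDOW_SECONDS = 300

def weak_signature(secret, timestamp):
    """Signature that does not cover the message (the scheme the question describes)."""
    return hashlib.sha1(secret + str(timestamp).encode()).hexdigest()

def weak_verify(secret, timestamp, message, signature):
    # 'message' is never looked at, so an interceptor can swap it freely
    return weak_signature(secret, timestamp) == signature

def sign(secret, timestamp, message):
    """HMAC over timestamp and message. Field lengths are prefixed so the two fields
    cannot be shifted into each other ('12'+'3abc' vs '123'+'abc')."""
    ts = str(timestamp).encode()
    data = b"%d:%d:%s%s" % (len(ts), len(message), ts, message)
    return hmac.new(secret, data, hashlib.sha256).hexdigest()

def verify(secret, timestamp, message, signature, now=None):
    """Constant-time comparison plus a freshness check that bounds replay."""
    now = time.time() if now is None else now
    if abs(now - timestamp) > WINDOW_SECONDS:
        return False
    return hmac.compare_digest(sign(secret, timestamp, message), signature)

if __name__ == "__main__":
    ts = int(time.time())
    sig = sign(SECRET, ts, b"transfer 10 to bob")
    print(verify(SECRET, ts, b"transfer 10 to bob", sig))        # genuine
    print(verify(SECRET, ts, b"transfer 9999 to mallory", sig))  # tampered
```

Including the message is necessary but not sufficient: without the timestamp window the genuine message can still be replayed verbatim, and without `compare_digest` the comparison leaks timing information about the expected value.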
IIS7, web.config to allow only static file handler in directory /uploads of website
Add the following to a web.config file in the folder containing the files you wish to be served only as static content:
<configuration>
  <system.webServer>
    <handlers>
      <clear />
      <add name="StaticFile" path="*" verb="*" modules="StaticFileModule,DefaultDocumentModule,DirectoryListingModule" resourceType="Either" requireAccess="Read" />
    </handlers>
    <staticContent>
      <mimeMap fileExtension=".*" mimeType="application/octet-stream" />
    </staticContent>
  </system.webServer>
</configuration>
Send mail via Gmail with PowerShell V2’s Send-MailMessage
Here’s my PowerShell Send-MailMessage sample for Gmail… Tested and working solution:
$EmailFrom = "notifications@somedomain.com"
$EmailTo = "me@earth.com"
$Subject = "Notification from XYZ"
$Body = "this is a notification from XYZ Notifications.."
$SMTPServer = "smtp.gmail.com"
$SMTPClient = New-Object Net.Mail.SmtpClient($SMTPServer, 587)
$SMTPClient.EnableSsl = $true
$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("username", "password");
$SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body)
Just change $EmailTo, and … Read more
If you use HTTPS, will your URL params be safe from sniffing? [duplicate]
Yes, your URL would be safe from sniffing; however, one hole that is easily overlooked is if your page references any third party resources such as Google Analytics, Add Content anything, your entire URL will be sent to the third party in the referer. If it’s really sensitive it doesn’t belong in the query string. … Read more