As a programmer whose laptop does not generate a lot of heat, especially considering the M1 chip runs extremely cool and my laptop fan has not activated even once during my daily work so far, can I use the laptop on the bed without worry?
I was studying the following page listing all the vulnerabilities of Ubuntu: CVE Ubuntu
What I found surprising is that all vulnerabilities report “gained access level: None”. Does that mean that there does not exist any known vulnerability which lets an attacker access your data? Does this presume that the data is encrypted with the out-of-the-box eCryptfs encryption, or is it even safe without?
I saw someone post this question here, but that was 6 years ago. How much safer is a 24-word seed vs. Trezor's 12-word seed? How easily can it be brute-forced? If you intend to keep your crypto for at least 10 years, maybe 12 words is not enough?
I am trying to achieve better security in my authentication system implementation with both server-side hashing and client-side hashing. (See the first reference below for more prerequisite knowledge.)
As I understand it:
Client-side hashing prevents hackers from getting a user’s plaintext password and using it for other sites when the server app is compromised.
Server-side hashing prevents hackers from logging in as users when the server database is compromised.
KDFs such as Argon2 make it expensive for hackers to brute-force a list/dictionary of common or possible plaintext passwords against a hashed password.
I’d like to save some server computing resources. So here comes my question: is it safe to directly hash “a password already hashed with Argon2 on the client-side” on the server-side with SHA-256? Here by “safe” I mean it’s at least as safe as using server-side-only Argon2. Besides, the second reference below also suggests hashing the authentication token (the so-called “validator” in their article) with SHA-256. Is doing this safe?
My answer: an Argon2-hashed password or an authentication token with a length of at least 16 bytes should be safe. The reasons are:
There is no list/dictionary to try since the data is a byte string that can be anything.
A full rainbow table of all 16-byte-long keys should contain 2 ^ 128 entries, which takes at least 2 ^ 128 * 32 B = 2 ^ 133 B ≈ 8 * 10 ^ 39 B = 8 * 10 ^ 27 TB of storage, which is way too big.
Even if we take the peak Bitcoin hash rate till now 170000 Phash/s, it will still take 10 ^ 12 years to enumerate all the possibilities.
However, I am no security expert so I am not sure whether there are any other flaws. So it would be nice if someone professional could share his/her opinion on this.
PS: Here are the related articles and questions I have read and think are useful, and that got me into this question.
authentication – Why is client-side hashing of a password so uncommon? – Information Security Stack Exchange
Implementing Secure User Authentication in PHP Applications with Long-Term Persistence (Login with “Remember Me” Cookies) – Paragon Initiative Enterprises Blog
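The scheme described in the question above (expensive memory-hard KDF on the client, cheap SHA-256 of that fixed-length output on the server, and SHA-256 of a random "remember me" validator), written out as an added example that is not part of the original post or of either referenced article. Assumptions: `hashlib.scrypt` stands in for Argon2 so the example runs with only the Python standard library; the client salt is derived deterministically from a constructed site tag and the username so the client needs no extra round trip; all names (`AuthServer`, `client_login_material`, `leaked_record`, ...) are this example's own.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32                # bytes of client-side KDF output the server treats as the "password"
SITE_TAG = b"example.test"  # constructed; binds the client salt to this one service


def client_salt(user: str) -> bytes:
    """Deterministic per-user, per-site salt for the client-side KDF (assumption of this example)."""
    return hashlib.sha256(SITE_TAG + b":" + user.encode("utf-8")).digest()[:16]


def client_login_material(user: str, password: str) -> bytes:
    """Client side: slow, memory-hard derivation. The question uses Argon2; scrypt stands in here."""
    return hashlib.scrypt(password.encode("utf-8"), salt=client_salt(user),
                          n=2 ** 14, r=8, p=1, dklen=KEY_LEN)


def server_hash(client_key: bytes, server_salt: bytes) -> bytes:
    """Server side: the client key is 32 random-looking bytes, so a single salted SHA-256 suffices."""
    return hashlib.sha256(server_salt + client_key).digest()


class AuthServer:
    """Toy server that stores only salts and SHA-256 digests, never the client key or a validator."""

    def __init__(self) -> None:
        self._users = {}   # user -> (server_salt, sha256(server_salt || client_key))
        self._tokens = {}  # selector -> (user, sha256(validator))

    def register(self, user: str, client_key: bytes) -> None:
        server_salt = secrets.token_bytes(16)
        self._users[user] = (server_salt, server_hash(client_key, server_salt))

    def login(self, user: str, client_key: bytes) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        server_salt, stored = record
        # constant-time comparison; a leaked `stored` value is useless as a login credential
        return hmac.compare_digest(server_hash(client_key, server_salt), stored)

    def leaked_record(self, user: str) -> bytes:
        """What an attacker obtains from a database dump: the digest, not the client key."""
        return self._users[user][1]

    def issue_remember_token(self, user: str) -> str:
        """Selector:validator cookie; only sha256(validator) is kept server-side."""
        selector = secrets.token_hex(8)
        validator = secrets.token_bytes(32)
        self._tokens[selector] = (user, hashlib.sha256(validator).digest())
        return selector + ":" + validator.hex()

    def redeem_remember_token(self, cookie: str):
        """Return the username for a valid cookie, else None."""
        try:
            selector, validator_hex = cookie.split(":", 1)
            validator = bytes.fromhex(validator_hex)
        except ValueError:
            return None
        entry = self._tokens.get(selector)
        if entry is None:
            return None
        user, stored = entry
        if not hmac.compare_digest(hashlib.sha256(validator).digest(), stored):
            return None
        return user
```

Two points the code makes concrete: a stolen database row holds only `sha256(server_salt || client_key)`, so presenting it back to `login` fails, and guessing the client key means searching the KDF's 32-byte output space rather than a password dictionary, which is the property the question relies on. The same holds for the remember-me validator, whose 32 random bytes are stored only as a SHA-256 digest.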
I am trying to find out all the vulnerabilities associated with my application and data server (both on the same machine). So I’ve decided to run nmap to see all the ports and other information that an invader could use to attack my servers. The result of nmap shows many services, and now I am very paranoid and alarmed about what exactly those services are and whether I should take any action in that regard. I ran a complete nmap scan against the IP of my server; if you see any vulnerability that needs to be taken care of, please let me know.
Also this older question, closed as unfocused, and basically answered as “it depends”: Is it safe to store passwords in a Browser?
So I’m specifically asking about Google Chrome (v92.0.4515.159, released 2021-08-19) running on macOS (v11.3, released 2021-04-26) without any configuration changes (Chrome default settings for its password manager).
EDIT: There’s also this much older question:
Password management in Firefox, Chrome and Safari
but given it’s 8 years old, I think an updated/modern answer (and one specific to the OS/browser) is still a valid question (open to deleting if the community finds it a duplicate/not answerable, though).
Sometimes there are links in an email you have to click because they are agreements, but they are coming from a different URL. As of now what I’m doing is opening a private window and pasting the link there. Would this be an effective anti-phishing mechanism? Or can you still get hacked?
The reason behind my thinking of a new private window is that it doesn’t expose cookies and passwords to that window. Besides that what are other dangers that could arise?
What is the best way to click on email links then?