security

问题 When typing in html forms, browsers like firefox or ie store the values, sometimes quietly. So when typing in another webforms, the browser smartly suggest the same information. Another method to show the dropdown list is double-clicking an empty textbox. In a e-commerce website, the customer type the credit card number, and another sensitive information. How I do to avoid or block the browser to store that sensitive information? Another worry is about tampered form data stored (by a malware,

问题 There are several useful answers on SO regarding prevention of brute forcing a password of a web service by applying throttling. I couldn't find any good numbers though and I have little expertise in this area, so the question is: How many attempts does it usually take to brute-force an average password of 6 or more characters (with no additional knowledge that may help, but taking into account that passwords are probably prone to dictionary attacks) and based on that, what are meaningful

问题 There are several useful answers on SO regarding prevention of brute forcing a password of a web service by applying throttling. I couldn't find any good numbers though and I have little expertise in this area, so the question is: How many attempts does it usually take to brute-force an average password of 6 or more characters (with no additional knowledge that may help, but taking into account that passwords are probably prone to dictionary attacks) and based on that, what are meaningful

问题 I would like to encrypt the passwords on my site using a 2-way encryption within PHP. I have come across the mcrypt library, but it seems so cumbersome. Anyone know of any other methods that are easier, but yet secure? I do have access to the Zend Framework, so a solution using it would do as well. I actually need the 2-way encryption because my client wants to go into the db and change the password or retrieve it. 回答1: You should store passwords hashed (and properly salted ). There is no

问题 In my application I use form-based authentication with a LDAP-Realm. For Authorization I use a database. As I understand this works as follows App --> (user, pass) --> LDAP <-- OK, user exists -- --> ask for security roles for 'user' --> JACC / Database <-- Administrator -- Can I hook into the process where my application calls ask for security roles for 'user' ? Background: LDAP says: Okay, 'user' is authentified Database : give me all roles where username = user And now I want to customize

问题 We have 2 web applications, both secured using HTTPS (server-side certificates only) and a single sign-on authentication system. In App1, a user will click a link which then needs to “drill down” into a page in App2. They share the same domain and SSL certificate, but are physically not the same app. When App1 forwards or redirects the request to App2, it includes an authentication token in the request so App2 can verify the user’s identity. App1 knows what information the user is authorized

问题 This is a variation on an existing question in SO about securing/obfuscating .Net applications in general. I'm developing an API in C# that includes some algorithms I'm keen to protect. I understand no method will be perfect, but what's the generally accepted method for doing this? I'd like my clients to be able to code against the API but I don't want them to reverse engineer what's inside (at least I don't want to make it easy for them). If I obfuscate the code, won't that also obfuscate

问题 I've created a login system that uses cookies and stores a session ID in a database, so your login will only work with that particular session ID. I realise this has a few problems: If you login on another device the session ID changes (no multi logins) The session ID is really the only thing identifying the user as logged in (I'm not really sure if this is a security risk since the cookie is domain specific) However I want to retain the persistant login that comes with cookies while still

问题 Does adding a certificate exception in Firefox tell it to trust a certificate, an address, or a combination of both? See the following hypothetical: First, I hypothetically visit https://foo.com, which uses a self-signed certificate. My browser alerts me that the certificate is self-signed, but I choose to add an exception (in firefox 40's settings under Advanced > Certificates > View Certificates > Servers ). Now let's say I go to https://bar.com, and it presents the exact same certificate.

问题 I came across an article about Car remote entry system at http://auto.howstuffworks.com/remote-entry2.htm In the third bullet, author says, Both the transmitter and the receiver use the same pseudo-random number generator. When the transmitter sends a 40-bit code, it uses the pseudo-random number generator to pick a new code, which it stores in memory. On the other end, when the receiver receives a valid code, it uses the same pseudo-random number generator to pick a new one. In this way, the