Security

What do you think of when you see this little guy on a webpage: You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit. The problem is that it doesn’t mean anything of the kind. In fact it had absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleadi...

A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis [https://www.troyhunt.com/2011/06/brief-sony-password-analysis.html]. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused password...

So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney [http://www.dddsydney.com]. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here [http://dl.dropbox.com/u/8529390/Protecting%20your%20web%20applications%20from%20the%20tyranny%20of%20evil.ppsx] and all the code used in the examples...

This content is now available in the Pluralsight course "OWASP Top 10 Web Application Security Risks for ASP.NET" [http://www.pluralsight.com/courses/owasp-top10-aspdotnet-application-security-risks] Cryptography is a fascinating component of computer systems. It’s one of those things which appears frequently (or at least should appear frequently), yet is often poorly understood and as a result, implemented badly. Take a couple of recent high profile examples in the form of Gawker and rootkit.c...

So the Sony saga continues. As if the whole thing about 77 million breached PlayStation Network accounts [http://www.theage.com.au/digital-life/games/playstation-privacy-breach-77-million-customer-accounts-exposed-20110427-1dvhf.html] wasn’t bad enough, numerous other security breaches [http://attrition.org/security/rants/sony_aka_sownage.html] in other Sony services have followed in the ensuing weeks, most recently with SonyPictures.com [http://www.sonypictures.com/]. As bad guys often like t...

A couple of different friends sent me over a link to an article about The Usability of Passwords [http://www.baekdal.com/tips/password-security-usability] this weekend, clearly thinking it would strike a chord. Well, let’s just say I was enthralled before I even finished the second line: > Security companies and IT people constantly tells us that we should use complex and difficult passwords. This is bad advice The crux of the article (and subsequent FAQ), is that so long as a password is s...

An unexpected email was waiting for me when I got off the plane from a recent work trip to Thailand on Saturday: > Congratulations! We are pleased to present you with the 2011 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Developer Security technical communities during the past year. Given this was sent out on April 1st, one could be...

Edit (6 Oct 2020): It looks like the WCSA website has disappeared since originally writing this article and the domain is now parked on a porn site. The Google Code archive still exists so the blog post is still relevant, just be conscious that this project has obviously gone unloved for some time now and make take you to unexpected places. Ah, automation. Any time I find myself doing the same thing more than once, I get the inclination to bundle it all up into something that can begin happenin...

Banks don’t get it. Telcos struggle with it. Airlines haven’t got a clue. That’s right folks, its password time again. Earlier in the year I wrote a little post about the who’s who of bad password practices [https://www.troyhunt.com/2011/01/whos-who-of-bad-password-practices.html]. I named, I shamed and I got a resounding chorus of support. The point was made. But it still bugged me. Why were our banks and airlines so consistently forcing us to choose poor passwords? Why do they constrain our...

Let’s assume you log onto a bunch of different websites; Facebook, Gmail, eBay, PayPal probably some banking, maybe a few discussion forums and probably much, much more. Do you always create unique passwords such that you never use the same one twice? Ever? Do your passwords always use different character types such as uppercase and lowercase letters, numbers and punctuation? Are they “strong”? If you can’t answer “yes” to both these questions, you’ve got yourself a problem. But the thing is,...