#security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

Password storage in summary

We discussed password storage in the article Speaking of passwords… and concluded that a password implementation requires a cryptographically strong, contemporary (as in “very, very slow”) one-way hash function with a randomly generated salt for every password. This is pretty much all you need to take care of. Salting is fairly straightforward but it is essential to ...

News: Website and app security tips

TechRepublic has an interesting article “Website and app security tips for software developers” that talks in a very short space about a whole bunch of things, from the “shelf life of software developers” to the advice on security for the website developer. It provides in particular an interesting insight into why a person thoroughly familiar ...

Philosophy of door locks

When working on security, there is something extremely important to keep in mind at all times. We are not trying to make systems impenetrable. We are trying to make it real, real hard for the attacker, that’s all. If an attacker has physical access to your system, you have lost. All measures, passwords, firewalls, everything is ...

Speaking of passwords…

Wouldn’t it be quite logical to talk about passwords after user names? Most certainly. Trouble is, the subject is very, very large. Creating, storing, transmitting, verifying, updating, recovering, wiping… Did I get all of it? It is going to take a while to get through all of that, do you reckon? Let’s split the subject ...

Biometrics – any good?

I think I already talked about this subject previously but not here. Anyhow, the subject bears repeating. Many go “yippee!” at the mention of biometrics and start to think their user authentication problem is solved. Do not pay attention, they will end up in the newspaper headlines fairly soon, either for massive security failures or ...

Keep it simple – user names

All right, now after the lengthy discussion on user names and ids let’s have some simple rules: Do not use sequential numbers for user ids. Do use random numbers for user ids. Do not use any scheme for user names that ties (semi-)public user information to the user name. Use user nicknames (aliases) if “natural” ...

What’s in a name?

Here is something quite interesting. Nobody ever considers the user names. They are just sort of “given”. Well, are they? Most of the time, they are not. They are assumed and designed into the system one way or another. And they can have an impact on security. An old saying goes that a secure Windows ...

Why bother?

Hmm… Good question… Well, let’s get this straightened out before we jump into other interesting subjects. Every single website and application, every single computer system gets broken into. For fun, money, fame, accidentally. This is just the way it is and I have to accept this as the current reality. I may not like it ...

Welcome to “Holy Hash!”

This is a lighter software security blog. I am starting it now mainly for two reasons. First, something has to be done. The recent break-ins at the likes of LinkedIn and Yahoo show that even at large companies people do not understand the basics of security. By looking at what is proposed and advised ...
