The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

  • My badges

  • Twitter Updates

  • My Flickr Stream

  • Pages

  • All categories

  • Enter your email address to subscribe to this blog and receive notifications of new posts by email.

    Join 1,708 other followers

Archive for the ‘Security’ Category

There are still sites limiting password lengt to low values like 20 or 15. Don’t!

Posted by jpluimers on 2019/08/26

There are still sites limiting password lengt to low values like 20 or 15. Don’t!

The why at [WayBackImplement Proper Password Strength Controls: Password Length has been in place since October 2012, since when cracking passwords has become way faster, so risk at length 20 back then is now a risk at something like length 40.

Password Length

Longer passwords provide a greater combination of characters and consequently make it more difficult for an attacker to guess.

  • Minimum length of the passwords should be enforced by the application.
    • Passwords shorter than 10 characters are considered to be weak (NIST SP800-132).

While minimum length enforcement may cause problems with memorizing passwords among some users, applications should encourage them to set passphrases (sentences or combination of words) that can be much longer than typical passwords and yet much easier to remember.

  • Maximum password length should not be set too low, as it will prevent users from creating passphrases. Typical maximum length is 128 characters.
    • Passphrases shorter than 20 characters are usually considered weak if they only consist of lower case Latin characters.

–jeroen

via:

 

Posted in LifeHacker, Power User, Security | Leave a Comment »

CAA Mandated by CA/Browser Forum | Qualys Blog

Posted by jpluimers on 2019/07/22

[WayBack] CAA Mandated by CA/Browser Forum | Qualys Blog

Certification Authority Authorization (CAA), specified in RFC 6844 in 2013, is a proposal to improve the strength of the PKI ecosystem with a new control to restrict which CAs can issue certificates…

Related:

–jeroen

Posted in Conference Topics, Conferences, DNS, Encryption, Event, HTTPS/TLS security, Internet, Power User, Security | Leave a Comment »

UPC Cable Modem / Ziggo Connect Box / Compal CH7465LG · Issue #122 · reverse-shell/routersploit

Posted by jpluimers on 2019/07/22

I wonder if this one is still exploitable: UPC Cable Modem / Ziggo Connect Box / Compal CH7465LG · Issue #122 · reverse-shell/routersploit

–jeroen

Posted in Power User, Security | Leave a Comment »

Government & Govt Owned – Netherlands – Phishing Scorecard

Posted by jpluimers on 2019/07/12

The archive is of late 2017; I wonder what the state is now: [WaybackGovernment & Govt Owned – Netherlands – Phishing Scorecard

This Phishing Scorecard is the current situation of the security of e-mail stream banks compared. If a bank is one of the technical building blocks to implement in their e-mail security the red cross will be a green check mark. Once a bank’s security policy has only green check marks will stand up and protect them 40% of their customers.

–jeroen

Via: [WayBack‘Mailservers Tweede Kamer missen beveiliging tegen e-mailspoofing’ – update – IT Pro – Nieuws – Tweakers

De mailservers van de Tweede Kamer missen beveiligingsmaatregelen die e-mailspoofing tegen moeten gaan, waardoor het mogelijk is om uit naam van politici e-mails te versturen. Dat blijkt uit een onderzoek van Follow the Money.

Posted in Power User, Security | Leave a Comment »

Some links about the TCP SACK PANIC attacks on Linux and FreeBSD Kernels

Posted by jpluimers on 2019/06/20

The TCP SACK vulnerabilities as found by Netflix: [WayBack] security-bulletins/2019-001.md at master · Netflix/security-bulletins · GitHub.

Easy, but slow workaround from [WayBack] linux – How to disable TCP SACK for CentOS? – Super User:

Temporary (until boot):

echo "0" > /proc/sys/net/ipv4/tcp_sack

Permanent (even after boot):

echo "net.ipv4.tcp_sack = 0" >> /etc/sysctl.conf
sysctl -p

Coverage:

–jeroen

Posted in *nix, *nix-tools, Communications Development, Development, Internet protocol suite, Power User, Security, TCP | Leave a Comment »

 
%d bloggers like this: