I started building ASafaWeb [https://asafaweb.com] – the Automated Security Analyser for ASP.NET websites – about a year back to try and automate processes I found I kept manually doing, namely checking the security configuration of ASP.NET web apps. You see, the problem was that I was involved in building lots of great apps but folks would often get little security configurations wrong; a missing custom errors page, stack traces bubbling up or request validation being turned off among numerous...

Update, 14 Feb 2014: A year and a half on from writing this, Tesco has indeed suffered a serious security incident almost certainly as a result of some of the risks originally detailed here. Read more about it in The Tesco hack – here’s how it (probably) happened [https://www.troyhunt.com/2014/02/the-tesco-hack-heres-how-it-probably.html]. -------------------------------------------------------------------------------- Let me set the scene for this post by sharing a simple tweet from last nig...

Last month I wrote about our password hashing having no clothes [https://www.troyhunt.com/2012/06/our-password-hashing-has-no-clothes.html] which, to cut to the chase, demonstrated how salted SHA hashes (such as created by the ASP.NET membership provider), offered next to no protection from brute force attacks. I’m going to assume you’re familiar with the background story on this (read that article before this one if not), but the bottom line was that cryptographic hashing of passwords needs to...

It happened again last week. No, not Yahoo! Voices [https://www.troyhunt.com/2012/07/what-do-sony-and-yahoo-have-in-common.html], not the Phandroid Android forums [http://www.zdnet.com/android-forums-hacked-1-million-user-credentials-stolen-7000000817/] , not NVidia [http://www.zdnet.com/nvidia-confirms-hackers-swiped-up-to-400000-user-accounts-7000000903/] and not Formspring [http://www.zdnet.com/formspring-resets-millions-of-passwords-amid-breach-7000000643/] , this time it was Billabong, ou...

Another week, another breach. This time Yahoo! was the target with 453,491 email addresses and passwords from their Voices service being exposed for all to see [https://www.trustedsec.com/july-2012/yahoo-voice-website-breached-400000-compromised/] . Whilst unfortunate for those involved, these breaches do give us some unique insight into password practices and as is usually the case, it’s not pretty. Back in June last year after one of many Sony breaches I conducted a brief analysis [https://ww...

In the beginning, there was password hashing and all was good. The one-directional nature of the hash meant that once passed through a hashing algorithm the stored password could only be validated by hashing another password (usually provided at logon) and comparing them. Everyone was happy. Then along came those pesky rainbow tables. Suddenly, huge collections of passwords could be hashed and stored in these colourful little tables then compared to existing hashed passwords (often breached fro...

Phishing scams are getting tougher to pull off these days. All those damn email client and browser defences are getting in the way of hardworking phishermen and women going about their daily business. But – dear phisherpeople – you’re also not doing yourselves any favours when it comes to crafting a veneer of decency and honesty in your communications, in fact I propose that you’re missing a significant number of opportunities by neglecting some basics. So let me share some insight, if you will...

No really, this is my LinkedIn password: y>8Q^<6mqKEA4hac Well it was my LinkedIn password until earlier today when it became apparent that LinkedIn had suffered what could only be described as a massive security breach [http://money.cnn.com/2012/06/06/technology/linkedin-password-hack/index.htm?iid=SF_T_Lead] . The disclosure of 6 million passwords used in one of the world’s premier social networking sites is nothing short of astonishing. But what’s also astonishing is that this exercise onc...

There’s a pattern in the following stills from various scammer videos, see if you can spot it. Here’s one run by Comantra I captured back in Feb [http://www.youtube.com/watch?v=kjKjyMKj3n4&feature=player_detailpage#t=2403s]: And here’s another one [http://www.youtube.com/watch?v=nhqxOFH2rmI&feature=player_detailpage#t=713s] from when an unknown scammer called me in late April: Now here’s one from Noah Magram [http://www.youtube.com/watch?v=jb69H7l0vJA&feature=player_detailpage#t=20s] wh...

This content is now available in the Pluralsight course "Secure Account Management Fundamentals" [http://www.pluralsight.com/courses/secure-account-management-fundamentals] Recently I’ve had a couple of opportunities to think again about how a secure password reset function should operate, firstly whilst building this functionality into ASafaWeb [https://asafaweb.com/] and secondly when giving some direction for someone else doing a similar thing. In that second instance, I wanted to point them...