This cheat sheet advises you on the proper methods for storing passwords for authentication. When passwords are stored, they must be protected from an attacker even if the application or database is compromised. Fortunately, a majority of modern languages and frameworks provide built-in functionality to help store passwords safely.
However, once an attacker has acquired stored password hashes, they are always able to brute force hashes offline. Defenders can slow down offline attacks by selecting hash algorithms that are as resource intensive as possible.
To sum up our recommendations:
Use Argon2id with a minimum configuration of 19 MiB of memory, an iteration count of 2, and 1 degree of parallelism.
If Argon2id is not available, use scrypt with a minimum CPU/memory cost parameter of (2^17), a minimum block size of 8 (1024 bytes), and a parallelization parameter of 1.
For legacy systems using bcrypt, use a work factor of 10 or more and with a password limit of 72 bytes.
If FIPS-140 compliance is required, use PBKDF2 with a work factor of 600,000 or more and set with an internal hash function of HMAC-SHA-256.
Consider using a pepper to provide additional defense in depth (though alone, it provides no additional secure characteristics).As of May 2023, OWASP recommends the following KDFs for password hashing, listed in order of priority:
- Argon2id
- scrypt if Argon2id is unavailable
- bcrypt for legacy systems
- PBKDF2 if FIPS-140 compliance is required
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
Take potentially dangerous PDFs, office documents, or images and convert them to safe PDFs.
Metadata within a file can tell a lot about you. Cameras record data about when and where a picture was taken and which camera was used. Office applications automatically add author and company information to documents and spreadsheets. This is sensitive information and you may not want to disclose it.
Metadata Cleaner allows you to view metadata in your files and to get rid of it, as much as possible.
Python GTK application to view and clean metadata in files, using mat2 · https://metadatacleaner.romainvigier.fr/
mat2 is a metadata removal tool, supporting a wide range of commonly used file formats, written in python3: at its core, it's a library, used by an eponymous command-line interface, as well as several file manager extensions.
The goal of this document is to help operational teams with the configuration of TLS. All Mozilla websites and deployments should follow the recommendations below.
Mozilla maintains this document as a reference guide for navigating the TLS landscape, as well as a configuration generator to assist system administrators. Changes are reviewed and merged by the Mozilla Operations Security and Enterprise Information Security teams.
This document describes MASQUE (Multiplexed Application Substrate
over QUIC Encryption). MASQUE is a mechanism that allows co-locating
and obfuscating networking applications behind an HTTPS web server.
The currently prevalent use-case is to allow running a VPN server
that is indistinguishable from an HTTPS server to any unauthenticated
observer. We do not expect major providers and CDNs to deploy this
behind their main TLS certificate, as they are not willing to take
the risk of getting blocked, as shown when domain fronting was
blocked. An expected use would be for individuals to enable this
behind their personal websites via easy to configure open-source
software.
Alright @DjangoConEurope, here are my slides (), a write-up (), and t…