How to hide password even using Firebug? [closed] - passwords

Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
My friend easily finds my password using Firebug, i.e. when I am on the login page, my friend uses inspect element to find the password element and changes type="password" to type="text", and now it shows the password. How can I avoid this?

Obviously your friend can only do this if he can get to your PC while it's got the page loaded and mess around in Firebug. And then, since all he's done is make the password characters visible, to find out what your password is he has to stand over your shoulder to watch you type it.
This sounds more like a prank than a serious hack attempt. There are much worse ways to get hacked than that, especially if someone has direct access to your PC while you're logged in.
If you're writing a web site, and you're really worried about this sort of thing, there are steps you can take to prevent it.
For example, instead of asking the user to enter their whole password, you could give them a set of text boxes and ask them to enter just a few random characters from their password -- eg you could ask them to enter the first, fourth and eighth characters. This means that even if someone was watching what they typed, they'd only find out part of the password, which would be useless to them next time when the site asked for a different set of characters.
There are, of course, flaws in this scheme too, and it's a lot more of a hassle for the user, but it is considered more secure.
But typically it's only banking sites and the like that go to this sort of length to protect passwords. Most normal sites don't need this sort of level of security.

The best solution is to .. not store your passwords in your browser.

Related

What are the negatives of social media sign in? [closed]

Closed. This question is opinion-based. It is not currently accepting answers.
Closed 7 years ago.
Social media sign in has become popular to use on websites, but what negatives are there with its use?
Does integration add trackers to your site?
Does it slow overall performance?
Are some social media logins better than others?
I haven't found much info on this online, and all the data I've seen is on conversions and marketing. I'd love to hear facts from the development side.
Edit: I'm feeling confused by the downvotes. How is my question bad or irrelevant? Social sharing buttons were all the rage but most people agree now that it isn't worth it, even though it seemed at first to have great results; and from the development side, it slowed page loading and added trackers to our sites.
The companies most excited about the buttons before, as I recall, were companies selling ways to add a ton of those buttons to your site; and most of the advocates I see now are similarly marketing products that allow you to add a ton of buttons. I'm asking what login does from an angle other than popular marketing.
Using OpenID for login is great because you don't have to remember many different logins, and even though there are some minor problems, I don't think you shouldn't use it (I'll use Facebook as an example here):
The user has to trust you. Maybe you want read access, so you could read what you wrote on Facebook. You could use the data for marketing, even if you just get his ID.
The user (and you) has to trust Facebook. They know on which page the user is logged on (you got a shop for dog food? the user will get ads for dog food as soon as he logs in!), and they could even log in as the user himself - theoretically, of course.
You are missing information like mail address and other things. There are workarounds, and they are working.
Don't ever (!) use only OpenID login or something similar (exception: you need to actually do things with the data you get - e.g. twitter bots)! You're forcing users to sign up for a social network they don't want. YouTube did this, and it wasn't very successful (except for the fact that there are "millions" of G+ users... Yeah.)
Except for that, I don't see anything wrong with OpenID login. Many big pages use it, and as long as the user has the possibility to log in conventionally, why shouldn't you use it?

SQL Injection ethical hacking [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
This is not a programming question but I have no idea why I did it.
Yesterday, I was going through a tutorial about ethical hacking and found a tutorial about SQL injection. It says, find an admin login.asp site and enter as follows:
Admin: Admin
Password: ' or '1'='1
I really don't know what that is and how it works. But when I tried the same on a website, I was shocked by the result. It gave me a warning like "... your IP address ip xxx.xxx.xxx.xxx and you may be prosecuted for this action ... etc". I was really scared by the warning. I had no intention to do anything, I was just following the tutorial.
Can anyone tell me what will happen to me? I am really worried about this.
To sum up what happened:
You attempted to inject SQL through whatever method you tried.
Their website was smart enough to recognize your input.
They generated an automated threat and sent it back to your browser.
I doubt you have to be worried. Their website most likely gets these kinds of attacks quite often and the amount of money they need to spend to prosecute is pretty great and that is only IF it is considered illegal in your region.
You should send them an email where you describe that you wanted to study techniques to avoid SQL injection attacks on your side. You should apologize and I'm sure there will be no problems.
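For anyone maintaining a login form, this is why the input quoted in the question matters. The following is an added example, not code from the original posts; the table layout, the sample account and the function names are assumptions. It shows the same login check written with string concatenation and with bound parameters.

```python
import sqlite3

def make_db():
    """In-memory user table holding one constructed account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    # Constructed sample row; a real site stores a salted password hash instead.
    db.execute("INSERT INTO users VALUES ('Admin', 'correct-horse')")
    return db

def login_concatenated(db, name, password):
    """Vulnerable form: user input becomes part of the SQL text."""
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + name +
           "' AND password = '" + password + "'")
    # With the quoted input the WHERE clause ends in  OR '1'='1',
    # which is true for every row, so the password is never really checked.
    return db.execute(sql).fetchone()[0] > 0

def login_parameterized(db, name, password):
    """Hardened form: input is bound as data and never parsed as SQL."""
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (name, password)).fetchone()[0] > 0

if __name__ == "__main__":
    db = make_db()
    quoted = "' or '1'='1"  # the password value quoted in the question
    print("concatenated :", login_concatenated(db, "Admin", quoted))
    print("parameterized:", login_parameterized(db, "Admin", quoted))
```

With bound parameters the quote characters are compared literally against the stored value, so the check fails as it should.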

Setting restrictions on a user's password - is it appropriate? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Theoretical question here:
How do people feel about the restrictions that registration forms have for users' passwords? Meaning, is it wise to make a condition that the user must have a capital letter, a number and a special character? I recognize that those conditions usually would require users to make a more secure password, but would that be annoying to a majority of users (it annoys me that a website assumes I do not have the capacity to create a secure password)? Any opinions one way or the other?
Yes, pretty much. You should also make a JS script to check the password strength while the user is typing it in. Just to inform the user and not let him submit it before a certain strength level is reached.
I would recommend some sort of password requirement to ensure basic security. However, making the requirements too stringent will hurt usability and, if they're encountering a rule they're not familiar with, could force them to create a new password which they could later forget. My advice would be to look over the requirements for popular websites such as Google, Facebook, etc. to get an idea of common requirements. If they've already encountered whatever requirements your website uses, they're less likely to get upset and can reuse memorized passwords.
Note: I know password reuse is a bad idea, but the majority of internet users don't want to memorize a new password for each site they create an account for, and it's therefore best from a usability perspective to allow them to do so.
You should also be careful about what characters you are going to allow in the password. Some secure input controls only allow ASCII.

How to prove that images were stolen? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
How can I prove that images were stolen from a website?
Is there any way to check since when another website has had the same images? I have no access to the server.
Thanks for any idea!
UPDATE:
No, I'm not the one who forgot the watermark. An old client of mine just found me with this question. We actually found a Google cached page which we can use, but I'm still interested in whether any other solution exists. For example, does any image format contain a date attribute?
If you're using a Unix-based operating system, you might have access to cURL. Try running
curl --remote-time --remote-name http://url-to-your-image/
and see if you get a timestamp that is different from the exact time you downloaded the file. Not all servers respond with the time, but it might be worth an attempt.
But generally, if it's your original work, then you should have a copy of the image with higher resolution and/or lower compression rate, right? That should be enough to prove which of the images is the stolen one. Intellectual property rights on the Internet are a mess, though, for several reasons. But even if you can't take legal action, you might have better luck convincing an administrator to remove the content.

Is a captcha enough to enforce multiple failed login attempts? [closed]

Closed. This question is off-topic. It is not currently accepting answers.
Closed 10 years ago.
Before I go crazy and try to script a way to lock folks out of their accounts on multiple failed attempts, is a captcha ideal? I've seen several sites that do this, but wasn't sure how effective it would be. Granted, if a human is indeed trying to "hack" into someone else's account, I would think blocking access for a few minutes would be much better than having them input some random obscure characters.
CAPTCHAs are a common solution. They're rarely ideal.
One suggestion: Offer x chances (say 3) at which point you lock the account and then require some sort of email validation to unlock.
Otherwise, I think giving 1 or 2 freebie chances is fine and then switching over to a CAPTCHA'd login is acceptable.
If you aren't having spambot problems, CAPTCHAs are rarely a good solution. They are just annoying. I agree with DA's email verification idea.
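The two suggestions in the answers above (free attempts, then a CAPTCHA; lock after x failures, then unlock by e-mail) can be combined into one escalation policy. This is an added sketch, not code from the original posts; the class name, thresholds and return strings are assumptions, and sending the e-mail and verifying the CAPTCHA are left to the caller.

```python
import secrets

CAPTCHA_AFTER = 2  # free attempts before a CAPTCHA is required (assumed value)
LOCK_AFTER = 3     # failed attempts before the account is locked ("say 3")

class LoginGuard:
    """Per-account failure tracking with escalation: open -> captcha -> locked."""

    def __init__(self):
        self.failures = {}       # account -> consecutive failed attempts
        self.unlock_tokens = {}  # account -> token that would be e-mailed

    def state(self, account):
        if account in self.unlock_tokens:
            return "locked"
        n = self.failures.get(account, 0)
        return "captcha" if n >= CAPTCHA_AFTER else "open"

    def attempt(self, account, password_ok, captcha_ok=False):
        """Return 'ok', 'denied', 'captcha_required' or 'locked'."""
        st = self.state(account)
        if st == "locked":
            return "locked"  # even a correct password is refused while locked
        if st == "captcha" and not captcha_ok:
            return "captcha_required"  # not counted as a password guess
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= LOCK_AFTER:
            # In a real system this token is mailed to the account owner.
            self.unlock_tokens[account] = secrets.token_urlsafe(16)
            return "locked"
        return "denied"

    def unlock(self, account, token):
        """E-mail validation step: a matching token clears lock and counter."""
        expected = self.unlock_tokens.get(account)
        if expected and secrets.compare_digest(expected, token):
            del self.unlock_tokens[account]
            self.failures.pop(account, None)
            return True
        return False
```

Because the counter is keyed on the account, repeated wrong guesses by anyone lock the real owner out until they complete the e-mail step.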