  • 2021-11-11
  • 5 minutes

We are making authentication systems wrong

For a long time I’ve been struggling with the way authentication systems work, as they don’t protect your password as they should. If you search for login best practices, for example at OWASP, they’ll tell you things like: hash the password with a strong algorithm, use salt and pepper, limit attempts, and, most importantly, use […]
  • 2019-10-30
  • 6 minutes

Secure Password Hashing

Password Hashing 101: MD5 and SHA1, which are quite common, are already considered unsafe. So if you are using them, replace them with a secure algorithm. Even for checksums they should not be considered secure. Check the references for more info. Now that we have put that aside, let’s start from the basics. User passwords should always be stored […]
  • 2019-07-19
  • 6 minutes

Hardcoded Passwords

Hardcoded passwords… This is a quite common problem, and most of the projects that I get my hands on have a hardcoded password somewhere. But what’s the problem with having, for example, the database password in the code? Well, actually, a lot! Let’s start with the most straightforward scenario. Hardcoded passwords (and when […]
  • 2019-06-16
  • 10 minutes

Heap Inspection

Heap Inspection is a vulnerability that most of the time developers don’t care about, since it is not easy to mitigate and most libraries/frameworks are not prepared to handle it. So what is Heap Inspection? Basically, it’s when you get access to a machine and then to a process’s memory data. Then you […]