In this article, John Bielich and Khash Kiani introduce OAuth and demonstrate one type of approach in which a malicious native client application can compromise sensitive end-user data. Earlier this year, Khash posted a paper entitled "Four Attacks on OAuth - How to Secure Your OAuth Implementation" that introduced a common protocol flow, with specific … Continue reading Password Tracking in Malicious iOS Apps
I just ran across Jakob Nielsen's Alert Box post titled Stop Password Masking and wanted to provide some feedback from a security vs. usability perspective. I have great respect for Nielsen's contribution to the usability of the web. Back in the early days of the internet (mid 1990s), his books were gospel at my consulting … Continue reading Response to Nielsen's "Stop Password Masking"
For most websites, we don't have the source code available. As a user, we more or less trust that the site is doing "the right thing", or we just use a throwaway password that we accept may be compromised. Sometimes it is obvious. For example, the site is sending you your password in the … Continue reading How can I tell if my password is encrypted?