Barry Frost

This is Barry Frost’s personal website.

Tagged #security

DNSdumpster is a FREE domain research tool that can discover hosts related to a domain. Finding visible hosts from the attacker’s perspective is an important part of the security assessment process.

Building account systems

Advice on dealing with accounts and passwords when building a web app

^Lift Security

Application Security / Penetration Testing – used by Panic to audit its Panic Sync service


590+ usernames in this dictionary! A list of reserved usernames to prevent URL collisions with resource paths. This repository hosts the list in multiple formats such as JSON, CSV, SQL and plain text. You can use it by simply downloading it with wget.

Reposted gRegor Morrill’s post on Twitter
Today is a good day to review your permissions on various silos. Handy links on


This is a collection of thoughts on securing a modern Apple Mac computer using macOS (formerly OS X) 10.12 “Sierra”, as well as steps to improving online privacy.

Moving to HTTPS

Guide to how to move your site from HTTP to HTTPS

Liked Pinboard’s post on Twitter
In which Teen Vogue tears the Guardian a new one through the simple trick of interviewing actual security experts:


This is an opinionated blacklist of words that you might not like to see used as usernames in your service.

e.g. “admin” or “help”.

Liked Jeff Waugh’s post on Twitter
Good time for a reminder: Your fingerprint is your user name, *not* your password.

Let them paste passwords

Advice from the National Cyber Security Centre (terrible name, good advice) that preventing users from pasting passwords is a bad thing and does nothing for security.

Reposted Alastair Campbell’s post on Twitter
The UK’s digital security centre recommends *against* forced password expiry, at last someone has said it.…


Secure random number generation for Ruby using system RNG facilities

Security Guide for Developers

JSON Web Tokens (JWT) vs Sessions is a handy site for testing whether your website’s server is sending sensible headers. Think of it like SSL Test for a few nitty-gritty details.


PAN / Credit Card Scanner

Password guidance: executive summary - GOV.UK

In reply to post on
Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration.

Thanks for the reminder. My single-domain certificate was about to expire so I’ve upgraded to a new Comodo wildcard one ready for some secure subdomain projects. It would be great if this auto-renewed but I think I need to manually renew it unfortunately.

Signing in to Medium by email

Medium have adopted the passwordless login pattern: they will send you a one-time expiring link via email instead of requiring a password. Twitter and Facebook authentication remains and an SMS option is apparently in development.