Barry Frost

This is Barry Frost’s personal website.

Tagged #security


This is an opinionated blacklist of words that you might not like to see used as usernames in your service.

e.g. “admin” or “help”.

Liked Jeff Waugh‘s post on Twitter
Good time for a reminder: Your fingerprint is your user name, *not* your password.

Let them paste passwords

Advice from the National Cyber Security Centre (terrible name, good advice) that blocking password pasting is a bad thing and does nothing for security.

Reposted Alastair Campbell‘s post on Twitter
The UK’s digital security centre recommends *against* forced password expiry, at last someone has said it.…


Secure random number generation for Ruby using system RNG facilities

Security Guide for Developers

JSON Web Tokens (JWT) vs Sessions is a handy site for testing whether your website’s server is sending sensible headers. Think of it like SSL Test for a few nitty-gritty details.


PAN / Credit Card Scanner

Password guidance: executive summary - GOV.UK

In reply to post on
Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration.

Thanks for the reminder. My single-domain certificate was about to expire so I’ve upgraded to a new Comodo wildcard one ready for some secure subdomain projects. It would be great if this auto-renewed but I think I need to manually renew it unfortunately.

Signing in to Medium by email

Medium have adopted the passwordless login pattern: they will send you a one-time expiring link via email instead of requiring a password. Twitter and Facebook authentication remains and an SMS option is apparently in development.

Showing Passwords on Log-In Screens

Why you should do so (by @lukew)

How to Deploy HTTPS Correctly

Moving the web to HTTPS (and other global geo-political crises)


PCI and security scans

How the Guardian uses GitHub to audit GitHub

Uses a bot to find users within an org who lack 2FA, a full name or a named person responsible for them.

Best nginx configuration for security


Checks for (weak) SHA-1 certificates

Setting up SSL with nginx

“(using a NameCheap EssentialSSL wildcard certificate on DigitalOcean)”