Barry Frost

This is Barry Frost’s personal website.

Tagged #security


This is a collection of thoughts on securing a modern Apple Mac computer using macOS (formerly OS X) 10.12 “Sierra”, as well as steps to improve online privacy.

Moving to HTTPS

Guide to how to move your site from HTTP to HTTPS

Liked Pinboard’s post on Twitter
In which Teen Vogue tears the Guardian a new one through the simple trick of interviewing actual security experts:


This is an opinionated blacklist of words that you might not like to see used as usernames in your service.

e.g. “admin” or “help”.

Liked Jeff Waugh’s post on Twitter
Good time for a reminder: Your fingerprint is your user name, *not* your password.

Let them paste passwords

Advice from the National Cyber Security Centre (terrible name, good advice) that preventing users from pasting passwords is a bad thing and does nothing for security.

Reposted Alastair Campbell’s post on Twitter
The UK’s digital security centre recommends *against* forced password expiry, at last someone has said it.…


Secure random number generation for Ruby using system RNG facilities

Security Guide for Developers

JSON Web Tokens (JWT) vs Sessions

A handy site for testing whether your website’s server is sending sensible headers. Think of it like SSL Test for a few nitty-gritty details.


PAN / Credit Card Scanner

Password guidance: executive summary - GOV.UK

In reply to post on
Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration.

Thanks for the reminder. My single-domain certificate was about to expire so I’ve upgraded to a new Comodo wildcard one ready for some secure subdomain projects. It would be great if this auto-renewed but I think I need to manually renew it unfortunately.

Signing in to Medium by email

Medium have adopted the passwordless login pattern: they will send you a one-time expiring link via email instead of requiring a password. Twitter and Facebook authentication remains and an SMS option is apparently in development.

Showing Passwords on Log-In Screens

Why you should do so (by @lukew)

How to Deploy HTTPS Correctly

Moving the web to HTTPS (and other global geo-political crises)


PCI and security scans

How the Guardian uses GitHub to audit GitHub

Uses a bot to find users within an org who lack 2FA, a full name, or someone responsible for them.