Barry Frost

This is Barry Frost’s personal website.

Tagged #security

The-Big-Username-Blacklist

This is an opinionated blacklist of words that you might not like to see used as usernames in your service.

e.g. “admin” or “help”.

Liked Jeff Waugh’s post on Twitter
Good time for a reminder: Your fingerprint is your user name, *not* your password. https://twitter.com/obra/status/821529342530318337

Let them paste passwords

Advice from the National Cyber Security Centre (terrible name, good advice) that blocking the pasting of passwords is a bad thing and does nothing for security.

Reposted Alastair Campbell’s post on Twitter
The UK’s digital security centre recommends *against* forced password expiry, at last someone has said it.… https://twitter.com/i/web/status/808262292521492480

sysrandom

Secure random number generation for Ruby using system RNG facilities

Security Guide for Developers

JSON Web Tokens (JWT) vs Sessions

securityheaders.io

securityheaders.io is a handy site for testing whether your website’s server is sending sensible headers. Think of it like SSL Test for a few nitty-gritty details.

CCSRCH

PAN / Credit Card Scanner

Password guidance: executive summary - GOV.UK

In reply to https://kylewm.com post on kylewm.com
Since getting into #indieweb stuff, I’ve seen way more sites go down because of an expired HTTPS cert than expired domain registration.

Thanks for the reminder. My single-domain certificate was about to expire so I’ve upgraded to a new Comodo wildcard one ready for some secure subdomain projects. It would be great if this auto-renewed but I think I need to manually renew it unfortunately.

Signing in to Medium by email

Medium have adopted the passwordless login pattern: they will send you a one-time expiring link via email instead of requiring a password. Twitter and Facebook authentication remains and an SMS option is apparently in development.

Showing Passwords on Log-In Screens

Why you should do so (by @lukew)

How to Deploy HTTPS Correctly

Moving the web to HTTPS (and other global geo-political crises)

SecurityMetrics

PCI and security scans

How the Guardian uses GitHub to audit GitHub

Uses a bot to find users within an org who lack 2FA, a full name, or someone responsible for them.

Best nginx configuration for security

SHAAAAAAAAAAAAA

Checks for (weak) SHA-1 certificates

Setting up SSL with nginx

“(using a NameCheap EssentialSSL wildcard certificate on DigitalOcean)”