Group items tagged

"NIST recently published its four-volume SP800-63b Digital Identity Guidelines. Among other things, it makes three important suggestions when it comes to passwords: Stop it with the annoying password complexity rules. They make passwords harder to remember. They increase errors because artificially complex passwords are harder to type in. And they don't help that much. It's better to allow people to use pass phrases. Stop it with password expiration. That was an old idea for an old way we used computers. Today, don't make people change their passwords unless there's indication of compromise. Let people use password managers. This is how we deal with all the passwords we need."

"Per Thorsheim, Microsoft's Dr. Cormac Herley, the UK's NCSC, the Chief Technologist at FTC, I and many others are working hard to kill password expiration. Password expiration is when an organization requires their staff to change their passwords every 60, 90 or XX number of days. Password expiration is also a great example of how security professionals fail by simply repeating old myths or focusing on just mitigating risk, forgetting about the cost or impact of those mitigating controls. Here's is why password expiration must die."

"OpenAM centralizes authentication by using a variety of authentication modules. Authentication modules connect to identity repositories that store identities and provide authentication services. The identity repositories can be implemented as LDAP directories, relational databases, RADIUS, Windows authentication, one-time password services, other standards-based access management systems and much more."

"The new Docker Registry 2.0 was released on April 16th, 2015. It was completely rewritten in Go with added support for the new Docker Registry HTTP API V2 (thus only working with Docker 1.6+), promising to provide faster and more secure distribution of images. If you work with Docker and for some reason decided not to use the public Docker Hub, a private Docker Registry is an essential part of your architecture. But even if you don't have private images, you will likely need to use your own registry in production/testing for efficiency. The default installation, however, runs without encryption and authentication. I was wondering what's involved in securing it. There is an official tutorial on how to configure TLS on a registry server. TLS/SSL is absolutely necessary for any secure setup, but I also wanted to enable an authentication mechanism. The Configuration Reference document describes two authentication options supported by Docker Registry itself: so-called silly and token solutions. The silly one is apparently only useful for very limited development use-cases. The token solution seems to be more serious, but because of the lack of documentation (at the time of writing), I decided to find an alternative approach to secure it. In this article I'm going to show you how to set up the Docker Registry 2.0 with username/password authentication and SSL using the official Docker Registry image and a custom configured nginx as a proxy server."

Passport is authentication middleware for Node.js. Extremely flexible and modular, Passport can be unobtrusively dropped in to any Express-based web application. A comprehensive set of strategies support authentication using a username and password, Facebook, Twitter, and more."

"FreeIPA allows Linux administrators to centrally manage identity, authentication and access control aspects of Linux and UNIX systems by providing simple to install and use command line and web based management tools. FreeIPA is built on top of well known Open Source components and standard protocols with a very strong focus on ease of management and automation of installation and configuration tasks. FreeIPA can seamlessly integrate into an Active Directory environment via cross-realm Kerberos trust or user synchronization. Benefits FreeIPA: Allows all your users to access all the machines with the same credentials and security settings Allows users to access personal files transparently from any machine in an authenticated and secure way Uses an advanced grouping mechanism to restrict network access to services and files only to specific users Allows central management of security mechanisms like passwords, SSH Public Keys, SUDO rules, Keytabs, Access Control Rules Enables delegation of selected administrative tasks to other power users Integrates into Active Directory environments"

This article is a basic list of best practices that our Grails projects follow, gathered from mailing lists, Stack Overflow, blogs, podcasts and internal discussions at IntelliGrape.

Security is part of everyday life. We lock our doors, protect our banking information with passwords that are usually so complicated that we tend to forget them. Using common sense to secure systems is just good practice. It's really easy to assume that because a system is internal, there is no need to enable authentication ...