Passwords

In Depth

In Depth: What Actually Is MFA?

[In Depth #34] MFA, 2FA, 2SV, DFA... Something you know/have/are... Let's figure out this MFA thing and why it's so important.

Security Tips

Security Tip: Should You Limit Password Lengths?

[Tip #101] Password length limits are often a sign of a legacy backend or insecure hashing, but did you know bcrypt only hashes the first 72 characters? It raises the question, should we be limiting password lengths when using bcrypt too? 🤔

Security Tips

Security Tip: What If You Hashed Null?

[Tip #100] One of the fun parts of doing my security audits is coming across unexpected code that looks exploitable, and trying it out myself to see what possibilities exist.

In Depth

In Depth: Using CSS Clickjacking to Steal Passwords

[In Depth #26] It's time for some nightmare fuel with a sneaky inline CSS vulnerability I found in a popular Laravel package!

Security Tips

Security Tip: Laravel 11's Automatic Password Rehashing

[Tip #76] Let's check out three of the configuration options available as part of Automatic Password Rehashing: custom fields, disabling rehashing, and changing bcrypt rounds.

Security Tips

Security Tip: A Well-Known URL for Changing Passwords

[Tip#73] You may have heard of the `/.well-known/` path, and the security.txt file, but there is a new one called `change-password` you should be aware of too!

Security Tips

Security Tip: Don't Forget Your Registration Form!

[Tip#72] We talk a lot about protecting password reset and login forms, but don't forget about the humble registration form, it can provide attackers with crucial intel!

In Depth

In Depth: Adding Rehashing to Laravel

[InDepth#20] It turns out Laravel was missing an important piece of it's Authentication system: password rehashing! Let's add that in and learn how the authentication system works in the process.

Security Tips

Security Tip: Increase Your bcrypt Rounds

[Tip#58] It's time to upgrade your bcrypt rounds to 12 (or higher)!

In Depth

In Depth: "Th1nk Lik3 a H4cker" Walkthrough (part 1)

[InDepth#18] Let's take a walk through the first half of my "Th1nk Lik3 a H4cker" talk from Laracon EU & US. We'll explore the vulnerabilities behind each challenge and what I was trying to teach.

Security Tips

Security Tip: HTML autocomplete Attribute

[Tip#52] HTML has a lot of hidden gems, and the `autocomplete` attribute is no exception. Lets take a look at how it helps your password fields and password managers work together!

Security Tips

Security Tip: Laravel's Password Generator

[Tip#37] If you need to generate passwords in your app, it's important to use a cryptographically secure algorithm. Laravel makes this easy by giving us the Str::password() helper!