Best Browser Extensions to Block Ads

All publishers need to run ads to keep the lights on. Nothing in this world comes for free and it applies to websites on internet as well. Most of the websites earn money by showing advertisements to the end user. For some, it is the only source of income to keep the website up and running. But sometimes it can go too far. Intrusive and irrelevant ads, irritating users struggling to focus on the things they were supposed to be doing in the first place. Then there is also the question of privacy. Some sites are very intrusive and tend to insert ads in every we page. They term it as cost of their services. Their is also another downside to this. Opera CTO Bruce Lawson recently quoted a report to say that over 50 percent of all Internet traffic is just ads. That means that half of the limited FUP of users is probably wasted on advertisements. This also indirectly means that we pages will load significantly faster if ads are blocked and not allowed to load in the first place.

If you want to take control of this and also save bandwidth then you’ve probably thought about installing an ad-blocker. If you’re wondering about how to block ads on the Internet, the best option is to just install an ad-blocker on your browser. For the sake of this blog, I will be talking about ad-blockers for Google Chrome since it is the one I currently use as primary. The options and steps are pretty simple and pretty similar even for other browsers such as Safari, Firefox or Opera.

Here are the ad block extensions for Chrome that I liked, and why I liked them.

1. AdBlock Plus

One of the best known ad blockers on the market is AdBlock Plus or ABP. It’s available on most browsers and has its own Android app as well. It is an install-and-forget app extension. ABP does allow some ads through – the advertisers have to meet some requirements to be ‘non-intrusive’ but it can be changed this in the settings. ABP also blocks video ads in YouTube, and all noisy ads, and it can be set it to block tracking, malware, and social media buttons.

abp before after abplus

 

2. AdBlock

Both AdBlock, and then AdBlock Plus, came up as two separate adblockers for Firefox. When Chrome came along, AdBlock was launched for Chrome by another developer, before the AdBlock Plus team started to support the browser. And so, despite not being connected, the two most popular ad blockers ended up with similar names. AdBlock works a lot like AdBlock plus. Install, leave the defaults on and just get browsing. With AdBlock, malware protection is on from the start. It can also be disabled on individual pages, not just sites, and all the resources it is blocking is also visible in real time to the user. It also allows to whitelist specific sites.

adblock Adblock

 

3. Ghostery

Perhaps the most comprehensive tracker blocker available, Ghostery has a slightly involved setup process. Once it is added in the browser, a setup page will open and it will list all the different types of trackers that it can watch out for, and giving the option of choosing which ones to block specifically. Most users will typically opt to block all, but do note that this can also disrupt some site functionality, such as chat assistance on sites, or comments sections. Ghostery is extremely popular, not just for the blocking, but also the analytics it does – at any time, information such as how many trackers are present on the site and info on what these trackers actually do.

ghostery tracker data ghostery

 

4. Privacy Badger

Created by the Electronic Frontier Foundation (EFF), a non-profit digital rights group based in the US, Privacy Badger isn’t exactly an ad-blocker. Instead, it focuses on disallowing any visible or invisible third party scripts that can track you over the Internet. As it happens, most of these trackers are used for advertisements. This means that Privacy Badger does not block ads that are not otherwise harmful or tracking you. As a result, some ads will still show up. But at least it lets users know that what companies are spying on them through ads.

privacy badger badger

 

5. uBlock Origin

uBlock Origin has received praise from technology websites, and is reported to be much less memory-intensive than other extensions with similar functionality. uBlock Origin’s stated purpose is to give users the means to enforce their own (content-filtering) choices. It can also read and create filters from hosts files. Also, be aware that selecting some of these extra lists may lead to higher likelihood of web site breakage — especially those lists which are normally used as hosts file.

2016-11-3011-54-43

 

6. uBlock Origin
uBlock Origin has received praise from technology websites, and is reported to be much less memory-intensive than other extensions with similar functionality. uBlock Origin’s stated purpose is to give users the means to enforce their own (content-filtering) choices. It can also read and create filters from hosts files. Also, be aware that selecting some of these extra lists may lead to higher likelihood of web site breakage — especially those lists which are normally used as hosts file.

2016-11-3011-54-43

 

Personally, I use last three on chrome browser. I have tried all of them and felt that last three are the most efficient at both blocking ads as well as on the system resources. There are some rare occasions where the trio breaks the website but that’s the price I pay for uncluttered browsing experience. And I am happy with it. Here is the screenshot at the time of writing this blog where trio blocks more than 60 ads and other unnecessary stuff even from WordPress site itself!!!

2017-04-25 16_25_54-Edit Post ‹ Tech Overloaded — WordPress.com

 

Pass it on and let others know too.  Thanks.

 

 

DuckDuckGo features that stand out

Search engines have evolved to make it easier to find the information you need without having to go through different websites. Google has the Knowledge Graph feature that shows a neat box with useful information above (or beside) search results. It can do cool things such as calculations, show flight information and even currency conversion.

Although these features are incredibly useful, Google Knowledge Graph has its shortcomings. The biggest problem is that results are not uniform. When we were digging through Knowledge Graph features to find cool things you didn’t know you could do with Google, we noticed that the results were not always the same. When one person searched for Apple stocks, Google showed him regular search results, but when a colleague searched for the same term, he was shown current stock information along with a nice price versus time graph.

These limitations made us look for alternatives and we found one that impressed us with its utility – DuckDuckGo. We’ve previously mentioned DuckDuckGo, a privacy-focussed search engine, in an article on how to stop Google from tracking you. DuckDuckGo is a search engine that shows the same results for a search term to all its users. This is unlike Google, which filters search results based on the sites you have been visiting. It is also now possible to set DuckDuckGo as a default search engine in iOS 8 as well as OS X so you can get the instant search results just by typing your query into the Safari browser. Of course you can also use DuckDuckGo in Chrome or Firefox by visiting DuckDuckGo.com and clicking the Use in Chrome or Use in Firefox button.

Because it doesn’t try to personalise results, DuckDuckGo’s instant answers work for everyone and it has a great community of developers and users that are constantly adding new sources for answers. After using DuckDuckGo as our primary search engine for quite some time, we found that its instant answers are often as good as or better than Google’s Knowledge Graph. Here are 12 amazing things DuckDuckGo can do that Google can’t.

1. Social media bio
DuckDuckGo lets you see the social media profiles of people without leaving the search engine. So, search for @ndtvgadgets and you can see full the profile information on the same page. The same thing works for Google+ and Gravatar as well. To look up a Twitter bio, you need to search for the handle. For Google+, type G+ and then the name of the user. For Gravatar, just type Gravatar, and then the username you want to look up.

Another cool feature that is related is letting you search inside other sites. With Google, you can use the site: modifier to search for results within a particular site, but then you still have to open the link to see the results. With DuckDuckGo, you can use the site’s own search functions.

For example, if you want to search for someone’s details on LinkedIn, you don’t need to open the site. Just type “!linkedin” followed by the person’s name, and you will see the LinkedIn search results page. You can do this with a large number of websites; !g lets you search with Google, !a is Amazon, !r is Reddit, just to name a few. You can see the full list by just typing ! in the DuckDuckGo search bar.

duckduckgo_twitter_bio.jpg

2. App store search, alternatives to apps
Search for any popular app on DuckDuckGo and you will find that it shows a carousel full of apps with similar names. Just search for NDTV Gadgets app to see what we mean. Clicking on any one of the cards on the carousel will show you the price of the app, a description and links to the store. We found that this feature doesn’t work with very obscure apps, but it can find most of the well-known ones.

Another useful feature shows alternatives to apps in a neat carousel. Tired of MS Office? Just search for “Alternative to Word” and see the results for yourself. It also works for Web services, so you can even search for “Alternative to DuckDuckGo“, if you like.

duckduckgo_alternativeto_1.jpg

3. Shorten and expand links
Want to find out which websites are at the end of shortened links such as http://bit.ly/1tYrmaB ? Open DuckDuckGo and search “expand http://bit.ly/1tYrmaB“. Also, if you want to shorten long URLs, enter “shorten http://gadgets.ndtv.com/mobiles/news/android-browser-security-hole-affects-millions-of-users-says-expert-592578” to get a URL shortened using is.gd.

duckduckgo_expand.jpg

4. Generate passwords
Can’t think of a strong password? Just head to DuckDuckGo and search for “Password 20”. You’ll see a strong 20-character password. You can replace the number to change the number of characters in the password. If you find those random passwords hard to remember, you can make DuckDuckGo generate XKCD-style passwords. These passwords comprise four common words put together, which are easy to remember and hard to crack, and were first suggested in the popular Web comic XKCD. For these passwords, search “Random passphrase”.

duckduckgo_passphrase.jpg

5. Quick stopwatch
Both Google and DuckDuckGo let you create a quick timer (search for “timer”) but DuckDuckGo also has a stopwatch. Simply search for “stopwatch” to use it.

duckduckgo_stopwatch.jpg

6. Change case and check number of characters
Want to change a sentence to Title Case, lowercase or UPPERCASE? Just add one of those three terms before your sentence and key it in on DuckDuckGo. For example, “Uppercase ndtv gadgets” leads to “NDTV GADGETS”.

Another interesting feature is the number of characters. You can quickly check how many characters are in your search query by adding “chars” before or after the query. Try searching for “chars I really like this article” without the quotes and see the results.

duckduckgo_titlecase_1.jpg

7. Checks whether websites are down
If you can’t open a website, you might want to check if it is not opening anywhere or just on your computer. You can use websites such as isup.me to check this or you can simply search DuckDuckGo with the keywords like, “Is gadgets.ndtv.com down for me“.

duckduckgo_isitdown.jpg

8. Does mime rhyme with time
You read that right. DuckDuckGo also has an instant answer that finds rhyming words. Search “rhymes with ndtv” or any other word you can think of. You’ll see an instant answer with rhyming words, from RhymeBrain.

duckduckgo_rhyme.jpg

9. Calendar
Google and DuckDuckGo can show you the current date and time. But DuckDuckGo goes one step further by supporting calendar as an instant answer. Search “calendar” to see one, with the current date highlighted. It can also show you the calendar for any month and year. Try searching for “calendar january 1899“.

duckduckgo_calendar.jpg

10. Loan calculator
Another useful DuckDuckGo instant answer is a loan calculator. It’s useful if you want to see how much your monthly installments will be and how much interest you’ll be paying in total. The search query for this is a little hard to remember, like the terms and conditions for most loan agreements. It is “loan AMOUNT at INTEREST with PERCENT down for DURATION”. All the uppercase words are what you need to key in – total amount, interest rate, down payment percentage and the duration of the loan. We tried “loan Rs 50,00,000 at 4.5% with 25% down for 15 years” to get the answer in the picture below.

duckduckgo_loan.jpg

11. Cool features for developers
There are several instant answers that will be useful to software developers, but might be less important for the general public. Here’s a quick list of what DuckDuckGo can do:

duckduckgo_html.jpg

12. Add instant answers to other search engines
If you like all these instant answers but don’t want to leave your favourite search engine, just download the DuckDuckGo extension on Chrome, Safari or Firefox. Now whenever you search, you’ll see DuckDuckGo’s instant answers above search results in any search engine.

Bonus
There are several other instant answers on DuckDuckGo that are quite cool, but not very useful. That’s why these are included as a bonus in this article. Here’s a quick list of some of the best we could find.

duckduckgo_ascii.jpg

 

Pass it on and let others know too.  Thanks.

 

Original post here.

Introduction to Algorithms

I was recently searching for a good website for studying Algorithms. After going through various websites, I stumbled upon this educative.io course.

I was immediately hooked upon seeing the quality of the study material and that how easy it is for anyone to start learning. Course material are very visual with lots of explanations, pictures and demos.

It is divided into sub sections as follows –

 

 

 

 

 

 

 

 

 

 

 

Website – https://www.educative.io

 

And no, this post is not sponsored or anything. As I found it useful for myself and so I have shared. Pass it on and help others learn if you have too.

 

 

Writing Clear Code – Java Style

The overarching goal when writing code is to make it easy to read and to understand. Well-written programs are easier to debug, easier to maintain, and have fewer errors. Writing a program is a lot like writing an essay. When writing an essay, your message is more convincing when it is accompanied by proper grammar and punctuation. When writing computer programs, you should follow the same principle. It is even more important when programming since someone may be assigned to maintain and support your code for long periods of time. You will appreciate the importance of good style when it is your task to understand and maintain someone else’s code!

Coding.

  • Keep programs and methods short and manageable.
  • Use language-specific idioms.
  • Use straightforward logic and flow-of-control.
  • Avoid magic numbers (numbers other than −1, 0, 1, and 2); instead, give them meaningful symbolic names.

Naming conventions.

Here are some general principles when choosing names for your variables, methods, and classes.

  • Use meaningful names that convey the purpose of the variable. Choose names that are easy to pronounce, and avoid cryptic abbreviations. For example, use wagePerHour or hourlyWage instead of wph. Use polygon instead of p or poly or pgon.
  • Be consistent.
  • Name boolean variables and methods so that their meaning is unambiguous, e.g., isPrime or isEmpty() or contains().
  • Use shorter names (e.g., i) for short-lived variables and loop-index variables. Use more descriptive names for variables that serve an important purpose.
  • Avoid generic names like foo or tmp and meaningless names like fred. Use terminology from the application domain when possible.
  • Name a constant by its meaning, not its value, e.g., name your variable DAYS_PER_WEEK instead of SEVEN.
IDENTIFIER NAMING RULES EXAMPLE
Variables A short, but meaningful, name that communicates to the casual observer what the variable represents, rather than how it is used. Begin with a lowercase letter and use camel case (mixed case, starting with lower case). mass
hourlyWage
isPrime
Constant Use all capital letters and separate internal words with the underscore character. BOLTZMANN
MAX_HEIGHT
Class A noun that communicates what the class represents. Begin with an uppercase letter and use camel case for internal words. class Complex
class Charge
class PhoneNumber
Method A verb that communicates what the method does. Begin with a lowercase letter and use camelCase for internal words. move()
draw()
enqueue()

Commenting.

Programmers use comments to annotate a program and help the reader (or grader) understand how and why your program works. As a general rule, the code explains to the computer and programmer what is being done; the comments explain to the programmer why it is being done. Comments can appear anywhere within a program where whitespace is allowed. The Java compiler ignores comments.

  • Line comments. An end-of-line comment begins with // (two forward slashes) and ends at the end of the line on which the forward slashes appear. Any text from the // to the end of the line is ignored.
  • Block comments. A block comment begins with /* (a forward slash and asterisk) and ends with */ (asterisk and a forward slash). Any text between these delimiters (even if it spans multiple lines) is ignored.
  • Bold comments. A bold comment is a special case of a block comment designed to draw attention.
    /*---------------------------------------------------------
     *  Here is a block comment that draws attention
     *  to itself.
     *---------------------------------------------------------*/
    
  • Javadoc comments. A Javadoc comment is a special case of a block comment that begins with /** (a forward slash and two asterisks). They are typically used to automatically generate the API for a class. Here are guidelines for writing Javadoc comments.

There is no widely agreed upon set of rules. Good programmers write code that documents itself.

  • Make sure that comments agree with the code. Be careful to update the comments when you update the code.
  • Do not write comments that merely restate the code. Generally, comments should describe what or why you are doing something, rather than how.
    i++;      //  increment i by one
    
  • Comment any potentially confusing code, or better yet, rewrite the code so that it isn’t confusing.
  • Include a bold comment at the beginning of each file with your name, date, the purpose of the program, and how to execute it.
    /*----------------------------------------------------------------
     *  Author:        Kevin Wayne
     *  Written:       5/3/1997
     *  Last updated:  8/7/2006
     *
     *  Compilation:   javac HelloWorld.java
     *  Execution:     java HelloWorld
     *  
     *  Prints "Hello, World". By tradition, this is everyone's
     *  first program.
     *
     *  % java HelloWorld
     *  Hello, World
     *
     *----------------------------------------------------------------*/
    
  • Comment every important variable name (including all instance variables) with a // comment, and align the comments vertically.
    private double rx, ry;    //  position
    private double q;         //  charge
    
  • Comment each method with a description of what it does. Include what it takes as input, what it returns as output, and any side effects. Use the parameters names in your description.
    /**
     *   Rearranges the elements in the array a[] in random order
     *   using Knuth's shuffling algorithm.
     *
     *   Throws a NullPointerException if a is null.
     */
    public static void shuffle(String[] a)
    

Whitespace.

Programmers use whitespace in their code to make it easier to read.

  • Don’t put more than one statement on a line.
  • Use blank lines to separate your code into logical sections.
  • Put a space between all binary operators (e.g., <=, =, +) and their operands. One possible exception is to emphasize precedence.
    a*x + b
    
  • Include a space between a keyword (e.g., while, for, if) and its opening parenthesis.
  • Put a space after each statement in a for loop.
    for(int i=0;i<n;i++)    vs.      for (int i = 0; i < n; i++)
    
  • Put a space after each comma in an argument list.
  • Put space after each comment delimiter.
        //This comment has no space           //  This comment has two 
        //after the delimiter and is          //  spaces after the delimiter
        //difficult to read.                  //  and is easier to read.
    
  • Do not put spaces before a semicolon.
  • Do not put spaces between an object name, the . separator, and a method name.
  • Do not put spaces between a method name and its left parenthesis.
  • Include blank lines to improve readability by grouping blocks of related code.
  • Use spaces to align parallel code whenever it enhances readability.
    int n      = Integer.parseInt(args[0]);      //  size of population
    int trials = Integer.parseInt(args[1]);      //  number of trials
    

Indenting.

Programmers format and indent their code to reveal structure, much like an outline.

  • Avoid lines longer than 80 characters.
  • Do not put more than one statement on a line.
  • Indent a fixed number of spaces. We recommend 3 or 4.
  • Always use spaces instead of tabs. Modern IDEs (including DrJava) insert spaces when you type the tab key – these are known as soft tabs. Hard tabs are obsolete: in ancient times, they were used for data compression.
  • Use a new indentation level for every level of nesting in your program.
  • Follow either the K&R or BSD/Allman indentation styles for curly braces, and use it consistently. We consistently use the former for the booksite and the latter in the textbook.
    //  K&R style indenting                   
    public static void  main(String[] args) {
        System.out.println("Hello, World");
    }
    
    //  BSD-Allman style indenting
    public static void main(String[] args)
    {
        System.out.println("Hello, World");
    }
    

 

Content picked up from this site.

Beware of this new phishing attack

A Chinese information security researcher has reported about an “almost impossible to detect” phishing attack that can be used to trick even the most careful users on the Internet.

He warned, hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon to steal login or financial credentials and other sensitive information from users.

What is the best defence against phishing attack? Generally, checking the address bar after the page has loaded and if it is being served over a valid HTTPS connection. Right?

Okay, then before going to the in-depth details, first have a look at this demo web page (note: you may experience downtime due to high traffic on demo server), set up by Chinese security researcher Xudong Zheng, who discovered the attack.

It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate.” Xudong Zheng said in a blog post.

If your web browser is displaying “apple.com” in the address bar secured with SSL, but the content on the page is coming from another server (as shown in the above picture), then your browser is vulnerable to the homograph attack.

There is another proof-of-concept website created by security experts from Wordfence to demonstrate this browsers’ vulnerability. It spoof “epic.com” domain.

Homograph attack has been known since 2001, but browser vendors have struggled to fix the problem. It’s a kind of spoofing attack where a website address looks legitimate but is not because a character or characters have been replaced deceptively with Unicode characters.

Many Unicode characters, which represents alphabets like Greek, Cyrillic, and Armenian in internationalized domain names, look the same as Latin letters to the casual eye but are treated differently by computers with the completely different web address.

For example, Cyrillic “а” (U+0430) and Latin “a” (U+0041) both are treated different by browsers but are displayed “a” in the browser address.

Punycode Phishing Attacks

unicode-phishing-attack

By default, many web browsers use ‘Punycode’ encoding to represent unicode characters in the URL to defend against Homograph phishing attacks. Punycode is a special encoding used by the web browser to convert unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by International Domain Names (IDNs) system.

For example, the Chinese domain “短.co” is represented in Punycode as “xn--s7y.co“.

According to Zheng, the loophole relies on the fact that if someone chooses all characters for a domain name from a single foreign language character set, resembling exactly same as the targeted domain, then browsers will render it in the same language, instead of Punycode format.

This loophole allowed the researcher to register a domain name xn--80ak6aa92e.com and bypass protection, which appears as “apple.com” by all vulnerable web browsers, including Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.Here, xn-- prefix is known as an ‘ASCII compatible encoding’ prefix, which indicates web browser that the domain uses ‘punycode’ encoding to represent Unicode characters, and Because Zheng uses the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041), the defence approach implemented by web browser fails.

Zheng has reported this issue to the affected browser vendors, including Google and Mozilla in January.

Punycode Phishing Attacks
Fake Page (top) and Original Apple.com (bottom), but exactly same URL

While Mozilla is currently still discussing a fix, Google has already patched the vulnerability in its experimental Chrome Canary 59 and will come up with a permanent fix with the release of Chrome Stable 58, set to be launched later this month.

Meanwhile, millions of Internet users who are at risk of this sophisticated hard-to-detect phishing attack are recommended to disable Punycode support in their web browsers in order to temporarily mitigate this attack and identify such phishing domains.

How to Prevent Against Homograph Phishing Attacks

Firefox users can follow below-mentioned steps to manually apply temporarily mitigation:

  1. Type about:config in address bar and press enter.
  2. Type Punycode in the search bar.
  3. Browser settings will show parameter titled: network.IDN_show_punycode, double-click or right-click and select Toggle to change the value from false to True.

Unfortunately, there is no similar setting available in Chrome or Opera to disable Punycode URL conversions manually, so Chrome users have to wait for next few weeks to get patched Stable 58 release.

Although, there are some third-party Chrome extensions/add-ons available on App Store that users can install to get alerts every time they came across any website with Unicode characters in the domain.

Meanwhile, one of the best ways to protect yourself from homograph attacks is to use a good password manager that comes with browser extensions, which automatically enter in your login credentials for the actual domains to which they are linked.

So, whenever you came across any domain which looks like legitimate “apple.com” or “amazon.com” but actually is not, your password manager software will detect it and will not automatically authenticate you to that phishing site.

Moreover, Internet users are always advised to manually type website URLs in the address bar for important sites like Gmail, Facebook, Twitter, Yahoo or banking websites, instead of clicking any link mentioned on some website or email, to prevent against such attacks.

A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. Until this is fixed, concerned users should manually type the URL as stated above or navigate to sites via a reputed search engine when in doubt. This is a serious vulnerability because it can even fool those who are extremely mindful of phishing.
Pass this post on and let others know about this too.  It may save someone from falling prey unknowingly to an hacker.
Content for this blog post was sourced from this post and this is researcher’s original blog post.

How are passwords stored?

Have you ever wondered how do websites store passwords?

Why can’t a Facebook or a Google employee copy your password and regain access to your account? Or why some websites tell you to set a new password, instead of sending you your forgotten password whenever you click ‘Forgot your password?’.

It’s because most websites nowadays don’t save passwords in plain text, instead save its algorithmic computed hash. Whenever you log in with a password, it is hashed and then compare the resultant hash with the one in the database. That means any attacker that gets to their database will only see the hash of your password, not the real one.

Rule-of-thumb: if you forget your password and the website sends it back to you in plain text, then that’s how they store it. You should make sure you’re not using that password anywhere else and also never to use that site again.

But what is a hash?

A hash is the output of a one-way function that takes an input and maps it to a fixed-length string that works as a unique signature for the given input and is ideally never produced with any other input (Wikepedia). The important properties of a hash function are that it is –

  1. Deterministic (same input gives the same hash every time)
  2. Practically impossible to generate the same hash from two different inputs
  3. It is impossible to get the input from the hash unless you try every possible input.
  4. Any change to the input, however small, would make the resulting hash unrecognizable from the original input’s hash. Examples of a hash function include MD5 (broken), SHA-1 (not recommended) and SHA-3 (recommended standard).

 

hashing-11-638

 

During verification –

hashing-12-638

Unfortunately, many people can use the same passwords, and because hash functions are deterministic, it means that the hashes of those passwords would be the same. That means if a passwords database were compromised, and you know the password of one user, you could also gain access to whoever has the same password (because the hashes are the same).

 

Enter salts

Salts are random data that are unique to each user, which are added to the user’s password before hashing it. Because of the 4th property of a good hash, the new hash is unrecognizable from the old one, thus even if user X and Y use the same password because X and Y have different, unique salts, the hash of each user’s password would look completely different. A salt can be publicly stored in plain text, as it’s just random data that doesn’t provide any insight on the user’s password.

Below image will help in understanding further –

Hash-plus-Salt

In simpler terms –

Salting

 

Pass it on and help others learn if you have too.  Thanks.

 

This was sourced from this original post. If you are a developer and further interested in securing passwords, this thread on stack exchange is for you to further read.

Browser setting to turn off right now

Modern day browser’s have a very useful feature in-built which is the auto-fill. It can assist a user by automatically filling in forms and other important fields without user needing to manually enter the data each time. It is a one time process thereby after which browser can pre-fill the stored user data onto the form each time user visits a site requiring a form fill-up, sign-up process or finishing online purchases by entering credit card and other crucial details.

It is a very useful feature indeed but with a very serious security problem. As demonstrated by a Finnish developer Viljami Kuosmanen, users can easily fall into hacker’s trap if they use autocomplete feature on unknown websites. Scammers have found a sneaky way to retrieve the stored information using autocomplete feature.

Scammers could simply add additional “hidden” boxes to the page, and trick people into giving away more info than they intended to. Users think they’re just entering their name and email address, but “hidden” text boxes are automatically filled in with more sensitive data like address, phone number, and credit card number.

Below is the demonstration given by Viljami as a proof of concept –

Affected browsers include big shots like Chrome, Safari, and Opera, as well as extensions like the password manager/form filler LastPass, which is perhaps an even more obvious target. So, if you’re currently using any of these, it’d be wise to head to your Preference menu and temporarily disable the auto-fill feature until a security patch is pushed out. To deactivate the feature in Chrome, go to Settings, Advanced Settings, and uncheck the boxes beneath Passwords and Forms. Stay safe folks.

Here is the image after successfully retrieving the full user info taken from the above –

browser-settings

 

 

Pass this post on and let others know about this too.  It may save someone from falling prey unknowingly to an hacker.