Hey everyone, I want to share my personal and real-world experience with credential stuffing attacks. These are very hard to solve because fundamentally it's the users' fault, especially the ones with a password-reuse habit. Nevertheless, we responsible developers are the ones who should keep the internet safe, so feel free to chime in, evaluate my solutions, and maybe we'll come up with "the" best practice against this type of attack.
If there's interest I want to make this into a library and open source a django-specific solution as it's my everyday framework. The discussion applies to ALL web frameworks.
Hey everyone, I wanted to share some tips and insights about caching. I'm a firm believer that caching is very important/effective, but you have to be very careful and engineer-minded while designing it. It's a 7-minute read.
Some problems include serving stale objects or not having central logic to calculate cache efficiency. This part 1 is more like an introduction, but I'm willing to share a very good library and middleware that will help you with 2 things. First is solving cache-related bugs, and second is measuring cache efficiency. Tune in for part 2 :)
Hi! Normally when you rotate your secret key, users are logged out, which is a big inconvenience if you have millions of users and might cost your business valuable users, and this pushes companies not to rotate keys, which is not best practice.
That's why I wanted to make this process transparent to the user. I created a library, "django-rotate-secret-key", which helps you rotate your secret key and still accept sessions with the old key for a limited amount of time, and I explained how to use it in this Medium post.
Obviously this is not something you want if your key is compromised, but if you want to rotate just as a best security practice, this library is for you!
What I love about this library is, once you pass that window where you accept both keys, you can delete/revert everything, so there is no residue with this solution! Not a single line of code that you need to maintain in the future.
Thanks for seeing the value. After releasing this I got to know that some services require session authentication, so without your password (or cookies) the bot cannot verify.
I think this was a nice experiment and still usable for many services.
You could let people pass the username/password in as part of the email tag, like:
guerillaemail+myusername-mypassword@gmail.com
As others have clarified, only for complete throwaway accounts, obviously. I tested '-' and '!' and those characters appear acceptable as the delimiter. ':' gives a very strange error on send when using gmail.com. Also, imagine you'd lose some letter casing along the way.
Interesting to see this get so many upvotes & discussion. Blockchain is an agreed protocol, not a god-given thing; any time we need more we can just increase the block size.
This blog post would make sense if it talked about why incrementing block size is not feasible, which is feasible. Storage gets cheaper every year, and block size has no effect on compute power.