How hard is it to hack the JWT HS256 algo?

By convention, I see a lot of folks using this approach to generate a private key from a nodejs console:


But considering I could input other values besides 0-9 and A-Z, I wondered if my key would be more secure if I used other non hex-only characters?

Second, if my key is 64 bytes for the HS256 algo., how much time would it take an attacker to brute force the signature? My JWTs are only valid for 15 minutes, but that doesn’t stop an attacker from logging in, grabbing an access-token and brute forcing it.

My JWTs maintain 3 claims that I don’t encrypt — the email address of the user, the user’s ID (which never changes) and a boolean value. I was considering appending to my key the hash value of the user’s ID so that brute forcing the key (if successful) would only yield the password for that one user as the attacker would likely not realize that I appended the hash of the user’s ID.

I’m just concerned that JWTs aren’t as secure as session IDs in a cookie as I can control how many requests an attacker can make from my endpoints but can’t control a brute force against an offline verify.

How to store API keys when algo trading?

I write Python scripts for clients to “algo trade” at currency/stock exchange websites. My clients are typically running my scripts on traditional personal desktop PC’s. Usually using these PC’s for web browsing activities as well. The environment is always linux; usually debian. In the industry; Python is quite standard for algo trading in this manner; both institutionally and privately.

However, I can’t help but see a flaw in the security model.

Each exchange has a slightly different authentication method; but in short there is:

USER INPUTS:  api['secret']       # private key from exchange  USER CONFIG FILE CONTAINS:  api['key']          # public key from exchange api['exchange']     # name of exchange; ie "binance" api['symbol']       # market pair symbol in format BTC:USD api['uri']          # the url up to .com/  FROM USER INPUTS SCRIPT BUILDS REQUEST SPECIFIC:  api['nonce']        # time.time() at beginning of request api['endpoint']     # path/to/server/resource api['url']          # uri + endpoint api['method']       # GET, POST, or DELETE api['params']       # dict with request specific parameters api['data']         # str with request specific parameters api['headers']      # authentication signature specific to the request 

These requests are of the sort:


Here are some examples of the authentication methods I’ve written to some currency exchanges; they’re all quite standard in the forex/stock/crypto trading industry. Mostly in the generalized format:

api["header"] = {"signature": HMAC(SHA256(the_request_parameters))} 


def signed_request(api, signal):     """     Remote procedure call for authenticated exchange operations     api         : dict with keys for building external request     signal      : multiprocessing completion relay     """     api = lookup_url(api)     api["data"] = ""     if api["exchange"] == "coinbase":         api["data"] = json_dumps(api["params"]) if api["params"] else ""         api["params"] = None         message = (             str(api["nonce"]) + api["method"] + api["endpoint"] + api["data"]         ).encode("ascii")         secret = b64decode(api["secret"])         signature =, message, hashlib.sha256).digest()         signature = b64encode(signature).decode("utf-8")         api["headers"] = {             "Content-Type": "Application/JSON",             "CB-ACCESS-SIGN": signature,             "CB-ACCESS-TIMESTAMP": str(api["nonce"]),             "CB-ACCESS-KEY": api["key"],             "CB-ACCESS-PASSPHRASE": api["passphrase"],         }     elif api["exchange"] == "poloniex":         api["params"]["nonce"] = int(api["nonce"] * 1000)         message = urlencode(api["params"]).encode("utf-8")         secret = api["secret"].encode("utf-8")         signature =, message, hashlib.sha512).hexdigest()         api["headers"] = {             "Content-Type": "application/x-www-form-urlencoded",             "Key": api["key"],             "Sign": signature,         }     elif api["exchange"] == "binance":         api["params"]["timestamp"] = int(api["nonce"] * 1000)         api["params"]["signature"] = signature         message = urlencode(api["params"].items()).encode("utf-8")         secret = bytes(api["secret"].encode("utf-8"))         signature =, message, hashlib.sha256).hexdigest()         api["headers"] = {"X-MBX-APIKEY": api["key"]}     elif api["exchange"] == "bittrex":         api["params"]["apikey"] = api["key"]         api["params"]["nonce"] = int(api["nonce"] * 1000)         message = api["url"] + api["endpoint"] + urlencode(api["params"])         message = bytearray(message, "ascii")         secret = bytearray(api["secret"], "ascii")         signature =, message, hashlib.sha512).hexdigest()         api["headers"] = {}     elif api["exchange"] == "kraken":         api["data"] = api["params"][:]         api["params"] = {}         data["nonce"] = int(1000 * api["nonce"])         api["endpoint"] = "/2.1.0/private/" + api["endpoint"]         message = (str(data["nonce"]) + urlencode(data)).encode("ascii")         message = api["endpoint"].encode("ascii") + hashlib.sha256(message).digest()         secret = b64decode(api["secret"])         signature = b64encode(, message, hashlib.sha512).digest())         api["headers"] = {             "User-Agent": "krakenex/2.1.0",             "API-Key": api["key"],             "API-Sign": signature,         }     elif api["exchange"] == "bitfinex":         nonce = str(int(api["nonce"] * 1000))         api["endpoint"] = path = "v2/auth/r/orders"         api["data"] = json.dumps(api["params"])         api["params"] = {}         message = ("/api/" + api["endpoint"] + nonce + api["data"]).encode("utf8")         secret = api["secret"].encode("utf8")         signature =, message, hashlib.sha384).hexdigest()         api["headers"] = {             "bfx-nonce": nonce,             "bfx-apikey": api["key"],             "bfx-signature": signature,             "content-type": "application/json",         }      url = api["url"] + api["endpoint"]     ret = requests.request(         method=api["method"],         url=url,         data=api["data"],         params=api["params"],         headers=api["headers"],     )     response = ret.json() 

My clients often ask me, where to store the api["secret"]. In config file? In an environmental variable? Enter it manually at every restart and store it on physically on paper? I have no good answer and anything suggested… I quickly facepalm.

I set out to write an app – in python – to store the API keys:

primary feature:

  • given url and key input:

  • writes secret to clipboard w/ xclip

  • auto clears clipboard in 10 seconds

security features:

  • reads/writes AES CBC encrypted password json to text file

  • salt is 16 byte shake256 and generated in crypto secure manner w/ os.urandom

  • new salt after every return to main menu and exit to prevent dictionary attack

  • master password stretched to 400 megabytes to prevent GPU/FPGA attack

  • master password hashed iteratively 1,000,000 times via traditional salted pbkdf sha512 to prevent brute attack

  • only 3rd party module is “pycryptodome”; raises exception if deprecated “pycrypto” is found

  • sudo system password required to edit the script

My thought was my users could use this app to secure their keys; and in a scripting cryptographic sense… I’ve dotted my i’s and crossed my t’s… when they’re stored they’re stored. Period. I’m quite convinced you cannot break my encryption scheme.

You can find my app here or by googling: litepresence/CypherVault

But I still facepalm. I opened a reddit/r/security thread here to discuss my app and my facepalm was quickly validated.

In the end of things… no matter how I handle the api[“secret”] it ends up on RAM which can be dumped by malware and uploaded to an attacker.

When the user enters the secret to be encrypted… its on RAM. When the script decrypts the secret to sign a transaction… its on RAM.

Then hocus pocus… “my script” caused somebody to lose money because it was not “secure”; I have a sense of responsibility.

How can this be avoided? How can one securely store exchange API secrets for composing financial transactions – by bot – in scripting languages, on desktop machines, without at some point exposing them to your RAM, and potentially worse… your SWAP?

Hacer union de 2 div o crear algo semejante a una pestaña

Estoy maquetando un diseño, pero no he podido avanzar porque no se como prodria implementar una pestaña al div o lo que se haria en el diseño es una union de 2 cajas, no se si usando los pseudo elementos del propio div o habria otra forma de realizarlo.

Lo que estoy intentado hacer es esto

introducir la descripción de la imagen aquí

Quiero agregar la parte donde esta escrito live y donde estan los botones a la derecha, como podria hacerlo con css?

Bing Traffic Drop – Algo Update October 2018


In October 2018, my site had a sudden drop in traffic from (about 90%). Earlier, traffic was stable for several years.

Since then, I have contacted Bing Webmaster Support several times, but I have always received the answer that they cannot give guidelines for specific websites and have told me to follow the Bing Webmaster Guidelines – that's all.

However, a few days ago I got a reply from "High-level engineering team" with information that …. "we released an…

Bing Traffic Drop – Algo Update October 2018

¿Cómo incluir una condicional en el WHERE solo si un JOIN tiene algo?

necesito ayuda para realizar el siguiente query en MySQL, estoy juntando dos tablas con un LEFT JOIN para arrojar resultados en caso de que la segunda tabla no contenga información.

SELECT   e.emp_id AS "empresa_id",   et.idioma_id AS "idioma" FROM empresa as e LEFT JOIN empresa_translate as et   on et.emp_id = e.emp_id WHERE   replace(replace(e.emp_nombre,'z','s'),'h','')   LIKE replace(replace('%NOMBRE%','z','s'),'h',''); 

Esto obtiene los resultados sin importar que la tabla empresa_translate tenga algún registro asociado con el id, sin embargo necesito implementar la siguiente lógica a lo que ya tengo.

Si es que existe algún registro en la tabla empresa_translate asociado a este id filtra los resultados para mostrar sólo los que tengan un et.idioma_id = 1.

SELECT   e.emp_id AS "empresa_id",   et.idioma_id AS "idioma" FROM empresa as e LEFT JOIN empresa_translate as et   on et.emp_id = e.emp_id WHERE   replace(replace(e.emp_nombre,'z','s'),'h','')   LIKE replace(replace('%NOMBRE%','z','s'),'h','')   AND et.idioma_id = 1; 

El problema de hacerlo de esta manera es que no arroja ningún resultado. ¿Cuál es la manera correcta de hacer esto?

php mailer fue axctualizado o algo?

tengo una web para enviar correo pero confifuro el Php y no me envia los correos este es el codigo que me da de error:

Código de activación no fue enviado. Error de Correo: Falló la siguiente dirección de correo electrónico: CORREO no aceptado del servidor, 530,5.5.1 Se requiere autenticación. Obtenga más información en 530 5.5.1 w62sm21088070qkd.30 – gsmtp Error del servidor SMTP: 5.5.1 Se requiere autenticación. Obtenga más información en 530 5.5.1 w62sm21088070qkd.30 – gsmtp Error del servidor SMTP: 5.5.1 Se requiere autenticación. Obtenga más información en 530 5.5.1 w62sm21088070qkd.30 – gsmtp

y este el archivo php

    <?php  $  ServerName = "";  //SMTP Auth  $  SMTPAuth = true;  // SMTP Server Address  $  SMTP = "";  // SMTP Server Port  $  PORT = 587;  // SMTP Secure tls/ssl  $  SMTPS = "tls";  // SMTP Username  $  SMTPUSR = "";  // SMTP Password $  SMTPPASS = "123456789";  // From Address  $  From = ""; $  basepath="";  $  max_slot = 240;      ?> 

Como corrijo ese problema? creo he configurado bien el PhP pero no envia los correos.

NOTA Obviamente no es un correo real si no de mentira que coloque como ejemplo.