Things that are bad, dumb, or broken (security checklist), in a few categories. If you see one of these acronyms or ideas somewhere in your code or product then that’s no good.

In Cryptography

• MD5

• SHA1

• Mac then Encrypt (should be Encrypt then Mac), or really should just be GCM / AEAD

• AES-*-EBC, AES-*-CBC or anything that isn’t GCM or AEAD

• Snake oil crypto

• Padding oracles

• Bleinchenbacher attack

• Reusing symmetric keys (block or stream ciphers)