Questions tagged [account-security]

Security controls and features related to an end user's account with a web/mobile based application or an operating system.

The following topics are considered on-topic for the usage of this tag:

  1. Security controls to prevent user accounts and related data from unauthorized access e.g. multi factor authentication.
  2. Questions related to security breaches where user account information is compromised.
  3. Questions related to user registration and verification mechanisms.
708 questions
554 votes, 3 answers

Why can I log in to my Facebook account with a misspelled email/password?

I've been playing around with different login forms online lately to see how they work. One of them was the Facebook login form. When I logged out of my account my email and password were autocompleted by my browser. Then I decided to misspell my…
aMJay
173 votes, 4 answers

GitLab account hacked and repo wiped

I was working on a project, a private repo, and suddenly all the commits disappeared and were replaced with a single text file saying To recover your lost code and avoid leaking it: Send us 0.1 Bitcoin (BTC) to our Bitcoin address…
Stefan Gabos
153 votes, 5 answers

What to do if stuck with website that has poor security?

I have a student loan account with a company, not the biggest company but big enough to where they should have their act together. Today I couldn't remember my password to log into my account dashboard. I clicked "forgot password" and they prompted…
DasBeasto
142 votes, 24 answers

Why can't I just let customers connect directly to my database?

I'm pretty sure this is a stupid idea but I'd like to know why, so bear with me for a moment. Lots of the work backend developers do is providing CRUD access to customers via HTTP, essentially mapping data from and to the internal database.…
Moritz Friedrich
127 votes, 8 answers

Why is storing passwords in version control a bad idea?

My friend just asked me: "why is it actually that bad to put various passwords directly in program's source code, when we only store it in our private Git server?" I gave him an answer that highlighted a couple of points, but felt it wasn't…
115 votes, 13 answers

Is it good or bad practice to allow a user to change their username?

I have looked all over online as well as this site to try to find out more information regarding the security of this, but haven't found anything. In my particular case, the product is a website, but I think this question applies for any software…
104 votes, 12 answers

Why is client-side hashing of a password so uncommon?

There are very few websites that hash the user's password before submitting it to the server. Javascript doesn't even have support for SHA or other algorithms. But I can think of quite a few advantages, like protection against cross-site leaks or…
102 votes, 6 answers

What is the purpose of confirming old password to create a new password?

Suppose that someone stole my password; he/she can easily change it by confirming the old password. So I am curious why we need that step, and what is the purpose of the old-password confirmation?
ronaldtgi
96 votes, 6 answers

Why would someone open a Netflix account using my Gmail address?

This is something that happened to me a few months ago. I don't know if it is a hack attempt, although I can't think of any way that there could be any danger or any personal information gained. I don't have a Netflix account and never have done. …
user2760608
89 votes, 3 answers

Google account verification request

Yesterday evening my android phone (Google Play Services app) asked me to log in again into my account due to "security changes" (I don't remember the exact wording used). I double checked it was the real app and logged in again (I went through all…
BgrWorker
86 votes, 1 answer

Why are files that are not assigned to a user considered a security risk?

From the Linux Bible, edition 9: "Files that are not assigned to any username are considered to be a security risk." How is this possible and how could this be exploited? Edit: My question isn't a duplicate of the mentioned question because my…
AXANO
84 votes, 7 answers

Why is SMS used as a way of verifying a user's mobile, when it is not even encrypted in transit?

I did some research about how secure and private SMS messages are. Providers and governments can see these SMS messages in plaintext, but what is weird is that these messages are not encrypted in transit. According to my knowledge, that makes the…
79 votes, 8 answers

Company does not want any names on phishing reports

We have been recently contracted to run phishing tests for a company. Let's call it a company but basically they are obligated, by law, to assess the security of their environment with phishing campaigns. We ran our first campaigns not too long ago…
pm1391
78 votes, 8 answers

What is the suggested best practice for changing a user's email address?

I recently jumped onto the hypetrain for an unnamed email service and am currently on my way to update all my accounts on various websites to get most of my (future) data off Google's Gmail. During this adventure I came across a couple user-flows of…
Marv
77 votes, 7 answers

Is it unsafe to show message that username/account does not exist at login?

According to the OWASP Auth Guidelines, "An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account." However, I have…
styfle