Questions tagged [identity]

Identity is the property of an object which allows it to be uniquely specified.

Identity allows you to specify a specific object or individual out of a group of objects or individuals.

For example: If Ann asks Bob to move a rock, she may specify the specific rock from rocks in the general area by:

  • pointing her finger at the rock
  • describing the rock's size, shape and color
  • giving map coordinates of the intended rock.

For people, a name is an ambiguous specification because it may not be unique. There may be more than one Ann, or even more than one Ann Baker. For computer systems, individuals are usually given a unique username, so that the use of a username is unambiguous.

232 questions
96
votes
6 answers

Are GUIDs safe for one-time tokens?

I see a lot of sites use GUIDs for password resets, unsubscribe requests and other forms of unique identification. Presumably they are appealing because they are easy to generate, unique, non-sequential and seem random. But are they safe enough for…
Michael Haren
  • 1,062
  • 1
  • 7
  • 7
52
votes
10 answers

Why use usernames and not just email addresses to identify users?

Why use usernames, and not just email addresses, to identify users? - What is the main concern or the main case when a security expert (which I'm not) should recommend inserting another layer of usernames, for example, when a native/web application…
user9303970
  • 443
  • 1
  • 4
  • 15
50
votes
21 answers

Are there unphotographable, but scannable ID cards?

We have a client who hosts an event, with a tight budget, that uses lanyarded Photo-ID cards with barcodes on them. The barcodes are used to gain access to various areas at the event. We were thinking of proposing a hashed code (currently the IDs…
Konchog
  • 605
  • 1
  • 5
  • 9
46
votes
4 answers

Paypal sent an email addressing me with one of my old passwords as my name

I got this email from service@intl.paypal.com, with the title: Your account has been limited until we hear from you. I think this is a scam / spoof email because I don't see any notification in my Paypal account and this Hotmail account is not…
apertur
  • 572
  • 4
  • 8
46
votes
5 answers

Should usernames be kept secret?

Help me settle a discussion among colleagues and guide future design: Even in a high impact scenario: e.g. protecting payment application or government gateway but in an Internet accessible application Is it worthwhile implementing any of the…
Rakkhi
  • 5,783
  • 1
  • 23
  • 47
40
votes
2 answers

Role Based Authorization vs. Claim Based Authorization

What is the difference between "role based authorization" and "claim based authorization"? Under which circumstances would it be appropriate to implement each of these authorization models?
user960567
  • 2,461
  • 4
  • 16
  • 16
36
votes
7 answers

Could governments and banks become CAs?

When you apply for a passport, driver's license, home mortgage, bank account, credit card, etc., the issuing organization must verify your identity. In the course of doing so, would it be feasible for them to issue an x.509 certificate? These could…
shadowtalker
  • 541
  • 4
  • 11
33
votes
3 answers

Why do I need to hide my phone's IMEI

If it is a secret then why is it visible on the box, invoice and the back of the phone? If it is not a secret then why does it have to be blurred when it gets posted online?
Ulkoma
  • 8,793
  • 16
  • 65
  • 95
25
votes
3 answers

A Different Approach to PKI

After yet another failure of the public key infrastructure, I was thinking about how broken the whole thing is. This business of undeniably associating an identity with a public key, and all the work we put into achieving it, is starting to feel…
lynks
  • 10,636
  • 5
  • 29
  • 54
23
votes
1 answer

Ways to sign gpg public key so it is trusted?

I have a service through SSL which gives the user a code for a specific reason. I want to sign the code with the web server's private key (gpg --clearsign) and send the signed code along so that they can verify its origin after they leave my…
Ken Bachmann
  • 233
  • 1
  • 2
  • 4
21
votes
1 answer

What's this kind of authentication scheme called?

In the past I've heard about a scheme to prove your identity online in places like forums, without having to create an account. When posting, the user would enter a password which is then heavily hashed and displayed publicly along with the post.…
Luc
  • 31,973
  • 8
  • 71
  • 135
20
votes
2 answers

Spam that comes from names in my address book, but not their email addresses

I've recently received two spam messages that show a possibly worrying degree of knowledge about my contacts, and I'm wondering how concerned I should be. Specifically, the names -- but not the email addresses -- that they appear to come from are…
Matt McHenry
  • 405
  • 1
  • 3
  • 8
20
votes
2 answers

Best Practice: “One per-user ssh key” or “multiple per-host ssh keys”

Possible Duplicate: What’s the common pragmatic strategy for managing key pairs? I was party to a conversation last week about which approach to ssh keys is more “secure”. Note that when contemplating “secure” we were trying to factor in human…
Srinivas
  • 201
  • 1
  • 2
  • 4
19
votes
6 answers

How to verify that someone is who they say they are online?

I am working on an online job application web app and the question has come up about how we will verify that someone submitting an application is who they say they are. For example, we don't want Jon Smith submitting an application for Abe…
Abe Miessler
  • 8,155
  • 10
  • 44
  • 72
18
votes
3 answers

Can law enforcement track a criminal through dynamic IP address?

I ask because a week ago my home was broken into and, among other things, my iMac computer was stolen. I am desperate to get it back because it has all the pictures of my daughters from the last several years (did not back up any where else). I…
Ruth Bravo
  • 181
  • 1
  • 1
  • 4