Questions tagged [identity]

Identity is the property of an object which allows it to be uniquely specified.

Identity allows you to specify a specific object or individual out of a group of objects or individuals.

For example: If Ann asks Bob to move a rock, she may specify the specific rock from rocks in the general area by:

  • pointing her finger at the rock
  • describing the rock's size, shape and color
  • giving map coordinates of the intended rock.

For people, a name is an ambiguous specification because it may not be unique: there may be more than one Ann, or even more than one Ann Baker. In computer systems, individuals are usually given a unique username, so that the use of a username is unambiguous.

232 questions
16 votes, 3 answers

Best practices for GPG user ids

What is the best practice for choosing GPG user id(s)? I've read various bits of advice, which sometimes even contradict each other. For instance, I've read that one should not use comments, because they are not part of your identity. But strictly…
Flimzy
16 votes, 4 answers

Are malicious relying parties able to abuse OpenID logins?

If I log on with OpenID to a website (crafted by attackers/hackers), I want to know how much damage they can do to me. Are they able to steal my contact info, name, etc. (assuming I'm using Gmail OpenID)?
Pacerier
15 votes, 3 answers

Length of CSRF Token

Is there any standard length of the token which should be used while generating the random tokens? Should we use the same standard which we use for generating Session IDs?
p_upadhyay
15 votes, 3 answers

How to secure identity after someone dies?

How would you go about securing the online identity(ies) of someone as best you can after they've died, when they haven't put anything in place ahead of time for this event? Assume we don't know how many identities or services they've used, but at…
matt wilkie
14 votes, 3 answers

Someone keeps using my email address. What to do?

I have had a GMail ever since it was created, so it's an email address that is easy to remember, but also easy for somebody else to get confused with. Since I'm not going to post my email address here, I'll put the format for it which is [first…
SameOldNick
14 votes, 3 answers

Why would someone register a Facebook account with a stolen email address?

I witnessed an interesting attack today. Someone was able to register a new Facebook account with the email address of a friend of mine. We don't know how it happened, because Facebook requires you to click on a confirmation link to use an email…
Demento
13 votes, 2 answers

Why do some companies ask for the last 4 digits of my SSN or a scan of my ID? What are my risks?

Yesterday I found out that some major service provider (online rentals) that I use now requires proof of my identity if I want to continue and make a booking. I was offered 2 options: Enter last 4 digits of my social security number and answer…
12 votes, 1 answer

What encryption prevents the tampering of Windows Identity Foundation (WIF) FedAuth cookies?

It occurred to me that the WIF FedAuth cookies contain identity information that, if tampered with, could permit someone to assume the identity of another user. Fortunately, WIF does cryptographically authenticate the message, but I don't…
makerofthings7
12 votes, 2 answers

Benefits and drawbacks of giving an Administrator two accounts for elevated rights and another for daily use, such as email

Microsoft has long promoted the need to separate administrative accounts from regular use accounts, as shown with this guidance. MSFT even went so far as to create ADMINSDUser rights to put administrative accounts in a separate "class" than regular…
12 votes, 11 answers

Besides IP addresses, how else could one be identified?

OP: I'm curious how else an actor seeking to identify someone online could accomplish this task besides just using an IP address. What methods would they employ? What knowledge must they have of the target? What technology would they need access…
Charles Hoskinson
11 votes, 2 answers

Electronic identity and digital signatures - why they are different?

It seems (to me at least) that it is generally accepted that "electronic identity" and "digital signatures" are different things. For example, in the Estonian ID card there are two certificates - one for identity, and one for signing. They…
Bozho
11 votes, 2 answers

How to protect against exploitation using a lapsed domain

Consider a domain that had been in active use for some time but is no longer desired — perhaps the company is out of business or a name change took place years ago, or whatever. The domain registration will be allowed to lapse. I'm guessing there…
Andrew Vit
11 votes, 1 answer

How to prepare for protecting identity after death?

In the context of online accounts and identities, what are some best practices to prepare for the one certainty we all face: not a one of us will get out alive.
matt wilkie
11 votes, 3 answers

How secure can IP based login be?

From several security books and sites I understand that IP-based security (with which I mean: user is verified only by IP address) is a bad idea. One of the reasons is obvious, multiple actual users can use the same IP address. Our idea is not new:…
Abel
10 votes, 7 answers

Aren't permanently logged in accounts inherently insecure?

The basic premise behind a "keep me logged in until I log out" feature is that a cookie is stored with some identifier that is used to log the user in again when returning to the site. While these identifiers are generally quite long, isn't it…
Will