Questions tagged [user-management]

91 questions
96
votes
6 answers

Should passwords be automatically reset when the underlying method changes

I'm currently an engineer on a project in development phase. One 'module' on this project gives the ability for user authentication/authorization. However it's come to our concern that the password hashing algorithm may not be up to cop (aka not…
Crazy Dino
  • 1,517
  • 11
  • 12
71
votes
10 answers

Why avoid shared user accounts?

I know it's best practice not to allow shared user accounts, but where is this best practice defined? Is it an ISO standard or something? What are the reasons to always create per person accounts?
Steve Venton
  • 749
  • 1
  • 5
  • 5
65
votes
2 answers

How can I prevent a computer from turning ON?

I was reading this question on Stack Exchange Workplace community and it indicates that an IT team was able to prevent a user from turning their laptop on (power on). My laptop access has been shut off (IT somehow remotely shut it down, it won't…
DxTx
  • 1,403
  • 2
  • 9
  • 20
22
votes
3 answers

Best practices on securely storing access tokens

What would be the best practices for storing access tokens of another API for your users? In particular I'm developing an application with some friends that lets users log into Facebook to both authenticate to our internal REST API and make it able…
Joren Van Severen
  • 329
  • 1
  • 2
  • 6
20
votes
6 answers

Is there a security advantage or risk in removing disabled user accounts?

So I'm having a debate with someone about whether or not to remove disabled accounts. My stance is that it is good network hygiene, reduces the amount of noise to sift through, etc. However, the argument is, what is the risk being addressed. I…
POSH Geek
  • 330
  • 1
  • 3
  • 10
18
votes
4 answers

Should email verification be followed by password-based login? Why?

A typical account creation process seems to be: Provide email address and set a password Receive confirmation email with a link and/or hashed token Click the link to verify and/or enter the token on the site However, I once read somewhere (and I…
10
votes
4 answers

How to suspend a user from my website and prevent them from creating a second account?

I am an outsourcing person, not a programmer. My website is a shopping website (think eBay). My website will need a user suspension feature, in case a user violates the terms and conditions. The problem is to detect users who create a second…
ahmed amro
  • 331
  • 1
  • 2
  • 10
10
votes
2 answers

When should user invite links (tokens) expire?

We have a system in which external users can be invited to our identity management system. The users are not employees of our company, but of our customers. The administrators of the customer do not have access to the system the users are invited…
9
votes
1 answer

How to protect a Wifi network from Microsoft WiFi Sense

Microsoft is deploying a new feature, WiFi Sense, which provides users a way to easily share passwords to wireless networks with all of their contacts. This introduces a new security failure mode: a user might decide to share a wifi network…
D.W.
  • 98,420
  • 30
  • 267
  • 572
9
votes
1 answer

How can utilities with setuid set to root be secure if they are debuggable?

Today I heard at Uni something that broke my mental model about separation of users' rights. Namely, I heard that: I can freely debug all programs I have the permission to run, even those that have setuid set to root. That means I can, for…
gaazkam
  • 5,607
  • 11
  • 24
  • 37
8
votes
5 answers

Preventing online voter fraud

As part of a promotional campaign, my company wants to launch a site where users (and potential users) of our product will be required to register and vote for certain choices. Depending on how successful it is this might become a regular feature.…
Samuel
  • 81
  • 1
  • 2
7
votes
2 answers

Best practices for verifying a user's identity for helpdesk

I had a conversation today and someone challenged me as to why you would need to verify the identity of a user calling a service desk with anything other than their company email. Granted, I know these can be spoofed, but the upper-level executive…
7
votes
1 answer

Guest user on MacBook Pro is suddenly on. Was I hacked?

Today I restarted my MacBook Pro and the guest user was on, when it has always been off before.
Chris Cinelli
  • 269
  • 3
  • 7
7
votes
2 answers

Win10: Access other logged on users' memory

How easily can admin users access the data of other users' running processes on Windows 10? Especially webpages loaded by Chrome. Example Context Bob and Alice share a single Windows 10 installation. Each has their own password protected local user…
6
votes
2 answers

Security precautions for shared iPads in a customer facing corporate environment

Most tablets, and iPads in particular, are typically single user devices. Scenario: A service business that interacts directly with customers in person and wants to use iPads while interacting with customers during the sale and for customer…
Eric G
  • 9,691
  • 4
  • 31
  • 58