Questions tagged [account-security]

Security controls and features related to an end user's account with a web/mobile based application or an operating system.

The following topics are considered on-topic for this tag:

  1. Security controls to prevent user accounts and related data from unauthorized access e.g. multi factor authentication.
  2. Questions related to security breaches where user account information is compromised.
  3. Questions related to user registration and verification mechanisms.
763 questions
51 votes, 5 answers

Is it possible to detect security breaches as a user before they're announced?

I'm always concerned about the security of services I use. I'm even more concerned since security breaches have been happening more and more lately, and they always generate a lot of noise in the media. Now I'm already trying to secure my accounts…
SEJPM
39 votes, 8 answers

Can the manufacturer remotely turn off my device?

In connection with recent events, I, as an ordinary citizen of Russia, wonder - can smartphone manufacturers (Google, Apple, Huawei, etc.) or any other (such as Microsoft, Cisco, etc.) remotely turn off my phone (or any other device)? I see…
RoyalGoose
37 votes, 4 answers

What can I do if I discover that my password hash has been leaked in pastebin?

Entering my email at https://haveibeenpwned.com/, I was told that I have been pwned. I am in http://pastebin.com/SCLNRHJQ. I already tried to find out my password by simply md5-hashing all my passwords I could think of and comparing them to the…
Alexander
27 votes, 4 answers

On my website's account creation form, how to avoid leaking the information that an email address already has an account?

It seems common practice, when denying access to a user because of an incorrect email / password combination, to not specify which of the username or password was incorrect. This avoids leaking the information that an account does or doesn't exist…
foucdeg
18 votes, 4 answers

Is it bad practice to have a 'super admin' - so they effectively bypass security checks in your system?

I have seen a few system designs in my time and one question keeps cropping up: Is it bad practice to have 'super admin' - single user - or 'super admin' privileges in your system? By that I mean giving one or many users 'super admin' privileges so…
Paul C
13 votes, 2 answers

Should I worry about a breach where my password was not revealed?

After browsing another question on this site, I discovered haveibeenpwned.com and thought I'd check my email. It came up with one breach which has, apparently, not been widely shared and does not include a password or much in the way of personal…
Bob Tway
4 votes, 2 answers

Should I inform the previous email account that it is no longer the main email address of my user?

I'm building a website where you can register with an email account. In your account private section you can find a form where you can change the email address to use when logging in. I wanted this form to send an email to the previous address in…
2 votes, 2 answers

Do account names need to be protected?

I signed into my bank's website and they demanded I change my username because it was found on the web--duh, it's my name and I've been online since the old BBS days. Huh? Since when are account names something to be protected? The rules presented…
Loren Pechtel
2 votes, 1 answer

What all security do I need to check to secure my application?

For an application with login and logout functionalities and browsing based upon authentication, what all do I need to secure it? I am basically very new to security and googling is leading to more confusion. To start with I have decided to use…
Gagan Singh
2 votes, 1 answer

Protecting an account after staying logged in in a public place

I had forgotten to log out of my personal T-Mobile web account on my computer at work today. When I came home, I remembered, so I logged on to my account at home (different computer, different network, of course, from work), and changed my…
2 votes, 2 answers

Why do login systems tell users an email address is not in the system?

Am I right assuming that by telling an attacker an email is or is not in the system the login is in fact weakened? Meaning if the attacker knows the email is correct he/she in fact already has 50% of the login details, no?
lowtechsun
2 votes, 1 answer

Is there a diagram based language for modelling security?

A lot of us will be familiar with UML for software engineering. Its uses are plentiful. Is there such a thing as a set of conventionally used diagrams for modelling any security scenario (speaking as a complete beginner to the field of…
2 votes, 3 answers

What are the security implications of allowing guest checkout using an email bound to a known account?

For a webshop, we allow customers to place an order either as a logged in user, or as a guest. Guest checkout in itself is a quite common feature for webshops. The webshop in question is selling physical goods, so customers will still be required to…
Jacco
2 votes, 2 answers

What should happen when an account is unlocked?

After a user's account is locked, and an admin goes to unlock it, should the user be required to reset their password? Or should they just be able to login without changing their password?
Tiffany
2 votes, 1 answer

Attack vectors that go through previously compromised accounts

Assume an attacker gains access to a user's account on some cloud service (like my Google, Microsoft, or whatever), the user discovers this, and changes their password. What are the scenarios that the user should then watch out for to ensure that…