Reduce profile data
In order to encourage privacy by design, I would recommend reducing the information that is held in the account data.
Explicitly, I would recommend/encourage getting rid of the actual identity strings, replacing them with aliases, and only storing the hashed version.
As we recently saw with Gravatar, vulnerabilities allow account enumeration and the like in the worst case. This is not necessary when one accepts some trade-offs.
We can just store the hash of most identities in the database. There should be a primary identity that is used as an emergency contact, but otherwise identities should just get an alias field that is used as their UI identifier and otherwise be stored in the form of a hash. This reduces the ability to collect mail addresses and OpenIDs even if the database were breached.
From a workflow perspective, it's not necessary to store an identity after successful verification, as all further actions are performed with the hash only.
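A sketch of the storage model proposed above, added here as an illustration and not code from the project. The `Account` class, its method names, the SHA-256 choice and the trim/lower-case normalization are all assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass, field


def identity_hash(identity: str) -> str:
    """SHA-256 of the trimmed, lower-cased identity (assumed normalization)."""
    return hashlib.sha256(identity.strip().lower().encode("utf-8")).hexdigest()


@dataclass
class Account:
    # The only plaintext identity kept: the emergency contact.
    primary_identity: str
    # Every identity, primary included, as hash -> alias shown in the UI.
    identities: dict = field(default_factory=dict)

    def __post_init__(self):
        self.add_verified(self.primary_identity, alias="primary")

    def add_verified(self, identity: str, alias: str) -> str:
        """Call after verification succeeded; the plaintext is dropped here."""
        digest = identity_hash(identity)
        self.identities[digest] = alias
        return digest

    def alias_for(self, digest: str):
        """Later actions (lookup, UI listing) work from the hash alone."""
        return self.identities.get(digest)

    def remove(self, alias: str) -> bool:
        """Delete an identity by its alias; the primary cannot be removed."""
        if alias == "primary":
            return False
        for digest, name in list(self.identities.items()):
            if name == alias:
                del self.identities[digest]
                return True
        return False

    def stored_record(self) -> str:
        """What a dump of this row would expose."""
        return repr(self)


if __name__ == "__main__":
    # Constructed sample addresses.
    acct = Account("owner@example.org")
    acct.add_verified("Second.Address@Example.com ", alias="work")
    print(acct.stored_record())
```

An unkeyed hash still lets anyone who already knows an address confirm that it is registered, so this limits bulk harvesting of addresses from a dump rather than hiding membership.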