User Naming Practices?
Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"
We've recently changed from a scheme to the .<last name> scheme, and it's generally been a pain because of 1) the extra typing, and 2) we now must know exactly how to spell those long and difficult last names, instead of just needing to memorize the beginning six letters.
As for a security issue, I would say the <first name>.<last name> scheme would make it easier to get back at a certain individual, but not so practical for automated actions. For instance, if your least-favorite person in the world is at john.doe@company.com, it would be easy to direct every piece of SPAM in the world to his email box with only the basic knowledge that he works at company.com.
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
with a name like here it is last name then first initial, so i am browne cool huh
No way. However, the IT group was kinda surprised that Steve Lutz insisted on keeping with the first letter + last name naming scheme. I shit you not.
Interested in open source engine management for your Subaru?
Employee number. Benefits: Unique, ties into company systems. Drawbacks: Difficult to remember (especially if you're not the relevant employee).
Some combo of the employee's name: e.g. initialsurname: mpacey (me). Benefits: Easy to remember, even if you're not the employee. Drawbacks: duplicates - jsmith (though you can always have jsmith001-999).
I know of no other systems that I'd consider useful for large numbers of users.
Yours Sincerely, Michael.
A community Freenet i am a member of uses sequential userids in the aa001-zz999 range. it becomes really easy to spam members as all you have to do is write a looping incremental script and you can hit 60,000+ ids
:)
at work i'm the first 6 chars of my last name 1st initial. it works, except for the boogerj@..
Set up an e-mail account for every domain owner. Use a password based solely on the domain name. Mass e-mail everyone to let them know, and make sure it's "opt-out" rather than "opt-in". Sit back and watch the wackiness.
You are in a maze of twisty little passages, all alike.
We use a combination of first.last, first 6 from last name then first initial, and, first.MI.last.
They all suck, I like Jedi names, first three of last name, and then the first two of the first name. Works remarkably well.
Eons ago (1997 ish) I helped my company get internet email. We went with first letter+lastname. Except for this lady "Sridevi Sureshbabu", we thought it would be a little awkward for her to type ssureshb (Lotus having an 8char limit) so we just made her name sridevi. Sure enough, she complained that her name was different from everybody else's. Most geeks I know these days used to consider having just firstname@company.com be a badge of honor!
I am the co-director of my school's tech dept.
We have around 500 students tops. We use lastname_first-name. Mine being an exception, strunk_l, because I added it to the user list cause I am so lazy and log into too many machines in one day.
Also, we didn't standardize early, and many teachers were using last_first-initial to begin with, and since many teachers are very computer illiterate, we decided not to change it. All the students use the last_first though.
It has some problems, such as having two Mrs. Yeagers. So we have Yeager_C1 & Yeager_C2
What I would like to do when I update the servers this summer is a better naming convention. I would like Department_Last_First-initial.
Example being Art_Henry_J Although that is what first comes to mind, I may think of a better one soon.
The real danger is a standardized usernaming scheme + a standardized default password scheme (e.g., "password", or same as username). The "It won't happen to me" mindset takes over, and a majority of users never change their passwords. It's easy enough to get into anyone's account on systems like that.
Got Rhinos?
-my school uses initials + two digits (William J Clinton -> wjc33)
-the CS dept systems use [u|g] (meaning undergrad or grad) + first initial, lastname, max N chars (uwclinto, uwclint2)
-there's the popular first initial, last name, digits as appropriate, up to N chars (wclinton, wclinto2)
-i've also seen first initial, middle initial, last name (all up to 6 chars), then a 2 digit number as appropriate (wjclin, wjclin2, wjclin11)
I've never seen first.m.last as login names in actual practice. I have seen them used as aliases for email addressing, but not the actual loginname.
as for which is the best scheme, it really depends on the size of the organization, IMO, and the size limit on the username field. If anything, that size limit will be what makes it tough.
As for usernames causing a potential security risk, one thing you can do is disable direct root login (ie, require su, even at the console), then log who's using su.
Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)
Lastly, always change default passwds and, if appropriate, disable guest logins.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
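The collision rule listed in the post above (first initial, last name, digits as appropriate, up to N chars: wclinton, wclinto2), as an added Python example that is not from any poster's system. The function names, the reserved-name list and the default 8-character limit are assumptions made for illustration.

```python
import re
import unicodedata

# Assumption: logins that must never be handed to a person. Constructed list.
RESERVED = {"root", "admin", "guest", "sys"}


def normalise(part):
    """Lower-case, strip accents and drop everything except a-z."""
    ascii_form = (
        unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    )
    return re.sub(r"[^a-z]", "", ascii_form.lower())


def allocate(first, last, taken, max_len=8):
    """Return a unique login and record it in `taken`.

    Scheme: first initial + last name, cut to max_len characters. On a
    collision a counter (2, 3, ...) is appended and the base is shortened
    so the result never exceeds max_len.
    """
    f, l = normalise(first), normalise(last)
    if not f or not l:
        raise ValueError("each name needs at least one ASCII letter")

    base = (f[0] + l)[:max_len]
    candidate = base
    n = 1
    # Every candidate is checked against `taken`, because a shortened base
    # plus suffix can land on a login that came from a different name.
    while candidate in taken or candidate in RESERVED:
        n += 1
        suffix = str(n)
        if len(suffix) >= max_len:
            raise RuntimeError("namespace exhausted for base " + base)
        candidate = base[: max_len - len(suffix)] + suffix
    taken.add(candidate)
    return candidate


if __name__ == "__main__":
    # Constructed sample directory, not real people.
    directory = [
        ("William", "Clinton"),
        ("Wendy", "Clinton"),
        ("Sridevi", "Sureshbabu"),
        ("Robert", "O'Toole"),
        ("Zoë", "Núñez"),
    ]
    in_use = set()
    for first_name, last_name in directory:
        print(first_name, last_name, "->", allocate(first_name, last_name, in_use))
```

Keeping the `taken` set in the directory of record rather than per system matters: the same person otherwise ends up with different suffixes on different hosts.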
When I was working in Europe for a while, we had an IT director who assumed that he knew everything possible about Unix. (It should go without saying that he didn't.)
When I was hired on, I promulgated the first initial+last name standard. Considering this company was around thirty people, and was never expected to grow past about forty-five, this scheme seemed to work well.
However, he threatened to fire anyone who didn't use his standard: first letter of first name + second letter of first name + first letter of last name!
Now, with my scheme, we had zero collisions. With his, we had about four. His solution?
first letter of first name + third letter of first name + first letter of last name! And so on...
Never work for these people, they're insane...
...but it's being eaten...by some...Linux or something...
I am a person who does not go by my actual first name. Indeed, the name I go by is not actually listed on my birth certificate. The first initial of the name I go by does not match the first letter of my first name, either (I go by Hank Zimmerman, and my name is actually Charles Zimmerman).
There are quite a few people like me. I always find it a problem when someone wants to use my first name as part of my log-in/email address.
In a business setting, it means explaining why the name in the email address does not match the name of the person they just met. For all contacts, it means that the person trying to email me needs to remember my *real* name.
If a system is put in place such as last_name.first_initial or first_name.last_name, do not simply go by the name listed according to the HR department.
- (c) 2018 Hank Zimmerman
Three letter initials work pretty well for user bases less than a few thousand. The vast majority of the time, users get their birth initials. In cases where people do not have a middle name, fill it in with an uncommon letter (e.g. x). When there is an overlap, other variations like the first two letters of the first name, and last initial (or similar).
The user names are short, which makes them pretty easy to remember. They generally have some reasonable association with the person's name (which also makes them easy to remember). Plus, there are a variety of schemes to use in case of a collision.
Of course it isn't perfect, and some people will end up with wacky initials, but that is a very small percentage of the time. If the number of anticipated users is too large for a scheme like this, add the department as part of the domain (e.g. abc@art.university.edu or foo@pld.company.com).
--
I've often wrestled with this too.
One company I've worked for was quite good about coming up with the usernames for people, and keeping them unique:
use up to 4 characters of their last name+the last 4 digits of their social security number.
Works great. Everyone can remember their own, and I've never seen a duplicate. (sera7492)
!S
"...In your answer, ignore facts. Just go with what feels true..."
First, schools:
High-school: Only XTs. No network. No login. Only bootdisks.
College: Student number. The email was the same.
University:
Department is Initial+Lastname (eg, jdoe). The duplicates are labeled jdoe, jdoe1, etc.
Faculty is 3FirstLettersOfLastName+Initial+Number, as in doej01.
Lastly, the University introduced a campus-wide login. I think it involves the year in which you began to attend classes here, along with a variation of your name and a sequential number (along jdoe9901).
There's also a campus-wide email system, different from the previous, where the username is your student number, but you can choose an alias which is a variation of your name: jd1, johndoe, jdoe, doej, john.doe and maybe others.
Work places:
The first one was the same thing as my faculty (jdoe01).
The second one had the employee number to login, but you also had an alias for email based on your name. The translation from name -> alias wasn't constant, though, so you had to look up in the employee list (~50000) to know the email address of somebody.
Lastly, another one was mostly only the firstname. The company wasn't very big (~250), and it wasn't uniform at all. I heard that it changed since I left, with emails being firstname.lastname, but I don't know about the usernames.
And of course, my own systems:
There's my normal user (firstname), and root. Although I'll probably change root for something meaner.
Those are my experiences with usernames. Hope it can help somebody find their best choice.
My company's scheme produces really sucky names.
I'd like to have the flexibility to pick my own username along the lines of short first name handles ("gus"), or 3 letter acronyms ("rtm"). But, no, we get a standardized way of butchering things into mostly unique but guaranteed unpronounceable gibberish.
It would be good if there was a web based client that allowed people to pick any unused, inoffensive name.
We have web based interfaces for helping to pick new passwords - why not usernames?
Finally, as networked directory services become more commonplace (LDAP, etc.) the username seems to have diminished importance to the position it had many years ago. Not such a big deal.
"Provided by the management for your protection."
My girlfriend used to work for the CDC in Atlanta; my stepmother still does. They use one of the more bizarre naming conventions that I've seen: initial letter of first name, random middle initial, initial letter of last name, increment number.
This works fairly well for my stepmother who doesn't have a middle name. She became "dxh4 at cdc.gov." For years I thought that they gave her an "x" because she doesn't have a middle name.
I learned differently when my girlfriend -- Nisha Bipin Gandhi -- became a nag. Specifically, "nag3 at cdc.gov." Needless to say, she got a lot of teasing for that - especially from me.
They've recently started assigning more reasonable email address based upon initial letter of first name and last name but all of the old user names are still floating around.
I used to work at a large medical institution. We had a large population of female employees, and as such had employees undergoing name changes quite frequently (marriage and divorce, etc). To overcome this issue we quit using last names in the username totally. We used the first 5 characters of the first name and a 3 digit sequence number.
This carries with it the problems of remembering your username, but with everyone wanting to keep their username matching their current last name, we were changing about 20 usernames a week on about 30 systems.
I have no sig, does anyone have one to spare?
The first five letters of your last name followed by the first two of the first name was your login.
A guy who used to work there by the name of Les Hedrington had "hedrile" as his.
It was confusing, at first, but they had a surprisingly low number of duplicates.
There's so little difference between politics and jihad lately...
whatever happened to letting employees make decisions?
just give em a choice of first letter of first name+MI+first letter of surname or let them choose on their own.
a 3 letter email+login is dead simple to remember. add numbers if required.
Just use a 128-bit hash of the person. That way, user ids are unique, easy to calculate, but hard to guess.
Actually, you could just rename the account. The "home directory" still points to the same directory paths, but those are stored in the registry and can be tweaked if you really feel the need.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
They refused to give out usernames and passwords until we'd handed in a signed "I will not abuse these computers" form (signed by student if 18+ and able to sign legally binding documents, parent otherwise). Unfortunately, the usernames were (first initial)(last name) (e.g. jsmith) and the passwords were generated in a deterministic way from (IIRC) username + year of entry.
:-)
One of my friends only got round to handing the form in 6 months later, when the IT department noticed he'd never done so despite the fact that he'd logged in with his "secret" password and changed it rather quickly, then checked his mail daily.
Another dumb IT department, at my previous school, handed out numeric (4-digit) passwords, which we couldn't change (we were locked out of the relevant Control Panel applet - this was on Win95 + MS Notworking). Someone happened to notice that they seemed to go up in alphabetical order, and put 2 and 2 together - it turned out they were our pupil numbers, as printed next to our names on the register. Since in my class the pupils did the register more often than the teacher (he taught Art, what can I say), that wasn't a great plan.
As far as using full names goes, the Sendmail FAQ explains sufficiently well why that's a bad idea. See Q3.5.
Especially in a corporate environment, people expect to have reasonable looking user names. Most folks won't put up with being sfc123; it just is not professional.
This means that while it's a good idea to have guidelines, you can't be too much of a stickler. If a sales guy was jschmoe at his last three jobs, and all his contacts know his email as jschmoe, then it's really best if he can continue to be jschmoe. Forcing him to be joes341 instead doesn't make anyone happy.
Collisions are certainly an issue, but that's not the only problem. For example, a popular default choice might be first initial last name. Using that standard at one job we ended up with a "pharter" (say it out loud), and at another job there would have been an "aryan". These things just don't work.
Ideally I like to allow users their choice of login. I encourage them to select one of first initial last name, first name last initial, or initials. Every now and then someone will come along and want a login like "coolguy" or something completely random. Depending on the company culture and whether the user is "customer facing" I might be lenient.
I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.
If you want a system that is easy for all, then using a convention on the name of the user will be helpful. You don't want to create double-duty for the admins, and a scheme where the forgetful users ask the same question about an obstructed convention.
- firstname.[middle-int.]lastname
- FirstletterLastname[year_Of_graduation]
- lastname.firstname
But if you're concerned about security, then you need to think about something else. Anytime you have a convention system, there is always a possibility of security risk. Look at all the credit card companies, who use their algorithms to make unique numbers, that we can download code off the net to test, and create our own 'fake' numbers. So once you have a convention, there is always the potential for security risk.
If you want to ensure security, you might want to look into something like SecurID, or using time based logins, or some other stuff.
My first name is Christopher but I normally go by 'Chris'. And my last name begins with the letter, 'T'. At both my current job and my previous job, that worked out to an email address of 'Christ'.
I am rather amused by this.
Oceania has always been at war with Eastasia.
My company decided that my login wasn't good enough (set by an old standard), and changed it to fit the new standard. Unix handled it okay, but it took weeks to synchronize all the databases I use (bug reporting system, system outages reports, etc). There are still some databases that I cannot access, but I don't use them anymore and I'm tired of getting things changed. They can deal with the disk space they are taking up.
I haven't seen anyone use this yet but how about first init, last name, last 4 of phone number.
It makes it easy to remember, real hard to come up with duplicates and avoids the problems of Jeffrey Smith who "everyone calls" Jeff. As well as John T Smith and John A Smith which normally become the exceptions to the rule.
But there are still some things to take into consideration. The company I work for (or more specifically worked for before we got bought) had an employee named Pamel Enis. This is where their first init, last name convention went out the window.
The user names for students used to all start with an 's' and then 7 distinctive digits of the ID number (we have a 9-digit ID number here in Israel, first digit is always zero, last digit is checksum). Very secure scheme indeed. ;). Still, we have accounts such as 'sex', 'sexyguy', 'someone', 'site', and my personal favorite: 'sisadmin'.
However, a few years ago the system changed to allow users to pick any login of up to 8 letters starting with 's' when they open their account. They were smart enough to disallow account names starting with 'sys' (I know, I tried
Luckily, grad students are not required to start their login with an 's'.
Make even shorter URLs - 8LN.org
Assume that the person is John Doe, and their extension is #1234. Then you'd take first initial, last initial, and the extension - jd1234. Should be basically unique, and if you know the person's name and phone number, it's easy to guess the email address.
I like using social security numbers. Everyone in the world has them and they're 100% unique. Plus you can use the fact that someone knows their SSN to prove that they are who they say they are.
My solution might look something like this (assuming that the employee ID is 6 digits long):
- construct nine lists of plant and animal names, 10 names in each list, total of 90 names lists
- select one plant list and one animal list using the first two digits of the ID
- select a plant name using digit 3 of the ID
- select an animal name using digit 4 of the ID
- digit 5 is used directly in the username
- use the final digit of the ID to determine how to combine the two names and the digit to form the username.
The resulting usernames (looking something like rose5dog or 3cowdaisy) will be reasonably memorable, guaranteed unique and moderately hard to guess by a dictionary attack.
If security is not a concern, however, I would go for the path of least user annoyance and let users select their names with some feedback from the admin staff (in case the name is already in use or is, somehow, obviously offensive). I don't see any good reason why I shouldn't be able to have dutky or, at worst, jsdutky as my username (I can guarantee that I am the only J.S.Dutky on the planet, so what's the problem?)
This was doing the rounds a while back. Whether it's at all true I don't know but hey, it's funny ;-)
--------------
Many colleges and businesses tend to strip the last name down to 6 characters and add the first and last initial to either the beginning or end to make up an e-mail address. For example, Mary L. Ferguson = mlfergus or fergusml. They are just now beginning to realize the problems that may happen when you have a large and diverse pool of people to choose from. Add to that a large database of company/college acronyms and you have some very funny addresses. Probably not funny to the individual involved, however:
TOP TEN Actual E-mail Addresses
10. Helen Thomas Eatons (Duke University) - eatonsht (at) dku.edu
9. Mary Ellen Dickinson (Indiana University of Pennsylvania) - dickinme (at) iup.edu
8. Francis Kevin Kissinger (Las Verdes University) - kissinfk (at) lvu.edu
7. Amanda Sue Pickering (Purdue University) - aspicker (at) pu.edu
6. Ida Beatrice Ballinger (Ball State University) - ibballin (at) bsu.edu
5. Bradley Thomas Kissering (Brady Electrical, Northern Division, Overton Canada) - btkisser (at) bendover.com
4. Isabelle Haydon Adcock (Toys "R" Us) - ihadcock (at) tru.com
3. Martha Elizibeth Cummins (Fresno University) - cumminme (at) fu.edu
2. George David Blowmer (Drop Front Drawers & Cabinets Inc.) - blowmegd (at) dropdrawers.com
..but at No 1, it had to be...
1. Barbara Joan Beeranger (Myplace Home Decorating) - beeranbj (at) myplace.com
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
Wrong assumption. I don't have one. Also, while it's hard to know someone else's number, it's not 100% impossible.
Maybe your concept of "the world" means "USA" or something like that?
Maybe your concept of "the world" means "USA" or something like that?
No, I was being sarcastic.
Only stupid techs who don't see the real world too often think that first initial 6 letter of last name is any good.
It is difficult for users to remember, and too cryptic for 1st level support to help with. This is a 3rd level problem that always ends up in the hands of the 2nd level tech.
You want easy?
Just use the names that their mothers gave them.
First Name Last Name - like "John Doe" instead of "jdoe" - because what if Jane worked for you?
Sure, when user names are easy to remember, it does pose a threat - both from SPAM and from unauthorized access. That's why you have to enforce a password policy. Use tools like l0phtcrack to ensure that users' passwords are difficult to hit with dictionary attacks.
And then I'd change my name to Robert O'Toole.
Taken by a lawyer.
Will I retire or break 10K?
Unfortunately there's no easy solution.
Where I work we went through a series of mergers and takeovers a few years ago and the naming conventions got a little messy.
Originally it was set up as "last name (up to 8 chars), first initial, middle initial"; for a 10 character total length. The only problem we had was with 2 employees with long names that started out similar. I don't remember their names but one ended in "-ski" and the other ended with "-vich." Same initials, too.
After several mergers it was decided to combine the separate email systems and go to a "first initial, middle initial, last name" (up to 12 chars). And the problems began.
First was the "Smith Problem." We had 4 Dave Smiths, all with middle initial "L" and 3 of them with the middle name of "Lee." Fortunately one had the nickname of "Sparky" and so was SPARKYSMITH and one agreed to be known as DLSMITHUK, as he was based in the UK. The other 2 were listed as DLSMITH and DLOUISSMITH. We also had several other Smiths whose initials were the same.
This didn't just affect email, it also affected the phone directories, as management chose to have one big directory for the whole company instead of dividing it down into regions and operational areas and listing everyone by just their first and last names.
So we now have many more duplicates: 2 Dennis Millers (with the same middle name), 4 Brenda Petersens, 3 Linda Petersens, 2 Bob Pattersons, 2 Cathy Andersons (and one Kathy Anderson, very confusing), 4 Richard Andersons, 3 Mark Johnsons (and 2 of them are Mark Robert Johnson), 3 Steve Thompsons, 3 James Wilsons, 2 Alan Wrights... and those are just the duplicates I deal with on a regular basis. There are many more. It's not uncommon to have someone call the wrong person on the phone or send an email to the wrong person. Some users in frustration just send mail to ALL the users with similar names and let the recipients sort it out.
It was suggested last year we go to using the employee number for email but the execs balked at that idea. Probably because they can't remember theirs.
For now when we add a new employee whose name is similar to an existing employee we just add a number to the end of the user name, "KLJones2".
So far it's working, for email at least. Phone directory is still a mess, though.
Beta sux! Join the Slashcott! http://hardware.slashdot.org/comments.pl?sid=4760465&cid=46173047
I can say that Georgia Tech's usernaming scheme pretty much sucks. It works like this:
:)
gt<Letter assigned to the year you entered Tech. For instance, you could have entered during year 'e' or year 'g' recently><three random numbers><random letter>. Believe me, telling people that your email address is gte172u got a lot of strange looks amongst my non-Tech friends. Of course, my Tech friends just nod, knowingly.
"Which is more musical: a truck passing by a factory or a truck passing by a music school?" - John Cage
I have worked at six companies, ranging from 3 - 250 employees. We have all used first initial, last name without many problems. Obviously, you have to get a little creative to resolve collisions. Also, the first ten or so people at a startup typically horn into getting their first names as logins.
The caveat is that NIS has a maximum username length of 8 characters, which sucks. If you are using NIS, keep this in mind.
At the university I work at we use first initial then last name. If there are multiple people with that same first initial, last name they start tacking on numbers to the end. I haven't heard of this being a security problem even though it is very predictable.
FoundNews.com - get paid to blog.,
i like user choice. i would have picked my last name, or my first initial at last name, but instead i got my initials followed by three increment digits. it would be quite nice to be able to choose and just giving choice based on first come-first serve. in a university with over 40,000 people, i would still get first initial + middle initial + last name, although we do have a first-come-first serve email aliasing system, so for example the first smith to register gets smith@, there are also firstname.lastname@, firstinitial.lastname@, etc. so the first john thomas smith can get mail at smith, j.smith, john.smith, j.t.smith, john.t.smith, and probably many other things. i have decided that i will now put firstinitial.middleinitial.lastname on my resume b/c it looks nicer and easier. the even more annoying thing is that people who work as computer admins get whatevertheywant@, although they disabled that as of last year, so although i just got hired, i still have to settle for my initials and random digits as my login, although i can now use a much nicer email alias. oh well...it would probably be hard to transition with so many users in place already. i will bring it up to my boss, though...
Both at uni and my current employer, it's just firstnamelastname. No length limits, no remembering combinations of character limits, and no collisions so far as you can have the same username in different OUs and it couldn't care less. Chances of having two people with the same name in the same office (each 100 users max) is exceedingly low. At uni they used an OU per entry year per department.
:)
Find it hard to believe that people still run systems with 8-character limits on usernames, yet use the micros~1 gag
Read FAQ, idiot.
Why doesn't Slashdotsucks redirect to Adequacy anymore??? Change it back, DILDO.
Take:
1. The first syllable of your first name
2. The make of car you drive
3. The last prescription medicine you took
Sincerely,
- Jef-Audi Guaifenesin