Slashdot Mirror
User Naming Practices?
Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"
We've recently changed from a scheme to the .<last name> scheme, and it's generally been a pain because of 1) the extra typing, and 2) we now must know exactly how to spell those long and difficult last names, instead of just needing to memorize the beginning six letters.
As for a security issue, I would say the <first name>.<last name> scheme would make it easier to get back at a certain individual, but not so practical for automated actions. For instance, if your least-favorite person in the world is at john.doe@company.com, it would be easy to direct every piece of SPAM into the world to his email box with only the basic knowledge that he works at company.com.
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
The real danger is a standardized usernaming scheme + a standardized default password scheme (e.g., "password", or same as username). The "It won't happen to me" mindset takes over, and a majority of users never change their passwords. It's easy enough to get into anyone's account on systems like that.
Got Rhinos?
I am a person who does not go by my actual first name. Indeed, the name I go by is not actually listed on my birth certificate. The first initial of the name I go by does not match the first letter of my first name, either (I go by Hank Zimmerman, and my name is actually Charles Zimmerman)
There are quite a few people like me. I always find it a problem when someone wants to use my first name as part of my log-in/email address.
In a business setting, it means explaining why the name in the email address does not match the name of the person they just met. For all contacts, it means that the person trying to email me needs to remember my *real* name.
If a system is put in place such as last_name.first_initial or first_name.last_name, do not simply go by the name listed according to the HR department.
- (c) 2018 Hank Zimmerman
I used to work at a large medical institution. We had a large population of female employees, and as such had employees undergoing name changes quite frequently (marriage and divorice, etc). To overcome this issue we quit using last names in the username totally. We used the first 5 characters of the first name and a 3 digit sequence number.
This carries with it the problems of remembering your username, but with everyone wanting to keep their username matching their current last name, we were changing about 20 usernames a week on about 30 systems.
I have no sig, does anyone have one to spare?
There are a lot of places which use the last four digits of the SSN for identity verification. I'm not sure I'd like to have it be part of something as public as my email address.
As far as using full names goes, the Sendmail FAQ explains sufficiently well why that's a bad idea. See Q3.5.
Especially in a corporate environment, people expect to have reasonable looking user names. Most folks won't put up with being sfc123; it just is not professional.
This means that while it's a good idea to have guidelines, you can't be too much of a stickler. If a sales guy was jschmoe at his last three jobs, and all his contacts know his email as jschmoe, then it's really best if he can continue to be jschmoe. Forcing him to be joes341 instead doesn't make anyone happy.
Collisions are certainly an issue, but that's not the only problem. For example, a popular default choice might be first initial last name. Using that standard at one job we ended up with a "pharter" (say it out loud), and at another job there would have been an "aryan". These things just don't work.
Ideally I like to allow users their choice of login. I encourage them to select one of first initial last name, first name last initial, or initials. Every now and then someone will come along and want a login like "coolguy" or something completely random. Depending on the company culture and whether the user is "customer facing" I might be lenient.
I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.
Well... I for one need to read rfc793 (and any related rfcs), but its is far better ot include only certain characters than to exclude illegal characters for the simple reason that in the event of not including a necessary character, it is easy to fix, when users start bitching. But if you forget to exclude an illegal character, the usual way of finding that out is when your server gets hax0red.
Need a Catering Connection