Slashdot Mirror


User Naming Practices?

Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"

9 of 109 comments

  1. Options by sydb · · Score: 2, Interesting

    Employee number. Benefits: Unique, ties into company systems. Drawbacks: Difficult to remember (especially if you're not the relevant employee).

    Some combo of the employee's name: e.g. initialsurname: mpacey (me). Benefits: Easy to remember, even if you're not the employee. Drawbacks: duplicates - jsmith (though you can always have jsmith001-999).

    I know of no other systems that I'd consider useful for large numbers of users.

    --
    Yours Sincerely, Michael.
  2. sequential is a bad idea by linuxbert · · Score: 2, Interesting

    A community Freenet I am a member of uses sequential userids in the aa001-zz999 range. It becomes really easy to spam members, as all you have to do is write a looping incremental script and you can hit 60,000+ ids.

    At work I'm the first 6 chars of my last name, 1st initial. It works, except for the boogerj@.. :)

  3. the age old debate ... by reaper20 · · Score: 4, Interesting

    We use a combination of first.last, first 6 from last name then first initial, and, first.MI.last.

    They all suck, I like Jedi names, first three of last name, and then the first two of the first name. Works remarkably well.

  4. Our system by Anonymous Coward · · Score: 2, Interesting
    Until recently my company had firstname_lastname, which was pretty annoying in many instances (such as email forms that did not allow _, or the fact that our Blackberries only have _ in the special characters section). Recently we switched over to firstname.lastname. Ready for the scary part? In the event of a clash, they go to firstname-middleinitial.lastname. So your email really could be john-p.smith@blahblah. Ewwww. Why they couldn't use .middleinitial. is beyond me.

    Eons ago (1997 ish) I helped my company get internet email. We went with first letter+lastname. Except for this lady "Sridevi Sureshbabu", we thought it would be a little awkward for her to type ssureshb (Lotus having an 8char limit) so we just made her name sridevi. Sure enough, she complained that her name was different from everybody else's. Most geeks I know these days used to consider having just firstname@company.com be a badge of honor!

    1. Re:Our system by Permission+Denied · · Score: 5, Interesting
      firstname_lastname, which was pretty annoying in many instances (such as email forms that did not allow _, ...)

      This is highly annoying.

      We have a very cool sendmail setup - it interfaces with our directory database, so, while my username is "flastnam" (first initial, first seven of last name), I get mail to f-lastname@, first-lastname@, first.lastname@, lastname@, etc. Ambiguities are solved by bouncing the email, with a friendly message explaining exactly how our system works.

      We have another neat feature with our sendmail setup - you can append a plus sign and any arbitrary string to the username part of your email address. So, Sybase thinks I'm lastname+sybase@domain.com, Amazon thinks I'm lastname+amazon@domain.com, etc. I now get zero spam and I've even caught one company selling my email address (and that email address was promptly procmailed away, for good).

      The annoying part? Stupid, idiotic web programmers who've never heard of rfc822. They don't think the plus sign is a valid character for an email address. In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address. For some reason, these web programmers write their regular expressions to only include certain characters, rather than to exclude the illegal characters. To these web programmers, I say: read rfc793, especially section 2.10. Your "security" principles are unsound: you shouldn't be passing any user input to anything that might interpret it as a shell command (can happen in perl if you're not careful), an SQL statement (happens in a lot of php code that I see that doesn't use addcslashes() or friends), or be putting your user input anywhere near an unchecked buffer (poorly-written C programs).

      But enough of the rant. The non-rant portion of this message is that you might want to investigate separating your email address namespace and your username namespace. We do this, and it's quite nice.
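The alias resolution, ambiguity bounce and plus-tagging described in the comment above, sketched as an added example (not part of the original comment and not the poster's sendmail configuration). The directory entries, the `example.com` domain and all function names are constructed for illustration, and a single mail domain is assumed.

```python
from collections import defaultdict

# Constructed directory: login -> (first name, last name). Not real data.
DIRECTORY = {
    "jsmith": ("John", "Smith"),
    "asmith": ("Alice", "Smith"),
    "wclinton": ("William", "Clinton"),
}


def alias_forms(login, first, last):
    """Local-part forms listed in the comment, plus the login itself."""
    f, l = first.lower(), last.lower()
    return {login, f"{f[0]}-{l}", f"{f}-{l}", f"{f}.{l}", l}


def build_alias_map(directory):
    """Map every alias form to the set of logins that could claim it."""
    amap = defaultdict(set)
    for login, (first, last) in directory.items():
        for form in alias_forms(login, first, last):
            amap[form].add(login)
    return amap


ALIASES = build_alias_map(DIRECTORY)


def resolve(address, amap=ALIASES):
    """Return (status, logins, tag) for one recipient address.

    The "+tag" suffix is split off before lookup, so the tag never has to
    exist in the directory; it is returned so a filter can act on it.
    The local part is only ever used as a dictionary key, never interpreted.
    """
    local, sep, _domain = address.rpartition("@")
    if not sep or not local:
        return ("bounce-malformed", [], None)
    base, _, tag = local.partition("+")
    matches = sorted(amap.get(base.lower(), ()))
    if len(matches) == 1:
        return ("deliver", matches, tag or None)
    if matches:
        # More than one person owns this alias: bounce rather than guess.
        return ("bounce-ambiguous", matches, tag or None)
    return ("bounce-unknown", [], tag or None)
```

Keeping the tag in the result is what makes the leak attribution in the comment possible: mail arriving for `clinton+amazon` from anyone other than that vendor shows which party passed the address on.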

  5. some schemes i've seen.... by jeffy124 · · Score: 3, Interesting

    -my school uses initials + two digits (William J Clinton -> wjc33)
    -the CS dept systems use [u|g] (meaning undergrad or grad) + first initial, lastname, max N chars (uwclinto, uwclint2)
    -there's the popular first initial, last name, digits as appropriate, up to N chars (wclinton, wclinto2)
    -i've also seen first initial, middle initial, last name (all up to 6 chars), then a 2 digit number as appropriate (wjclin, wjclin2, wjclin11)

    I've never seen first.m.last as login names in actual practice. I have seen them used as aliases for email addressing, but not the actual loginname.

    As for which is the best scheme, it really depends on the size of the organization, IMO, and the size limit on the username field. If anything, that size limit will be what makes it tough.

    As for usernames causing a potential security risk, one thing you can do is disable direct root login (ie, require su, even at the console), then log who's using su.

    Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)

    Lastly, always change default passwds and, if appropriate, disable guest logins.

    --
    The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
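The "first initial, last name, digits as appropriate, up to N chars" scheme from the comment above, as an added example (not part of the original comment). The function names and the default limit of 8 characters are assumptions; the sample names are the ones the comment uses.

```python
import re


def candidates(first, last, max_len=8):
    """Yield logins in the order the scheme would try them.

    The digit suffix counts against max_len, so the base is shortened as the
    number grows: wclinton, wclinto2, ..., wclinto9, wclint10, ...
    """
    base = re.sub(r"[^a-z]", "", (first[:1] + last).lower())
    if not base:
        raise ValueError("name has no ASCII letters to build a login from")
    yield base[:max_len]
    n = 2
    while True:
        suffix = str(n)
        keep = max_len - len(suffix)
        if keep < 1:
            raise ValueError("username space exhausted for this length limit")
        yield base[:keep] + suffix
        n += 1


def allocate(first, last, taken, max_len=8):
    """Pick the first free candidate and record it in the `taken` set."""
    for name in candidates(first, last, max_len):
        if name not in taken:
            taken.add(name)
            return name


if __name__ == "__main__":
    issued = set()
    # Two different people whose names truncate to the same base collide too.
    for person in [("William", "Clinton"), ("Wendy", "Clinton"),
                   ("Walter", "Clintonson")]:
        print(person, "->", allocate(*person, issued))
```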
  6. CDC by rubinson · · Score: 5, Interesting

    My girlfriend used to work for the CDC in Atlanta; my stepmother still does. They use one of the more bizarre naming conventions that I've seen: initial letter of first name, random middle initial, initial letter of last name, increment number.

    This works fairly well for my stepmother who doesn't have a middle name. She became "dxh4 at cdc.gov." For years I thought that they gave her an "x" because she doesn't have a middle name.

    I learned differently when my girlfriend -- Nisha Bipin Gandhi -- became a nag. Specifically, "nag3 at cdc.gov." Needless to say, she got a lot of teasing for that - especially from me.

    They've recently started assigning more reasonable email addresses based upon initial letter of first name and last name but all of the old user names are still floating around.

  7. My school did this. by smcv · · Score: 2, Interesting

    They refused to give out usernames and passwords until we'd handed in a signed "I will not abuse these computers" form (signed by student if 18+ and able to sign legally binding documents, parent otherwise). Unfortunately, the usernames were (first initial)(last name) (e.g. jsmith) and the passwords were generated in a deterministic way from (IIRC) username + year of entry.

    One of my friends only got round to handing the form in 6 months later, when the IT department noticed he'd never done so despite the fact that he'd logged in with his "secret" password and changed it rather quickly, then checked his mail daily :-)

    Another dumb IT department, at my previous school, handed out numeric (4-digit) passwords, which we couldn't change (we were locked out of the relevant Control Panel applet - this was on Win95 + MS Notworking). Someone happened to notice that they seemed to go up in alphabetical order, and put 2 and 2 together - it turned out they were our pupil numbers, as printed next to our names on the register. Since in my class the pupils did the register more often than the teacher (he taught Art, what can I say), that wasn't a great plan.

  8. Re:I have the answer. by Rick+the+Red · · Score: 3, Interesting
    Yeah, major security boo-boo. I worked at a place that used your initials plus the last four digits of SSN. It daily re-affirmed that workers are no more than a number to them. Working there felt like THX1138 without the drugs.

    --
    If all this should have a reason, we would be the last to know.