User Naming Practices?
Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"
We use a combination of first.last, first 6 from last name then first initial, and first.MI.last.
They all suck. I like Jedi names: first three of last name, and then the first two of the first name. Works remarkably well.
My girlfriend used to work for the CDC in Atlanta; my stepmother still does. They use one of the more bizarre naming conventions that I've seen: initial letter of first name, random middle initial, initial letter of last name, increment number.
This works fairly well for my stepmother who doesn't have a middle name. She became "dxh4 at cdc.gov." For years I thought that they gave her an "x" because she doesn't have a middle name.
I learned differently when my girlfriend -- Nisha Bipin Gandhi -- became a nag. Specifically, "nag3 at cdc.gov." Needless to say, she got a lot of teasing for that - especially from me.
They've recently started assigning more reasonable email addresses based upon initial letter of first name and last name but all of the old user names are still floating around.
This is highly annoying.
We have a very cool sendmail setup - it interfaces with our directory database, so, while my username is "flastnam" (first initial, first seven of last name), I get mail to f-lastname@, first-lastname@, first.lastname@, lastname@, etc. Ambiguities are solved by bouncing the email, with a friendly message explaining exactly how our system works.
We have another neat feature with our sendmail setup - you can append a plus sign and any arbitrary string to the username part of your email address. So, Sybase thinks I'm lastname+sybase@domain.com, Amazon thinks I'm lastname+amazon@domain.com, etc. I now get zero spam and I've even caught one company selling my email address (and that email address was promptly procmailed away, for good).
The annoying part? Stupid, idiotic web programmers who've never heard of rfc822. They don't think the plus sign is a valid character for an email address. In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address. For some reason, these web programmers write their regular expressions to only include certain characters, rather than to exclude the illegal characters. To these web programmers, I say: read rfc793, especially section 2.10. Your "security" principles are unsound: you shouldn't be passing any user input to anything that might interpret it as a shell command (can happen in perl if you're not careful), an SQL statement (happens in a lot of php code that I see that doesn't use addcslashes() or friends), or be putting your user input anywhere near an unchecked buffer (poorly-written C programs).
But enough of the rant. The non-rant portion of this message is that you might want to investigate separating your email address namespace and your username namespace. We do this, and it's quite nice.
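The comment above pairs plus-sign addresses with the point that user input should never be interpreted as SQL. As an added example (not code from the thread or from any poster's system), this sketch stores such addresses through bound parameters and recovers the tag an address was registered under. The function names, table layout and sample addresses are assumptions made for illustration, and the `+` delimiter follows the convention described in the comment.

```python
import sqlite3

# Constructed sample sign-ups; the first three forms come from the comment above.
SAMPLE = [
    "lastname+sybase@domain.com",
    "lastname+amazon@domain.com",
    '"FirstName LastName"@domain.com',
    "o'brien+news@domain.com",   # apostrophe would break a concatenated query
]

def split_address(addr):
    """Split on the last '@' so the domain is always what follows it."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("missing local part or domain: %r" % addr)
    return local, domain.lower()

def split_subaddress(local, delimiter="+"):
    """Return (mailbox, tag) for the user+tag convention; tag is None if absent."""
    if local.startswith('"'):      # quoted local part: treat as opaque
        return local, None
    mailbox, sep, tag = local.partition(delimiter)
    return mailbox, (tag if sep else None)

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE signup "
               "(local_part TEXT, domain TEXT, mailbox TEXT, tag TEXT)")
    return db

def record_signup(db, addr):
    local, domain = split_address(addr)
    mailbox, tag = split_subaddress(local)
    # '?' placeholders bind values as data, so no escaping or character
    # filter is needed for '+', quotes, spaces or apostrophes.
    db.execute("INSERT INTO signup VALUES (?, ?, ?, ?)",
               (local, domain, mailbox, tag))

def tag_for(db, rcpt):
    """Tag under which a recipient address was registered, or None."""
    local, domain = split_address(rcpt)
    row = db.execute(
        "SELECT tag FROM signup WHERE local_part = ? AND domain = ?",
        (local, domain)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = open_store()
    for address in SAMPLE:
        record_signup(db, address)
    print(tag_for(db, "lastname+amazon@domain.com"))
```

Looking up the recipient address of an unsolicited message with `tag_for` shows which sign-up the address was handed to.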