Slashdot Mirror
User Naming Practices?
Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"
We've recently changed from a scheme to the .<last name> scheme, and it's generally been a pain because of 1) the extra typing, and 2) we now must know exactly how to spell those long and difficult last names, instead of just needing to memorize the beginning six letters.
As for a security issue, I would say the <first name>.<last name> scheme would make it easier to get back at a certain individual, but not so practical for automated actions. For instance, if your least-favorite person in the world is at john.doe@company.com, it would be easy to direct every piece of SPAM into the world to his email box with only the basic knowledge that he works at company.com.
Punctanym: alternate spelling of words using punctuation or numerals in place of some or all of its letters; see 'leet'
No way. However, the IT group was kinda surprised that Steve Lutz insisted on keeping with the first letter + last name naming scheme. I shit you not.
Interested in open source engine management for your Subaru?
Employee number. Benefits: Unique, ties into company systems. Drawbacks: Difficult to remember (especially if your not the relevant employee).
Some combo of the employees name: e.g. initialsurname: mpacey (me). Benefits: Easy to remember, even if your not the employee. Drawbacks: duplicates - jsmith (though you can always have jsmith001-999.
I know of no other systems that I'd consider useful for large numbers of users.
Yours Sincerely, Michael.
A community Freenet i am a member of uses sequential userid's in the aa001-zz999. it becomes really easy to spam members as all you have to do is vrite a looping incramental script and you can hit 60,000+ id's
:)
at work im the first 6 chars of my last name 1st initial. it works, except for the boogerj@..
Set up an e-mail account for every domain owner. Use a password based solely on the domain name. Mass e-mail everyone to let them know, and make sure it's "opt-out" rather than "opt-in". Sit back and watch the wackiness.
You are in a maze of twisty little passages, all alike.
We use a combination of first.last, first 6 from last name then first initial, and, first.MI.last.
They all suck, I like Jedi names, first three of last name, and then the first two of the first name. Works remarkably well.
Eons ago (1997 ish) I helped my company get internet email. We went with first letter+lastname. Except for this lady "Sridevi Sureshbabu", we thought it would be a little awkward for her to type ssureshb (Lotus having an 8char limit) so we just made her name sridevi. Sure enough, she complained that her name was different from everybody else's. Most geeks I know these days used to consider having just firstname@company.com be a badge of honor!
I am the co-director of my schools tech dept.
We have around 500 students tops. We use lastname_first-name. Mine being an exception, strunk_l , because I added it to the user list cause I am so lazy and log into to many machines in one day.
Also, we didn't standardize early, and many teachers where using last_first-initial to begin with, and since many teachers are very computer illiterate, we decided not to change it. All the students use the last_first though.
It has some problems, such as having two Mrs. Yeagers. So we have Yeager_C1 & Yeager_C2
What I would like to do when update the servers this summer is a better naming convention. I would like Department_Last_First-initial.
Example being Art_Henry_J Although that is what first comes to mind, I may think of a better one soon.
The real danger is a standardized usernaming scheme + a standardized default password scheme (e.g., "password", or same as username). The "It won't happen to me" mindset takes over, and a majority of users never change their passwords. It's easy enough to get into anyone's account on systems like that.
Got Rhinos?
-my school uses initials + two digits (William J Clinton -> wjc33)
-the CS dept systems use [u|g] (meaning undergrad or grad) + first initial, lastname, max N chars (uwclinto, uwclint2)
-there's the popular first initial, last name, digits as appropiate, up to N chars (wclinton, wclinto2)
-i've also seen first initial, middle initial, last name (all up to 6 chars), then a 2 digit number as appropriate (wjclin, wjclin2, wjclin11)
I've never seen first.m.last as login names in actual practice. I have seen them used as aliases for email addressing, but not the actual loginname.
as for which is the best scheme, it really depends on the size of the organization, IMO, and the size limit on the username field. If anything, that size limit will be what makes it tough.
As for usernames causing a potential security risk, one thing you can do is disable direct root login (ie, require su, even at the console), then log who's using su.
Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)
Lastly, always change default passwds and, if appropriate, disable guest logins.
The One Rule Of Chess You'll Ever Need: Don't play someone who carries a kit in their bookbag.
When I was working in Europe for a while, we had an IT director who assumed that he knew everything possible about Unix. (It should go without saying that he didn't.)
When I was hired on, I promulgated the first initial+last name standard. Considering this company was around thirty people, and was never expected to grow past about forty-five, this scheme seemed to work well.
However, he threatened to fire anyone who didn't use his standard: first letter of first name + second letter of first name + first letter of last name!
Now, with my scheme, we had zero collisions. With his, we had about four. His solution?
first letter of first name + third letter of first name + first letter of last name! And so on...
Never work for these people, they're insane...
...but it's being eaten...by some...Linux or something...
I am a person who does not go by my actual first name. Indeed, the name I go by is not actually listed on my birth certificate. The first initial of the name I go by does not match the first letter of my first name, either (I go by Hank Zimmerman, and my name is actually Charles Zimmerman)
There are quite a few people like me. I always find it a problem when someone wants to use my first name as part of my log-in/email address.
In a business setting, it means explaining why the name in the email address does not match the name of the person they just met. For all contacts, it means that the person trying to email me needs to remember my *real* name.
If a system is put in place such as last_name.first_initial or first_name.last_name, do not simply go by the name listed according to the HR department.
- (c) 2018 Hank Zimmerman
I've often wrestled with this too.
One company I've workded for was quite good about comming up with the usernames for people, and keeping them unique:
use up to 4 characters of their last name+the last 4 digits of their social security number.
Works great. Everyone can remember their own, and I've never seen a duplicate. (sera7492)
!S
"...In your answer, ignore facts. Just go with what feels true..."
First, schools:
High-school: Only XTs. No network. No login. Only bootdisks.
College: Student number. The email was the same.
University:
Department is Initial+Lastname (eg, jdoe). The duplicates are labeled jdoe, jdoe1, etc.
Faculty is 3FirstLettersOfLastName+Initial+Number, as in doej01.
Lastly, the University introduced a campus-wide login. I think it involves the year in which you began to attend classes here, along with a variation of your name and a sequential number (along jdoe9901).
There's also a campus-wide email system, different from the previous, where the username is your student number, but you can choose an alias which is a variation of your name: jd1, johndoe, jdoe, doej, john.doe and maybe others.
Work places:
The first one was the same thing as my faculty (jdoe01).
The second one had the employee number to login, but you also had an alias for email based on your name. The translation from name -> alias wasn't constant, though, so you had to lookup in the employee list (~50000) to know the email address of somebody.
Lastly, another one was mostly only the firstname. The company wasn't very big (~250), and it wasn't uniform at all. I heard that it changed since I left, with emails being firstname.lastname, but I don't know about the usernames.
And of course, my own systems:
There's my normal user (firstname), and root. Although I'll probably change root for something meaner.
Those are my experiences with usernames. Hope it can help somebody find their best choice.
My company's scheme produces really sucky names.
I'd like to have the flexibility to pick my own username along the lines of short first name handles ("gus"), or 3 letter acronyms ("rtm"). But, no, we get a standardized way of butchering things into mostly unique but guaranteed unpronounceable gibberish.
It would be good if there was a web based client that allowed people to pick any unused, inoffensive name.
We have web based interfaces for helping to pick new passwords - why not usernames?
Finally, as networked directory services become more commonplace (LDAP, etc.) the username seems to have diminished importance to the position it had many years ago. Not such a big deal.
"Provided by the management for your protection."
My girlfriend used to work for the CDC in Atlanta; my stepmother still does. They use one of the more bizarre naming conventions that I've seen: inital letter of first name, random middle initial, initial letter of last name, increment number.
This works fairly well for my stepmother who doesn't have a middle name. She became "dxh4 at cdc.gov." For years I thought that they gave her an "x" because she doesn't have a middle name.
I learned differently when my girlfriend -- Nisha Bipin Gandhi -- became a nag. Specifically, "nag3 at cdc.gov." Needless to say, she got a lot of teasing for that - especially from me.
They've recently started assigning more reasonable email address based upon initial letter of first name and last name but all of the old user names are still floating around.
I used to work at a large medical institution. We had a large population of female employees, and as such had employees undergoing name changes quite frequently (marriage and divorice, etc). To overcome this issue we quit using last names in the username totally. We used the first 5 characters of the first name and a 3 digit sequence number.
This carries with it the problems of remembering your username, but with everyone wanting to keep their username matching their current last name, we were changing about 20 usernames a week on about 30 systems.
I have no sig, does anyone have one to spare?
Just use a 128-bit hash of the person. That way, user ids are unique, easy to calculate, but hard to guess.
Actually, you could just rename the account. The "home directory" still points to the same directory paths, but those are stored in the registry and can be tweaked if you really feel the need.
You cannot apply a technological solution to a sociological problem. (Edwards' Law)
They refused to give out usernames and passwords until we'd handed in a signed "I will not abuse these computers" form (signed by student if 18+ and able to sign legally binding documents, parent otherwise). Unfortunately, the usernames were (first initial)(last name) (e.g. jsmith) and the passwords were generated in a deterministic way from (IIRC) username + year of entry.
:-)
One of my friends only got round to handing the form in 6 months later, when the IT department noticed he'd never done so despite the fact that he'd logged in with his "secret" password and changed it rather quickly, then checked his mail daily
Another dumb IT department, at my previous school, handed out numeric (4-digit) passwords, which we couldn't change (we were locked out of the relevant Control Panel applet - this was on Win95 + MS Notworking). Someone happened to notice that they seemed to go up in alphabetical order, and put 2 and 2 together - it turned out they were our pupil numbers, as printed next to our names on the register. Since in my class the pupils did the register more often than the teacher (he taught Art, what can I say), that wasn't a great plan.
As far as using full names goes, the Sendmail FAQ explains sufficiently well why that's a bad idea. See Q3.5.
Especially in a corporate environment, people expect to have reasonable looking user names. Most folks won't put up with being sfc123; it just is not professional.
This means that while it's a good idea to have guidelines, you can't be too much of a stickler. If a sales guy was jschmoe at his last three jobs, and all his contacts know his email as jschmoe, then it's really best if he can continue to be jschmoe. Forcing him to be joes341 instead doesn't make anyone happy.
Collisions are certainly an issue, but that's not the only problem. For example, a popular default choice might be first initial last name. Using that standard at one job we ended up with a "pharter" (say it out loud), and at another job there would have been an "aryan". These things just don't work.
Ideally I like to allow users their choice of login. I encourage them to select one of first initial last name, first name last initial, or initials. Every now and then someone will come along and want a login like "coolguy" or something completely random. Depending on the company culture and whether the user is "customer facing" I might be lenient.
I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.
My first name is Christopher but I normally go by 'Chris'. And my last name begins with the letter, 'T'. At both my current job and my previous job, that worked out to an email address of 'Christ'.
I am rather amused by this.
Oceania has always been at war with Eastasia.
My company decided that my login wasn't good enough (set by an old standard), and changed it to fit the new standard. Unix handle it okay, but it took weeks to synchronize all the databases I use (bug reporting system, system outages reports, etc). There are still some databases that I cannot access, but I don't use them anymore and I'm tired of getting things changed. They can deal with the disk space they are taking up.
I haven't seen anyone use this yet but how about first init, last name, last 4 of phone number.
It makes it easy to remember, real hard to come up with duplicates and avoids the problems of Jeffrey Smith who "everyone calls" Jeff. As well as John T Smith and John A Smith which normally become the exceptions to the rule.
But there are still some things to take into consideration. The company I work for (or more specifically worked for before we got bought) had an employee named Pamel Enis. This is where their first init, last name convention went out the window.
The user names for students used to all start with an 's' and then 7 distincitve digits of the ID number (we have a 9-digit ID number here in Israel, first digit is always zero, last digit is checksum). Very secure scheme indeed. ;). Still, we have accounts such as 'sex', 'sexyguy', 'someone', 'site', and my personal favorite: 'sisadmin'.
However, a few years ago the system changed to allow users to pick any login of up to 8 letters starting with 's' when they open their account. They were smart enough to disallow account names starting with 'sys' (I know, I tried
Luckily, grad students are not required to start their login with an 's'.
Make even shorter URLs - 8LN.org
Assume that the person is John Doe, and their extension is #1234. Then you'd take first initial, last initial, and the extension - jd1234. Should be basically unique, and if you know the person's name and phone number, its easy to guess the email address.
I like using social security numbers. Everyone in the world has them and they're 100% unique. Plus you can use the fact that someone knows their SSN to prove that they are who they say they are.
My solution might look something like this (assuming that the employee ID is 6 digits long):
- construct nine lists of plant and animal names, 10 names in each list, total of 90 names lists
- select one plant list and one animal list using the first two digits of the ID
- select a plant name using digit 3 of the ID
- select an animal name using digit 4 of the ID
- digit 5 is used directly in the username
- use the final digit of the ID to determine how to combine the two names and the digit to form the username.
The resulting usernames (looking something like rose5dog or 3cowdaisy ) will be reasonably memorable, guaranteed unique and moderately hard to guess by a dictionary attack.If security is not a concern, however, I would go for the path of least user anoyance and let user's select their names with some feedback from the admin staff (in case the name is already in use or is, somehow, obviously offensive). I don't see any good reason why I shouldn't be able to have dutky or, at worst, jsdutky as my username (I can guarentee that I am the only J.S.Dutky on the planet, so what's the problem?)
This was doing the rounds a while back. Whether it's at all true I don't know but hey, it's funny ;-)
--------------
Many colleges and business's tend to strip the last name down to 6 characters and add the first and last initial to either the beginning or end
to make up an e-mail address. For example, Mary L. Ferguson = mlfergus or fergusml. They are just now
beginning to realize the problems that may happen when you have a large and diverse pool of people to choose from. Add to that a large database of
company/college Acronyms and you have some very funny addresses. Probably not funny to the individual involved, however:
TOP TEN Actual E-mail Addresses
10. Helen Thomas Eatons (Duke University) - eatonsht (at) dku.edu
9. Mary Ellen Dickinson (Indiana University of Pennsylvania) - dickinme (at) iup.edu
8. Francis Kevin Kissinger (Las Verdes University) - kissinfk (at) lvu.edu
7. Amanda Sue Pickering (Purdue University) - aspicker (at) pu.edu
6. Ida Beatrice Ballinger (Ball State University) - ibballin (at) bsu.edu
5. Bradley Thomas Kissering (Brady Electrical, Northern Division, Overton
Canada) - btkisser (at) bendover.com
4. Isabelle Haydon Adcock (Toys "R" Us) - ihadcock (at) tru.com
3. Martha Elizibeth Cummins (Fresno University) - cumminme (at) fu.edu
2. George David Blowmer (Drop Front Drawers & Cabinets Inc.) - blowmegd (at) dropdrawers.com
..but at No 1, it had to be...
1. Barbara Joan Beeranger (Myplace Home Decorating) - beeranbj (at) myplace.com
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!
No, I knew I'd moderated, just not in that thread and I wasn't warned before posting.
Greg
(Inside a nuclear plant)
Aaaarrrggh! Run! The canary has mutated!