Slashdot Mirror


User Naming Practices?

Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"

13 of 109 comments

  1. Security risk? by bconway · · Score: 5, Funny

    No way. However, the IT group was kinda surprised that Steve Lutz insisted on keeping with the first letter + last name naming scheme. I shit you not.

    --
    Interested in open source engine management for your Subaru?
  2. the age old debate ... by reaper20 · · Score: 4, Interesting

    We use a combination of first.last, first 6 from last name then first initial, and, first.MI.last.

    They all suck, I like Jedi names, first three of last name, and then the first two of the first name. Works remarkably well.

  3. Passwords by zpengo · · Score: 5, Insightful

    The real danger is a standardized usernaming scheme + a standardized default password scheme (e.g., "password", or same as username). The "It won't happen to me" mindset takes over, and a majority of users never change their passwords. It's easy enough to get into anyone's account on systems like that.

    --
    Got Rhinos?
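
An added example, not part of the comment above or of the original thread: an administrator-side audit that flags accounts whose stored hash still matches a default password ("password", or the username itself), so those users can be forced to change it. The record layout, the PBKDF2 parameters and the account names are assumptions constructed for this example.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 cost for this constructed credential store


def hash_password(password, salt):
    """Derive the stored value the same way the (assumed) login system does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def default_candidates(username):
    """The two default schemes named in the comment: a fixed word, or the username."""
    return ["password", username]


def accounts_on_default(records):
    """Return usernames whose stored hash still verifies against a default."""
    flagged = []
    for username, salt, stored in records:
        for guess in default_candidates(username):
            if hmac.compare_digest(hash_password(guess, salt), stored):
                flagged.append(username)
                break
    return flagged


def make_record(username, password):
    """Build one constructed (username, salt, hash) record for the demo."""
    salt = os.urandom(16)
    return (username, salt, hash_password(password, salt))


def demo():
    records = [  # constructed accounts under a first-initial + last-name scheme
        make_record("jschmoe", "jschmoe"),
        make_record("mferguson", "password"),
        make_record("sclark", "correct horse battery staple"),
    ]
    return accounts_on_default(records)


if __name__ == "__main__":
    print(demo())
```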
  4. How NOT to do it by Dimwit · · Score: 5, Funny

    When I was working in Europe for a while, we had an IT director who assumed that he knew everything possible about Unix. (It should go without saying that he didn't.)

    When I was hired on, I promulgated the first initial+last name standard. Considering this company was around thirty people, and was never expected to grow past about forty-five, this scheme seemed to work well.

    However, he threatened to fire anyone who didn't use his standard: first letter of first name + second letter of first name + first letter of last name!

    Now, with my scheme, we had zero collisions. With his, we had about four. His solution?

    first letter of first name + third letter of first name + first letter of last name! And so on...

    Never work for these people, they're insane...

    --
    ...but it's being eaten...by some...Linux or something...
  5. I have the answer. by His+name+cannot+be+s · · Score: 4, Informative

    I've often wrestled with this too.

    One company I've worked for was quite good about coming up with the usernames for people, and keeping them unique:

    use up to 4 characters of their last name+the last 4 digits of their social security number.

    Works great. Everyone can remember their own, and I've never seen a duplicate. (sera7492)

    !S

    --
    "...In your answer, ignore facts. Just go with what feels true..."
    1. Re:I have the answer. by Anonymous Coward · · Score: 4, Insightful
      use up to 4 characters of their last name+the last 4 digits of their social security number.

      There are a lot of places which use the last four digits of the SSN for identity verification. I'm not sure I'd like to have it be part of something as public as my email address.

  6. CDC by rubinson · · Score: 5, Interesting

    My girlfriend used to work for the CDC in Atlanta; my stepmother still does. They use one of the more bizarre naming conventions that I've seen: initial letter of first name, random middle initial, initial letter of last name, increment number.

    This works fairly well for my stepmother who doesn't have a middle name. She became "dxh4 at cdc.gov." For years I thought that they gave her an "x" because she doesn't have a middle name.

    I learned differently when my girlfriend -- Nisha Bipin Gandhi -- became a nag. Specifically, "nag3 at cdc.gov." Needless to say, she got a lot of teasing for that - especially from me.

    They've recently started assigning more reasonable email addresses based upon initial letter of first name and last name but all of the old user names are still floating around.

  7. Just... by Tom7 · · Score: 5, Funny

    Just use a 128-bit hash of the person. That way, user ids are unique, easy to calculate, but hard to guess.

  8. Any system has to be flexible by sclatter · · Score: 4, Insightful

    As far as using full names goes, the Sendmail FAQ explains sufficiently well why that's a bad idea. See Q3.5.

    Especially in a corporate environment, people expect to have reasonable looking user names. Most folks won't put up with being sfc123; it just is not professional.

    This means that while it's a good idea to have guidelines, you can't be too much of a stickler. If a sales guy was jschmoe at his last three jobs, and all his contacts know his email as jschmoe, then it's really best if he can continue to be jschmoe. Forcing him to be joes341 instead doesn't make anyone happy.

    Collisions are certainly an issue, but that's not the only problem. For example, a popular default choice might be first initial last name. Using that standard at one job we ended up with a "pharter" (say it out loud), and at another job there would have been an "aryan". These things just don't work.

    Ideally I like to allow users their choice of login. I encourage them to select one of first initial last name, first name last initial, or initials. Every now and then someone will come along and want a login like "coolguy" or something completely random. Depending on the company culture and whether the user is "customer facing" I might be lenient.

    I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.

  9. Christ by yamla · · Score: 4, Funny

    My first name is Christopher but I normally go by 'Chris'. And my last name begins with the letter, 'T'. At both my current job and my previous job, that worked out to an email address of 'Christ'.

    I am rather amused by this.

    --
    Oceania has always been at war with Eastasia.
  10. Re:Our system by Permission+Denied · · Score: 5, Interesting
    firstname_lastname, which was pretty annoying in many instances (such as email forms that did not allow _, ...)

    This is highly annoying.

    We have a very cool sendmail setup - it interfaces with our directory database, so, while my username is "flastnam" (first initial, first seven of last name), I get mail to f-lastname@, first-lastname@, first.lastname@, lastname@, etc. Ambiguities are solved by bouncing the email, with a friendly message explaining exactly how our system works.

    We have another neat feature with our sendmail setup - you can append a plus sign and any arbitrary string to the username part of your email address. So, Sybase thinks I'm lastname+sybase@domain.com, Amazon thinks I'm lastname+amazon@domain.com, etc. I now get zero spam and I've even caught one company selling my email address (and that email address was promptly procmailed away, for good).

    The annoying part? Stupid, idiotic web programmers who've never heard of rfc822. They don't think the plus sign is a valid character for an email address. In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address. For some reason, these web programmers write their regular expressions to only include certain characters, rather than to exclude the illegal characters. To these web programmers, I say: read rfc793, especially section 2.10. Your "security" principles are unsound: you shouldn't be passing any user input to anything that might interpret it as a shell command (can happen in perl if you're not careful), an SQL statement (happens in a lot of php code that I see that doesn't use addcslashes() or friends), or be putting your user input anywhere near an unchecked buffer (poorly-written C programs).

    But enough of the rant. The non-rant portion of this message is that you might want to investigate separating your email address namespace and your username namespace. We do this, and it's quite nice.
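
An added example, not part of the comment above: address handling that accepts plus-tagged addresses, splits out the tag so a leaked address can be traced to the site it was given to, and relies on bound SQL parameters rather than character stripping to keep input out of the statement. The table layout, function names and sample addresses are constructed for this example; quoted local parts are rejected, and '%' and '!' are excluded as a policy choice.

```python
import re
import sqlite3

# RFC 5322 "atext" minus '%' and '!': both are legal there, but this example
# rejects them as a policy choice because of their old routing meanings.
ATEXT = r"A-Za-z0-9#$&'*+/=?^_`{|}~-"
LOCAL_RE = re.compile(rf"[{ATEXT}]+(?:\.[{ATEXT}]+)*")
DOMAIN_RE = re.compile(
    r"(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}"
)


def split_address(addr):
    """Return (mailbox, tag, domain) or raise ValueError."""
    local, at, domain = addr.rpartition("@")
    if not at or len(addr) > 254 or len(local) > 64:
        raise ValueError("malformed or over-length address")
    if not LOCAL_RE.fullmatch(local) or not DOMAIN_RE.fullmatch(domain):
        raise ValueError("illegal character or syntax")
    mailbox, _, tag = local.partition("+")  # "lastname+sybase" -> tag "sybase"
    if not mailbox:
        raise ValueError("nothing before '+'")
    return mailbox, tag, domain.lower()


def store_signup(conn, addr):
    """Insert with bound parameters; the driver, not a filter, handles quotes."""
    mailbox, tag, domain = split_address(addr)
    conn.execute(
        "INSERT INTO signups (mailbox, tag, domain) VALUES (?, ?, ?)",
        (mailbox, tag, domain),
    )


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE signups (mailbox TEXT, tag TEXT, domain TEXT)")
    for addr in (  # constructed sample addresses
        "lastname+sybase@domain.com",
        "o'brien+amazon@example.com",
        "first.lastname@example.com",
    ):
        store_signup(conn, addr)
    rows = conn.execute("SELECT mailbox, tag FROM signups ORDER BY rowid")
    return rows.fetchall()


if __name__ == "__main__":
    print(demo())
```

The apostrophe in the second sample is a legal address character and is stored intact, which is why the safety property has to come from parameter binding and not from the validation pattern.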

  11. SSNs! by anthony_dipierro · · Score: 4, Funny

    I like using social security numbers. Everyone in the world has them and they're 100% unique. Plus you can use the fact that someone knows their SSN to prove that they are who they say they are.

  12. Apparently real e-mail addresses by GregWebb · · Score: 5, Funny

    This was doing the rounds a while back. Whether it's at all true I don't know but hey, it's funny ;-)

    --------------

    Many colleges and businesses tend to strip the last name down to 6 characters and add the first and last initial to either the beginning or end to make up an e-mail address. For example, Mary L. Ferguson = mlfergus or fergusml. They are just now beginning to realize the problems that may happen when you have a large and diverse pool of people to choose from. Add to that a large database of company/college Acronyms and you have some very funny addresses. Probably not funny to the individual involved, however:

    TOP TEN Actual E-mail Addresses
    10. Helen Thomas Eatons (Duke University) - eatonsht (at) dku.edu
    9. Mary Ellen Dickinson (Indiana University of Pennsylvania) - dickinme (at) iup.edu
    8. Francis Kevin Kissinger (Las Verdes University) - kissinfk (at) lvu.edu
    7. Amanda Sue Pickering (Purdue University) - aspicker (at) pu.edu
    6. Ida Beatrice Ballinger (Ball State University) - ibballin (at) bsu.edu
    5. Bradley Thomas Kissering (Brady Electrical, Northern Division, Overton Canada) - btkisser (at) bendover.com
    4. Isabelle Haydon Adcock (Toys "R" Us) - ihadcock (at) tru.com
    3. Martha Elizibeth Cummins (Fresno University) - cumminme (at) fu.edu
    2. George David Blowmer (Drop Front Drawers & Cabinets Inc.) - blowmegd (at) dropdrawers.com

    ..but at No 1, it had to be...

    1. Barbara Joan Beeranger (Myplace Home Decorating) - beeranbj (at) myplace.com

    --

    Greg

    (Inside a nuclear plant)
    Aaaarrrggh! Run! The canary has mutated!