Re: sequential number user name convention - security concern



humbleFunGuy <imohammed786@xxxxxxxxxxx> wrote:

> I am wondering if there is any article or best practice on how to
> select a convention for user names. We are in the planning stages of
> setting up a convention for user names for our company. These user
> names will be used for all employees. We have a lot of employees.
>
> We are considering using the following convention: Assume my company
> is General Electric.
>
> GE000000001
> GE000000002
>
> So all the usernames will be sequential.
>
> I have a security concern with this approach. One can easily write code
> to sequence through user names and attempt a brute force attack. Is
> this vulnerability about the same as if we select user names that
> follow a standard user name convention such as jsmith or gwbush, or is
> using sequential numbers as usernames more vulnerable?

In a well designed security system, this "vulnerability" is a phantasm.
If your security is bound to keeping user names secret, you're already
doomed. If it is possible, you should follow some naming convention,
which makes sense, or let the users choose their usernames themselves.
Security should come from a separate, secret, randomly-generated
password or other correct means of authentication, e.g. smartcards.


Greets,
Ertugrul.


--
nightmare = unsafePerformIO (getWrongWife >>= sex)
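
An added example, not part of the original post: since the reply's point is that user names cannot be treated as secrets, a defender's control has to work the same whichever naming convention is chosen. The sketch below flags any source that fails logins against many distinct user names in a short window. The event format, addresses, thresholds and the function name `flag_username_walkers` are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2008, 1, 1, 9, 0, 0)

def _ev(offset_s, src, user, ok=False):
    # Helper to build one constructed event: (timestamp, source, username, success).
    return (BASE + timedelta(seconds=offset_s), src, user, ok)

# Constructed sample authentication events (documentation IP ranges only).
SAMPLE_EVENTS = (
    # One source stepping through sequential IDs of the GE000000001 form.
    [_ev(10 * i, "203.0.113.10", f"GE{i:09d}") for i in range(1, 6)]
    # Another source guessing name-style accounts: same pattern, different convention.
    + [_ev(15 * i, "198.51.100.7", u)
       for i, u in enumerate(["jsmith", "gwbush", "adoe", "bjones"])]
    # An ordinary user mistyping a password twice, then succeeding.
    + [_ev(0, "192.0.2.5", "GE000000042"), _ev(20, "192.0.2.5", "GE000000042"),
       _ev(40, "192.0.2.5", "GE000000042", ok=True)]
    # Four distinct names, but one hour apart: outside the window, not flagged.
    + [_ev(3600 * i, "192.0.2.99", f"GE{100 + i:09d}") for i in range(4)]
)

def flag_username_walkers(events, window=timedelta(minutes=5), max_distinct=3):
    """Return sources with failed logins on more than max_distinct
    distinct user names inside any sliding window of the given length."""
    failures = defaultdict(list)
    for ts, src, user, ok in events:
        if not ok:
            failures[src].append((ts, user))
    flagged = set()
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Shrink the window from the left until it spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            if len({u for _, u in items[start:end + 1]}) > max_distinct:
                flagged.add(src)
                break
    return sorted(flagged)

if __name__ == "__main__":
    print(flag_username_walkers(SAMPLE_EVENTS))
```

The check keys on the source and the count of distinct names, never on the shape of the name, so sequential and name-based conventions are treated identically.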
