Re: Hiding last logon, all MS platforms, why or why not to do
- From: "Alun Jones [MS-MVP - Windows Security]" <alun@xxxxxxxxxxxxx>
- Date: Tue, 24 Oct 2006 13:35:57 -0700
"NewSecTech" <NewSecTech@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:1C6AC134-8CFB-4729-93E9-3F6D450EE432@xxxxxxxxxxxxxxxx
> I'd like to know the cons of hiding last user name in the logon dialog. The
> pros are obvious...why give away half the key to the castle? I'll be darned
> if I can think of one GOOD reason to leave it displayed. My company has rec'd
> a policy change recommendation, to blank it out, and they want the P's and
> C's of it. Hit me with both arguments if you wish...
The cons of this are more intellectual than technical - and you are
exhibiting the cons already.

You have a tendency to think of the username as "half the key". It is not.
It is a claim of identity. The password is a proof of that claim. The
username is a label on the key, to identify who it belongs to, if you must
use that analogy.

The operating system is designed with the requirement that the password is
secret, and with the assumption that the username is public.

Do not make any changes that make the assumption that your username is
secret, because you will give the impression that usernames are sufficient
as claim _and_ proof of identity - not for the Windows logon, obviously,
because that will require the password - but what about a user-designed
application or web service? Someone educated in a culture that assumes the
username to be secret may be tempted to act as if the username is secret,
and is therefore sufficient as an identifier and an authenticator.

Don't pretend that usernames are secret. They are public. Display them
every so often to remind people of this fact.
Alun.
~~~~
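The claim-versus-proof distinction made in the post above, as an added example that is not part of the original message: a user-designed service written both ways, one treating the username as identifier and authenticator, the other treating it as a public claim that needs a secret proof. All names here (`ACCOUNTS`, `weak_login`, `login`, `admitted_from_directory`) and the sample accounts are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os

def _derive(password: str, salt: bytes) -> bytes:
    # Slow, salted one-way function; the service stores this, never the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def _make_account(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "verifier": _derive(password, salt)}

# Constructed sample accounts (hypothetical users and passwords).
ACCOUNTS = {
    "alice": _make_account("correct horse battery staple"),
    "bob": _make_account("tr0ub4dor&3"),
}

def public_directory() -> list:
    # Usernames appear in mail addresses, share ACLs and logon dialogs:
    # the design assumes anyone can obtain this list.
    return sorted(ACCOUNTS)

def weak_login(username: str) -> bool:
    # Flawed design: the identity claim is accepted as its own proof.
    return username in ACCOUNTS

def login(username: str, password: str) -> bool:
    # Sound design: the username only selects which proof to check.
    account = ACCOUNTS.get(username)
    if account is None:
        return False
    candidate = _derive(password, account["salt"])
    return hmac.compare_digest(candidate, account["verifier"])

def admitted_from_directory(check) -> list:
    # Which accounts open for a caller who knows nothing but public names?
    return [name for name in public_directory() if check(name)]

if __name__ == "__main__":
    print("username as authenticator:", admitted_from_directory(weak_login))
    print("username as claim only:   ",
          admitted_from_directory(lambda n: login(n, n)))
```

Under the second design, hiding or displaying the username changes nothing about who gets in, which is the property the operating system's logon already has.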