Educause Security Discussion mailing list archives

Re: Minimum userid character length


From: Antonio Crespo <acrespo () BARNARD EDU>
Date: Thu, 28 Jan 2016 09:46:13 -0500

I see this as security through obscurity.  The longer the username, the
harder it may be to find a valid username and attack actual accounts.
However, that requires obscurity everywhere and I'm not sure how much
complexity it adds since a lot of institutions have public directories of
users, and many email providers allow email address harvesting attacks.

For our students, we mirror Columbia's username consisting of initials plus
an arbitrary number.

For Faculty and Staff we use a 7 digit combination of names to make the
accounts easier to remember.


--

Best Regards,

Antonio Crespo
Senior Director, IT Security
Barnard College

"Passwords are like toothbrushes: don't share them, and change them
periodically!"



On Thu, Jan 28, 2016 at 8:14 AM, Carroll, Tim <Carrolltd () roanestate edu>
wrote:

John,



Roane State created a standard for assigning user names, and it is spelled out
in our procedures documents.  It is last name, first and middle initial, and
then a sequence number where duplicates arise.  Mine, for example, is
carrolltd. This is done automatically when an employee is added to our HR
system… it is the same for students when accepted and enrolled.



Regards,



Tim

Tim Carroll

Assistant Vice President and Chief Information Officer

Information Technology

Roane State Community College

carrolltd () roanestate edu

865-882-4560



*From:* The EDUCAUSE Security Constituent Group Listserv [mailto:
SECURITY () LISTSERV EDUCAUSE EDU] *On Behalf Of *John Elliott
*Sent:* Wednesday, January 27, 2016 8:23 PM
*To:* SECURITY () LISTSERV EDUCAUSE EDU
*Subject:* [SECURITY] Minimum userid character length



Hello Community,

  It looks like the topic of security related to username length has been
hotly debated in some circles
<http://security.stackexchange.com/questions/46875/why-is-there-a-minimum-username-length>.
From my reading the danger is in being likely to receive more spam, thus
more exposure to phishing etc. Though this is security related I don't
think it's strictly less secure. That said, I have a negative gut reaction
to single letter usernames as well and don't have any objection to
implementing a minimum username length requirement so long as there is
*some* basis for the character limit. I have the same negative gut reaction
to arbitrarily choosing a minimum as well. What does your institution
recommend to their users?

Thanks,



~John Elliott



John Elliott
Security Team Lead / Systems Administrator - A.I.S.
California College of the Arts
Phone: 415.551.9228

Zoom Personal Meeting URL: https://cca.zoom.us/j/3677415794

technology.cca.edu | Email: jelliott () cca edu

*For technical support, contact the ETS Helpdesk:*
Phone: 510.594.5010 | Fax: 510.594.3758
helpdesk.cca.edu | Email: helpdesk () cca edu


