Re: username / PIN restrictions for new accounts

[Ken Connelly <Ken.Connelly () UNI EDU>]

Any chance you can consider using an e-mail address for the "username"? 
That's obviously going to be longer than 9 characters, but would most
certainly help in avoiding unintentional collisions.

- ken

On 3/9/11 5:46 PM, Kevin Shalla wrote:
> We have a web application for admission that has a limit of 9
> characters for the username and a 6 digit PIN.  There aren't any
> restrictions on what the PIN can be, except that it's numeric and is 6
> digits.  While we haven't discovered any instances of applicants
> intentionally intruding on the data of others, we've had many problems
> where a person logs into another's account accidentally and starts
> updating all the data (unaware that that is what is happening).
>
> We're working on making the login Web page more obvious (enter a
> username and PIN if you've been here before, otherwise click this
> other link to create a new account), but also want to make these
> collisions less frequent by restricting what can be used for the
> PINs.  We noticed that one PIN is far and away more popular than any
> other, so we decided to prohibit it from new accounts.  We want to
> make the restrictions loose (and minimize user frustration), but want
> to prevent someone from blithely entering a username and PIN (figuring
> that he's creating a new account, but actually trying to log in to an
> existing account) and stumbling into another's account.
>
> If the applicant either chooses a username not in use or doesn't guess
> the PIN for the username we're okay, but we've had too many instances
> of collisions.  I thought that we should prohibit the PIN from
> equaling the username, and it turns out that we've got a few thousand
> of those, but there's probably a better strategy.
>
> What do you suggest?

-- 
- Ken
=================================================================
Ken Connelly             Associate Director, Security and Systems
ITS Network Services                  University of Northern Iowa
email: Ken.Connelly () uni edu   p: (319) 273-5850 f: (319) 273-7373