Educause Security Discussion mailing list archives
Re: username / PIN restrictions for new accounts
From: Ken Connelly <Ken.Connelly () UNI EDU>
Date: Wed, 9 Mar 2011 18:10:08 -0500
Any chance you can consider using an e-mail address for the "username"? That's obviously going to be longer than 9 characters, but would most certainly help in avoiding unintentional collisions.

- ken

On 3/9/11 5:46 PM, Kevin Shalla wrote:
We have a web application for admission that has a limit of 9 characters for the username and a 6 digit PIN. There aren't any restrictions on what the PIN can be, except that it's numeric and is 6 digits. While we haven't discovered any instances of applicants intentionally intruding on the data of others, we've had many problems where a person logs into another's account accidentally and starts updating all the data (unaware that that is what is happening). We're working on making the login Web page more obvious (enter a username and PIN if you've been here before, otherwise click this other link to create a new account), but also want to make these collisions less frequent by restricting what can be used for the PINs. We noticed that one PIN is far and away more popular than any other, so we decided to prohibit it from new accounts. We want to make the restrictions loose (and minimize user frustration), but want to prevent someone from blithely entering a username and PIN (figuring that he's creating a new account, but actually trying to log in to an existing account) and stumbling into another's account. If the applicant either chooses a username not in use or doesn't guess the PIN for the username we're okay, but we've had too many instances of collisions. I thought that we should prohibit the PIN from equaling the username, and it turns out that we've got a few thousand of those, but there's probably a better strategy. What do you suggest?
--
- Ken
=================================================================
Ken Connelly
Associate Director, Security and Systems
ITS Network Services
University of Northern Iowa
email: Ken.Connelly () uni edu
p: (319) 273-5850 f: (319) 273-7373
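The checks discussed in the thread, written out as an added example (this is editor-supplied code, not code from Kevin's admissions application or from Ken): the 9-character username and 6-digit numeric PIN limits from the original post, the two audits Kevin describes (which PIN is far and away the most popular, and how many accounts have a PIN equal to the username), and a new-account policy that rejects those patterns. The account table, the PIN values in it, the `blocked_pins` set and the separate `register`/`login` functions are all assumptions constructed for illustration; the post names neither the popular PIN nor the application's actual login logic.

```python
"""Added example: PIN policy and audits for a 9-char username / 6-digit PIN login.
Not from the original thread; all account data below is constructed."""
import re
from collections import Counter

USERNAME_MAX_LEN = 9                # limit stated in the original post
PIN_RE = re.compile(r"[0-9]{6}")    # PIN is numeric and exactly 6 digits

# Constructed sample of existing accounts (username -> PIN). The repeated PIN and
# the PIN-equals-username rows mimic the patterns the post reports; not real data.
EXISTING_ACCOUNTS = {
    "jdoe1": "445566",
    "asmith": "445566",
    "bchen22": "445566",
    "123456": "123456",   # PIN equals username
    "mlopez": "902117",
    "777777": "777777",   # PIN equals username
    "kpatel9": "310482",
}


def most_popular_pins(accounts, top=1):
    """Frequency table of PINs in use. This is the kind of count that surfaces
    the single most popular PIN the post decided to prohibit for new accounts."""
    return Counter(accounts.values()).most_common(top)


def accounts_with_pin_equal_username(accounts):
    """Audit for the rule the post proposes: PIN must not equal the username."""
    return sorted(u for u, p in accounts.items() if u == p)


def pin_policy_errors(username, pin, accounts, blocked_pins):
    """Rules applied when creating a *new* account.
    Returns the reasons for rejection; an empty list means the pair is accepted.
    `blocked_pins` is a hypothetical set, e.g. the top PIN(s) from the audit."""
    errors = []
    if not 1 <= len(username) <= USERNAME_MAX_LEN:
        errors.append(f"username must be 1-{USERNAME_MAX_LEN} characters")
    if username in accounts:
        # Account creation must never fall through to someone else's record.
        errors.append("username already in use")
    if not PIN_RE.fullmatch(pin):
        errors.append("PIN must be exactly 6 digits")
    else:
        if pin == username:
            errors.append("PIN must not equal the username")
        if pin in blocked_pins:
            errors.append("PIN is too common")
    return errors


def register(username, pin, accounts, blocked_pins):
    """Explicit create-account path (assumed design): an existing username is
    refused instead of the applicant being logged into that account."""
    errors = pin_policy_errors(username, pin, accounts, blocked_pins)
    if errors:
        return False, errors
    accounts[username] = pin
    return True, []


def login(username, pin, accounts):
    """Existing-account path: exact username/PIN match only."""
    return accounts.get(username) == pin


if __name__ == "__main__":
    blocked = {p for p, _ in most_popular_pins(EXISTING_ACCOUNTS)}
    print("most popular PIN:", most_popular_pins(EXISTING_ACCOUNTS))
    print("PIN == username:", accounts_with_pin_equal_username(EXISTING_ACCOUNTS))
    print(register("newuser", "445566", dict(EXISTING_ACCOUNTS), blocked))
    print(register("jdoe1", "528371", dict(EXISTING_ACCOUNTS), blocked))
```

The separation into `register` and `login` is the code-level form of the "two links" change Kevin mentions: once creation is its own path that refuses usernames already in use, an applicant who thinks they are creating an account cannot land in an existing one, and the PIN restrictions only have to cover the remaining case of a deliberate login attempt against the wrong username. If Ken's suggestion of e-mail addresses as usernames is adopted, the same checks apply with `USERNAME_MAX_LEN` raised accordingly.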
Current thread:
- username / PIN restrictions for new accounts Kevin Shalla (Mar 09)
- Re: username / PIN restrictions for new accounts Ken Connelly (Mar 09)