Educause Security Discussion mailing list archives

Re: Minimum userid character length


From: "Shalla, Kevin" <kshalla () UIC EDU>
Date: Thu, 28 Jan 2016 14:54:48 +0000

Our three campuses have different standards for username generation, ranging from automatically assigning based upon a 
formula (first initial + last name + number if not unique) to allowing a user to use anything that’s currently unused. 
I’m pushing for a standard that requires the username to be composed from name, with the person being allowed to 
choose from a list (containing parts of at least two parts of name (first, middle, last)). That would allow people to 
omit first name if they prefer middle name, or even omit last name for those who think they may change last name (like 
unmarried women) and wouldn’t want a username that would tie to the previous name.

We currently have silly usernames like gambler and titan that are unrelated to the person’s name, and so convey no 
information to users of the username (everyone except the owner). Given that the owners are not really the main users 
of their own username (the main users are access administrators, e-mailers, etc.), it wastes staff time if users are 
allowed to choose non-name-based usernames.

Kevin Shalla
Academic and Enrollment Services
University of Illinois at Chicago

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Antonio 
Crespo
Sent: Thursday, January 28, 2016 8:46 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Minimum userid character length

I see this as security through obscurity.  The longer the username, the harder it may be to find a valid username and 
attack actual accounts.  However, that requires obscurity everywhere and I'm not sure how much complexity it adds since 
a lot of institutions have public directories of users, and many email providers allow email address harvesting attacks.

For our students, we mirror Columbia's username consisting of initials plus an arbitrary number.

For Faculty and Staff we use a 7 digit combination of names to make the accounts easier to remember.


--

Best Regards,

Antonio Crespo
Senior Director, IT Security
Barnard College

"Passwords are like toothbrushes: don’t share them, and change them periodically!"


On Thu, Jan 28, 2016 at 8:14 AM, Carroll, Tim <Carrolltd () roanestate edu> wrote:
John,

Roane State created a standard for assigning user names, and it is spelled out in our procedures documents.  It is last 
name, first and middle initial and then a sequence number where duplicates arise.  Mine for example is carrolltd. This 
is done automatically when an employee is added to our HR system… it is the same for students when accepted and 
enrolled.

Regards,

Tim
Tim Carroll
Assistant Vice President and Chief Information Officer
Information Technology
Roane State Community College
carrolltd () roanestate edu
865-882-4560

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of John Elliott
Sent: Wednesday, January 27, 2016 8:23 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Minimum userid character length

Hello Community,
  It looks like the topic of security related to username length has been hotly debated in some 
circles<http://security.stackexchange.com/questions/46875/why-is-there-a-minimum-username-length>. From my reading the 
danger is in being likely to receive more spam, thus more exposure to phishing etc. Though this is security related I 
don't think it's strictly less secure. That said, I have a negative gut reaction to single letter usernames as well and 
don't have any objection to implementing a minimum username length requirement so long as there is *some* basis for the 
character limit. I have the same negative gut reaction to arbitrarily choosing a minimum as well. What does your 
institution recommend to their users?
Thanks,

~John Elliott

John Elliott
Security Team Lead / Systems Administrator - A.I.S.
California College of the Arts
Phone: 415.551.9228
Zoom Personal Meeting URL: https://cca.zoom.us/j/3677415794
technology.cca.edu | Email: jelliott () cca edu

For technical support, contact the ETS Helpdesk:
Phone: 510.594.5010 | Fax: 510.594.3758
helpdesk.cca.edu | Email: helpdesk () cca edu
