WebApp Sec mailing list archives

Re: User ID generation


From: Scovetta Labs <security () scovettalabs com>
Date: Thu, 14 Apr 2005 00:25:53 -0400


Jason,
You could probably get by with skipping a random number between 100 and 1000
in between each UserID that gets created. You could also just use a hash of the
number, but I assume that the users will have to know (and use) their UserID. In
that case, I would question why the numbers at all? Wouldn't a chosen username
(or one based on their name) be better? The UserID could still be used on the
back-end, and the chance of a DoS goes away.

The random string would work, but would be (a) hard to remember, and (b) no
better than a hash of a sequential number + salt.

You can determine the keyspace requirements by:
M = maximum number of users
P = chance of guessing a valid UserID (brute force)
K = number of guesses one could expect before being noticed

Then the keyspace would need to be at least M*K/P. You're probably going to have
something like M=10000, P=0.0001, K=1000, so the keyspace size is 100 billion,
or about 37 bits.


--Mike

Jason binger wrote:
| I have a customer that generates UserIDs as numbers
| sequentially for a critical application. They
| implement account lockout and I am concerned that
| someone could launch a DoS and lockout all the user
| accounts.
|
| What would people recommend for a user ID generation
| method?
|
| I was thinking UserIDs should be randomly generated
| from a large alpha-numeric keyspace, but how big
| should the keyspace be?
| What would the size of the keyspace need to be if it
| was only numeric?
|
| Any other thoughts appreciated.
|
| Cheers,
|


--
Michael Scovetta
Scovetta Labs
www.scovettalabs.com
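As an added example (not from the thread), the Python below works Mike's keyspace bound through for Jason's two questions (how long a numeric-only versus an alphanumeric UserID must be) and implements the "hash of a sequential number + salt" option as a keyed hash, so the sequence cannot be recovered from the IDs without the key. The secret key, alphabets and user counts are constructed values.

```python
import hmac
import hashlib
import math
import string
from fractions import Fraction

DIGITS = string.digits                          # numeric-only UserIDs
ALNUM = string.digits + string.ascii_uppercase  # case-insensitive alphanumeric

def required_keyspace(m_users, k_guesses, p_guess):
    """Lower bound from the post: keyspace >= M*K/P, as an exact integer.
    p_guess is passed as a string or Fraction so 0.0001 stays exactly 1/10000."""
    return math.ceil(Fraction(m_users) * k_guesses / Fraction(str(p_guess)))

def required_bits(keyspace):
    """Bits needed to address `keyspace` distinct IDs."""
    return (keyspace - 1).bit_length()

def required_length(keyspace, alphabet):
    """Shortest fixed-length ID over `alphabet` whose space is >= keyspace."""
    n, size = 0, 1
    while size < keyspace:
        size *= len(alphabet)
        n += 1
    return n

def guess_probability(m_users, k_guesses, alphabet, length):
    """Expected chance that K guesses hit one of M valid IDs (capped at 1)."""
    return min(Fraction(1), Fraction(m_users * k_guesses, len(alphabet) ** length))

def make_user_id(seq, secret, alphabet, length):
    """HMAC-SHA256 of the sequential number, truncated to `length` symbols.
    The secret key is the 'salt'; without it the mapping cannot be recomputed."""
    digest = hmac.new(secret, str(seq).encode(), hashlib.sha256).digest()
    value = int.from_bytes(digest, "big") % (len(alphabet) ** length)
    out = []
    for _ in range(length):
        value, r = divmod(value, len(alphabet))
        out.append(alphabet[r])
    return "".join(reversed(out))

def generate_ids(count, secret, alphabet, length):
    """IDs for sequence numbers 1..count; a truncated hash can collide, so
    the back-end must check uniqueness on insert rather than assume it."""
    ids = {}
    for seq in range(1, count + 1):
        uid = make_user_id(seq, secret, alphabet, length)
        if uid in ids:
            raise ValueError(f"collision at seq {seq}; use a longer ID")
        ids[uid] = seq
    return ids
```

With Mike's figures (M=10000, K=1000, P=0.0001) the bound is 10^11, i.e. 37 bits, which is 11 digits numeric-only or 8 characters over 0-9A-Z.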

