WebApp Sec mailing list archives
RE: User ID generation
From: "Andrew van der Stock" <vanderaj () greebo net>
Date: Thu, 14 Apr 2005 09:10:30 +1000
Let the users select their usernames. Don't force them to use your scheme. That will introduce a great deal of randomness and make it next to impossible to brute force via an algorithm other than starting from "AAAAA" and working through. Don't let help desk staff trust the usernames, for surely the users will select "admin" or "root" given half a chance. This is documented in the latest version of the OWASP Guide 2.0a7, which you can get from here: http://www.greebo.net/owasp/ Look in the authentication section. As authentication often goes to SQL, LDAP or might be transmitted via XML web services, do not allow HTML, SQL, LDAP or XML special characters in the usernames: * & | < > @ % ( ) = . With the possible exception of ' which should be escaped correctly. The best bet is not to restrict by blacklisting, but validate by whitelisting. Ie, accept only: [A-z,0-9,_, ] The regex should be tested, not replacing with "safe" blanks - if they get it wrong, they try, try again until they get it right before their input touches your interpreters. Canocalize the input to ensure that there is no UTF or URL double (or n-deep) encodes. I also like to restrict usernames to 20 characters, enforced server side. It's possible to do SQL or LDAP injection in 20 characters, but what is possible is dramatically limited compared to longer strings. thanks, Andrew
-----Original Message----- From: Jason binger [mailto:cisspstudy () yahoo com] Sent: Tuesday, 12 April 2005 6:26 PM To: webappsec () securityfocus com Subject: User ID generation I have a customer that generates UserIDs as numbers sequentially for a critical application. They implement account lockout and I am concerned that someone could launch a DOS and lockout all the user accounts. What would people recommend for a user ID generation method. I was thinking UserIDs should be randomly generated from a large alpha-numeric keyspace, but how big should the keyspace be? What would the size of the keyspace need to be if it was only numeric? Any other thoughts appreciated. Cheers, __________________________________ Do you Yahoo!? Yahoo! Small Business - Try our new resources site! http://smallbusiness.yahoo.com/resources/
Current thread:
- User ID generation Jason binger (Apr 13)
- RE: User ID generation Andrew van der Stock (Apr 13)
- RE: User ID generation Thomas Ng (Apr 13)
- Re: User ID generation Scovetta Labs (Apr 13)
- Re: User ID generation Andi McLean (Apr 14)
- Re: User ID generation Adam K (Apr 18)
- Re: User ID generation Scovetta Labs (Apr 18)
- Re: User ID generation Andi McLean (Apr 14)
- Re: User ID generation Paul M. (Apr 18)
- <Possible follow-ups>
- RE: User ID generation Murtland, Jerry (Apr 18)
- Re: User ID generation Andi McLean (Apr 18)
- Re: User ID generation Lucas Holt (Apr 20)
- Re: User ID generation Andi McLean (Apr 18)
- RE: User ID generation Andrew van der Stock (Apr 13)