WebApp Sec mailing list archives
Re: User ID generation
From: Scovetta Labs <security () scovettalabs com>
Date: Thu, 14 Apr 2005 00:25:53 -0400
Jason,

You could probably get by with skipping a random number between 100 and 1000 in between each UserID that gets created. You could also just use a hash of the number, but I assume that the users will have to know (and use) their UserID. In that case, I would question why the numbers at all? Wouldn't a chosen username (or one based on their name) be better? The UserID could still be used on the back-end, and the chance of a DoS goes away.

The random string would work, but would be (a) hard to remember, and (b) no better than a hash of a sequential number + salt.

You can determine the keyspace requirements by:

  M = maximum number of users
  P = chance of guessing a valid UserID (brute force)
  K = number of guesses one could expect before being noticed

Then the keyspace would need to be at least M*K/P.

You're probably going to have something like M=10000, P=0.0001, K=1000, so the keyspace size is 100 billion, or about 37 bits.

-Mike

Jason binger wrote:
| I have a customer that generates UserIDs as numbers
| sequentially for a critical application. They
| implement account lockout and I am concerned that
| someone could launch a DoS and lock out all the user
| accounts.
|
| What would people recommend for a user ID generation
| method?
|
| I was thinking UserIDs should be randomly generated
| from a large alpha-numeric keyspace, but how big
| should the keyspace be?
| What would the size of the keyspace need to be if it
| was only numeric?
|
| Any other thoughts appreciated.
|
| Cheers,

--
Michael Scovetta
Scovetta Labs
www.scovettalabs.com
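The sizing rule above (keyspace >= M*K/P) and the two ID schemes Mike mentions, worked through as an added example. This is not code from the thread or from any poster; the function names, the 32-symbol alphabet and the use of HMAC-SHA256 as the "hash of a sequential number + salt" are this example's own assumptions. The hit_probability check shows where the rule comes from: with M live IDs in a space of size S, K random guesses find one with probability roughly M*K/S, so keeping that below P needs S >= M*K/P.

```python
import hashlib
import hmac
import math
import secrets

# Constructed alphabet: 32 symbols with the ambiguous glyphs 0/O and 1/I/l
# removed, so each symbol carries exactly 5 bits and (byte % 32) is unbiased.
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"


def required_keyspace(max_users: int, p_guess: float, guesses: int) -> float:
    """Keyspace size S >= M*K/P, the rule of thumb from the thread.

    max_users: M, the most accounts the system will ever hold.
    p_guess:   P, the acceptable chance that an attacker finds a valid ID.
    guesses:   K, the number of guesses an attacker gets before being noticed.
    """
    if max_users <= 0 or guesses <= 0 or not (0 < p_guess < 1):
        raise ValueError("M and K must be positive and 0 < P < 1")
    return max_users * guesses / p_guess


def keyspace_bits(keyspace: float) -> int:
    """Smallest whole number of bits that covers the keyspace."""
    return math.ceil(math.log2(keyspace))


def id_length(keyspace: float, alphabet: str = ALPHABET) -> int:
    """Symbols needed so that len(alphabet) ** length >= keyspace."""
    return math.ceil(math.log(keyspace) / math.log(len(alphabet)))


def hit_probability(max_users: int, keyspace: float, guesses: int) -> float:
    """Chance that `guesses` uniformly random IDs hit at least one of M live IDs.

    Each guess lands on a valid ID with probability M / keyspace; one minus the
    probability of missing every time is the overall hit probability. This is
    the quantity the M*K/P rule is meant to keep below P.
    """
    miss = 1.0 - max_users / keyspace
    return 1.0 - miss ** guesses


def random_user_id(length: int, alphabet: str = ALPHABET) -> str:
    """Unpredictable ID drawn with the OS CSPRNG (the 'random string' option)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hashed_user_id(sequence_no: int, secret_key: bytes, length: int,
                   alphabet: str = ALPHABET) -> str:
    """ID derived from the sequential number with a keyed hash (assumed here as
    the 'hash of a sequential number + salt' option). The key must stay secret:
    an unkeyed hash of a small counter can be enumerated just like the counter.
    """
    msg = sequence_no.to_bytes(8, "big")
    digest = hmac.new(secret_key, msg, hashlib.sha256).digest()
    if length > len(digest):
        raise ValueError("length exceeds digest size")
    # 256 is divisible by 32, so byte % 32 maps uniformly onto the alphabet.
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])


def sequential_lockouts(max_users: int, guesses: int) -> int:
    """With sequential numeric IDs every guess names a real account, so an
    attacker with K guesses can lock out min(K, M) accounts: the DoS in the
    original question."""
    return min(guesses, max_users)


if __name__ == "__main__":
    M, P, K = 10_000, 0.0001, 1_000          # the example values from the thread
    space = required_keyspace(M, P, K)
    n = id_length(space)
    print(f"keyspace >= {space:.3g} ({keyspace_bits(space)} bits): "
          f"{n} symbols from a {len(ALPHABET)}-symbol alphabet")
    print("hit probability after K random guesses:",
          hit_probability(M, len(ALPHABET) ** n, K))
    print("accounts locked out after K guesses at sequential IDs:",
          sequential_lockouts(M, K))
    print("random ID:", random_user_id(n))
    print("hashed ID:", hashed_user_id(42, secrets.token_bytes(32), n))
```

For M=10000, P=0.0001 and K=1000 this gives a 37-bit space, which an 8-symbol ID from the 32-symbol alphabet covers with room to spare (about 40 bits), and the hit probability after 1000 guesses comes out near 10^-5. The hashed variant is only as unguessable as its key, so either keep that key out of the database that holds the IDs or use the random variant and store the mapping to the internal sequential number on the back end.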
Current thread:
- User ID generation Jason binger (Apr 13)
- RE: User ID generation Andrew van der Stock (Apr 13)
- RE: User ID generation Thomas Ng (Apr 13)
- Re: User ID generation Scovetta Labs (Apr 13)
- Re: User ID generation Andi McLean (Apr 14)
- Re: User ID generation Adam K (Apr 18)
- Re: User ID generation Scovetta Labs (Apr 18)
- Re: User ID generation Andi McLean (Apr 14)
- Re: User ID generation Paul M. (Apr 18)
- <Possible follow-ups>
- RE: User ID generation Murtland, Jerry (Apr 18)
- Re: User ID generation Andi McLean (Apr 18)
- Re: User ID generation Lucas Holt (Apr 20)
- Re: User ID generation Andi McLean (Apr 18)
- RE: User ID generation Andrew van der Stock (Apr 13)