WebApp Sec mailing list archives
RE: User ID generation
From: "Murtland, Jerry" <MurtlandJ () Grangeinsurance com>
Date: Thu, 14 Apr 2005 13:29:09 -0400
Whilst talking about usernames, I was wondering what people's thoughts were on the following scheme. The user's date of birth, selected from drop-down boxes, and entering a 4-digit random number, selected by the system, so usernames are unique.

_________________________________________________

Andi,

I would think that if your goal is to make your user names practically undetectable, then you would succeed. However, IMHO there are a couple of reasons why this may not be the best approach (at least not for my environment).

1) It takes away its very purpose. User names are used as a quick reference while auditing logs to identify unusual access or identifying who was logged in at certain times. If you review your logs on a regular basis, whether by a SIM or by manual review, unless you know everyone's birth dates by heart, this standard would become useless. You would no longer be able to identify anomalies within the logs. I'm sure you could look each up if you were doing incident response to find out who is who, but that could be very time consuming and costly (unless you only have 3 people in the company).

2) Not all user IDs are directly related to a single person. This is obviously reflective of your development practice. But there could be times when either a standard ID is used to run maintenance, or scripts by a scheduler. You may not necessarily want something as generic as a backup process that could be run on a nightly process to be run with a specific user's login. This would be 1 way to identify if someone actually logs in vs. a scheduler process was running. It has its inherent issues as well, but again it depends on your standards that you follow.

These are just a couple of reasons, but enough for me to say it wouldn't be a good idea in my environment.

--Jerry