WebApp Sec mailing list archives
Re: User ID generation
From: Lucas Holt <luke () foolishgames com>
Date: Mon, 18 Apr 2005 18:44:03 -0400
On Apr 14, 2005, at 1:35 PM, Andi McLean wrote:
> Sorry, forgot to mention: the users in my case will be Members logging into a website. Other Members will not be able to see each other. If I set up a forum, something different will be used.
You might consider using something like the date and time someone signs up meshed together in some way along with a few randomly chosen letters A-Z a-z. It's still predictable, but the longer your site is in operation the harder it would be to crack a specific account unless you knew when the person signed up. A random account, well, that's a different story.
It might be better just to write a randomizer function for usernames and passwords where usernames can contain A-Z a-z 0-9 and passwords can contain those plus additional special characters like $ # @ ! & *. Then use a minimum length for both of at least 5 characters. For passwords I like at least 8 characters. It prevents many dictionary attacks and people who make word lists with letters, numbers and special characters from hitting your site. If nothing else, bandwidth limitations will slow them down.
Lucas Holt Luke () FoolishGames com ________________________________________________________ FoolishGames.com (Jewel Fan Site) JustJournal.com (Free blogging) FoolishGames.net (Enemy Territory IoM site)
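The two schemes discussed in the message above, as an added example that is not part of the original post: a randomizer using the alphabets and minimum lengths the message gives, plus an estimate of how much guessing entropy each scheme leaves an attacker. The function names, the default lengths (8 and 12), the use of Python's `secrets` CSPRNG, second-resolution signup timestamps and a 3-letter random suffix are assumptions made for illustration.

```python
import math
import secrets
import string

# Alphabets as described in the message: IDs use A-Z a-z 0-9,
# passwords add the special characters $ # @ ! & *.
ID_ALPHABET = string.ascii_letters + string.digits
PW_ALPHABET = ID_ALPHABET + "$#@!&*"


def random_string(alphabet: str, length: int) -> str:
    """Draw each character from the OS CSPRNG (not the `random` module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def new_user_id(length: int = 8) -> str:
    if length < 5:  # minimum length from the message
        raise ValueError("user IDs must be at least 5 characters")
    return random_string(ID_ALPHABET, length)


def new_password(length: int = 12) -> str:
    if length < 8:  # minimum the message prefers for passwords
        raise ValueError("passwords must be at least 8 characters")
    return random_string(PW_ALPHABET, length)


def random_bits(alphabet: str, length: int) -> float:
    """Guessing entropy, in bits, of a uniformly random string."""
    return length * math.log2(len(alphabet))


def timestamp_id_bits(window_seconds: int, suffix_letters: int) -> float:
    """Entropy of a 'signup time + random A-Z a-z letters' ID when the
    signup time can be bounded to a window of `window_seconds`
    (assumed: timestamps with one-second resolution)."""
    return math.log2(window_seconds) + suffix_letters * math.log2(52)


if __name__ == "__main__":
    print("user id :", new_user_id())
    print("password:", new_password())
    print(f"random 8-char ID        : {random_bits(ID_ALPHABET, 8):.1f} bits")
    print(f"timestamp, 1-day window : {timestamp_id_bits(86400, 3):.1f} bits")
    print(f"timestamp, 1-year window: {timestamp_id_bits(365 * 86400, 3):.1f} bits")
```

The timestamp-based figure shrinks as the signup window gets narrower, which is the "unless you knew when the person signed up" case from the message.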