"Unruh" <unruh-spam@physics.ubc.ca> wrote in message
news:B0Jhk.1252$nu6.140@edtnps83...
> humbleFunGuy <imohammed786@hotmail.com> writes:
>>We are in the planning stages of
>>setting up a convention for user names for our company.
>>We are considering using the following convention:
>>Assume my company is General Electric.
>>GE000000001
>>GE000000002
>>So all the usernames will be sequential.
>>I have a security concern with this approach. One can easily write code
>>to sequence through user names and attempt a brute force attack.
> A user name is "public". You must expect that anyone's username is known
> to any adversary. There is no security in usernames. The security comes
> from the passwords. That is where you should be spending your time.
In a context such as this one, a little security by obscurity might be
useful. I am thinking, for example, of junk mail attacks. A dictionary or
brute-force approach is likely to be slower, and less successful, than
just sending mail to
GE000000001@example.com,
GE000000002@example.com,
GE000000003@example.com and so on once the pattern becomes known.
Of course, you may be able to avoid the username@domain pattern resulting
in valid email addresses. This was just an example; Wieslaw presented
others.
Strong passwords are essential, but the one does not preclude the other.
--
Thor Kottelin
http://www.anta.net/
Antivirus, firewall, parental control:
http://www.anta.net/sw/norman/
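As an added illustration, not part of the thread or anyone's posted code: a defender-side check for the enumeration risk the original poster raises. It scans authentication log lines and flags any source that walks consecutive IDs of the sequential scheme (GE000000001, GE000000002, ...). The log format and the sample lines are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines; the format (src=, user=, result=) is assumed.
SAMPLE_LOG = """\
2008-08-01T10:00:01 src=203.0.113.7 user=GE000000001 result=FAIL
2008-08-01T10:00:02 src=203.0.113.7 user=GE000000002 result=FAIL
2008-08-01T10:00:03 src=203.0.113.7 user=GE000000003 result=FAIL
2008-08-01T10:00:04 src=203.0.113.7 user=GE000000004 result=FAIL
2008-08-01T10:00:05 src=203.0.113.7 user=GE000000005 result=FAIL
2008-08-01T10:01:00 src=198.51.100.2 user=GE000000042 result=OK
2008-08-01T10:02:00 src=198.51.100.2 user=GE000000042 result=FAIL
"""

# Split a username like GE000000001 into its letter prefix and numeric counter.
LINE_RE = re.compile(
    r"src=(?P<src>\S+) user=(?P<prefix>[A-Z]+)(?P<num>\d+) result=(?P<result>\S+)"
)

def parse(log_text):
    """Return (src, prefix, counter, result) tuples in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["src"], m["prefix"], int(m["num"]), m["result"]))
    return events

def longest_sequential_run(nums):
    """Length of the longest run of strictly consecutive counters, in order seen."""
    best = run = 1 if nums else 0
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best

def find_enumeration(log_text, min_run=4):
    """Map each source that tried >= min_run consecutive usernames to (prefix, run length)."""
    per_src = defaultdict(list)
    for src, prefix, num, _ in parse(log_text):
        per_src[(src, prefix)].append(num)
    hits = {}
    for (src, prefix), nums in per_src.items():
        run = longest_sequential_run(nums)
        if run >= min_run:
            hits[src] = (prefix, run)
    return hits

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))  # {'203.0.113.7': ('GE', 5)}
```

A real deployment would key on the same source walking IDs regardless of success or failure, since with sequential names a hit on one account is enough to confirm the scheme.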