comp.security.misc

#1, 07-23-2008, 11:23 AM
humbleFunGuy
sequential number user name convention - security concern

I am wondering if there is any article or best practice on how to
select a convention for user names. We are in the planning stages of
setting up a convention for user names for our company. These user
names will be used for all employees. We have a lot of employees.

We are considering using the following convention:
Assume my company is General Electric.

GE000000001
GE000000002

So all the usernames will be sequential.

I have a security concern with this approach. One can easily write
code to sequence through user names and attempt a brute force attack. Is
this vulnerability about the same as if we select user names that
follow a standard user name convention such as jsmith or gwbush, or is
using sequential numbers as usernames more vulnerable?

Thanks,
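The worry in the question above, someone stepping through GE000000001, GE000000002, ... against a login service, is something a defender can watch for in authentication logs regardless of which naming scheme is chosen. The following is an added example written for this thread, not code posted by anyone in it: it parses a small set of constructed sshd-style log lines, groups failed logins by source address, and flags a source that tries many distinct usernames whose numeric tails step by one. The log format, the TEST-NET addresses and the thresholds are assumptions made for the example.

```python
"""Detect sequential-username probing in authentication logs.

Added example for this thread, not code from any poster. The log format is
constructed here (sshd-like 'Failed password for invalid user ... from IP')
and the thresholds are illustrative assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: one source walking a GE-prefixed sequence, one ordinary
# user who mistypes a password once and then logs in.
SAMPLE_LOG = """\
Jul 23 11:23:01 host sshd[101]: Failed password for invalid user GE000000001 from 203.0.113.5 port 40001 ssh2
Jul 23 11:23:02 host sshd[102]: Failed password for invalid user GE000000002 from 203.0.113.5 port 40002 ssh2
Jul 23 11:23:02 host sshd[103]: Failed password for invalid user GE000000003 from 203.0.113.5 port 40003 ssh2
Jul 23 11:23:03 host sshd[104]: Failed password for invalid user GE000000004 from 203.0.113.5 port 40004 ssh2
Jul 23 11:23:04 host sshd[105]: Failed password for invalid user GE000000005 from 203.0.113.5 port 40005 ssh2
Jul 23 11:23:09 host sshd[106]: Failed password for jsmith from 198.51.100.7 port 51000 ssh2
Jul 23 11:23:15 host sshd[107]: Accepted password for jsmith from 198.51.100.7 port 51001 ssh2
"""

# 'invalid user ' is present when the account does not exist at all.
LINE_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
# Splits a username into a non-digit prefix and a trailing number, if any.
NUMERIC_TAIL = re.compile(r"^(?P<prefix>\D*)(?P<num>\d+)$")


def parse_failures(log_text):
    """Return {source_ip: [username, ...]} for failed logins, in log order."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return failures


def sequential_run_length(usernames):
    """Longest run of usernames sharing a prefix whose numeric tails step by +1."""
    best = 0
    run = 0
    prev = None
    for name in usernames:
        m = NUMERIC_TAIL.match(name)
        cur = (m.group("prefix"), int(m.group("num"))) if m else None
        if cur and prev and cur[0] == prev[0] and cur[1] == prev[1] + 1:
            run += 1
        else:
            run = 1
        best = max(best, run)
        prev = cur
    return best


def flag_enumeration(log_text, min_distinct=4, min_run=3):
    """Sources that probe many distinct usernames with a sequential run among them."""
    alerts = {}
    for ip, users in parse_failures(log_text).items():
        distinct = len(set(users))
        run = sequential_run_length(users)
        if distinct >= min_distinct and run >= min_run:
            alerts[ip] = {"distinct_usernames": distinct, "sequential_run": run}
    return alerts


if __name__ == "__main__":
    for ip, info in flag_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['distinct_usernames']} distinct usernames, "
              f"sequential run of {info['sequential_run']}")
```

The distinct-username count on its own already separates an enumeration attempt from a single user fumbling a password; the sequential-run check adds the signal that is specific to a predictable naming scheme, which is exactly what a later reply in this thread argues against.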

#2, 07-23-2008, 01:48 PM
Ertugrul Söylemez
Re: sequential number user name convention - security concern

humbleFunGuy <imohammed786@hotmail.com> wrote:

> I am wondering if there is any article or best practice on how to
> select a convention for user names. We are in the planning stages of
> setting up a convention for user names for our company. These user
> names will be used for all employees. We have a lot of employees.
>
> We are considering using the following convention: Assume my company
> is General Electric.
>
> GE000000001
> GE000000002
>
> So all the usernames will be sequential.
>
> I have a security concern with this approach. One can easily write code
> to sequence through user names and attempt a brute force attack. Is
> this vulnerability about the same as if we select user names that
> follow a standard user name convention such as jsmith or gwbush, or is using
> sequential numbers as usernames more vulnerable?


In a well designed security system, this "vulnerability" is a phantasm.
If your security is bound to keeping user names secret, you're already
doomed. If it is possible, you should follow some naming convention,
which makes sense, or let the users choose their usernames themselves.
Security should come from a separate, secret, randomly-generated
password or other correct means of authentication, e.g. smartcards.


Greets,
Ertugrul.


--
nightmare = unsafePerformIO (getWrongWife >>= sex)

#3, 07-23-2008, 04:30 PM
Unruh
Re: sequential number user name convention - security concern

humbleFunGuy <imohammed786@hotmail.com> writes:

>I am wondering if there is any article or best practice on how to
>select a convention for user names. We are in the planning stages of
>setting up a convention for user names for our company. These user
>names will be used for all employees. We have a lot of employees.

>We are considering using the following convention:
>Assume my company is General Electric.

>GE000000001
>GE000000002

>So all the usernames will be sequential.


Yaaagraeedgsenyme. Why? To make sure that your users have as hard a time
as possible remembering their usernames? Why not throw in $^*(^*&)(*)#$# as
well into the usernames. It makes them even harder to remember -- and random
upper case.


>I have a security concern with this approach. One can easily write
>code to sequence through user names and attempt a brute force attack. Is


A user name is "public". You must expect that anyone's username is known to
any adversary. There is no security in usernames. The security comes from
the passwords. That is where you should be spending your time.


>this vulnerability about the same as if we select user names that
>follow a standard user name convention such as jsmith or gwbush, or is
>using sequential numbers as usernames more vulnerable?

>Thanks,


#4, 07-23-2008, 04:37 PM
david20@alpha2.mdx.ac.uk
Re: sequential number user name convention - security concern

In article <20080723154804.677c9416@ertes.de>, Ertugrul Söylemez <es@ertes.de> writes:
>humbleFunGuy <imohammed786@hotmail.com> wrote:
>
>> I am wondering if there is any article or best practice on how to
>> select a convention for user names. We are in the planning stages of
>> setting up a convention for user names for our company. These user
>> names will be used for all employees. We have a lot of employees.
>>
>> We are considering using the following convention: Assume my company
>> is General Electric.
>>
>> GE000000001
>> GE000000002
>>
>> So all the usernames will be sequential.
>>
>> I have a security concern with this approach. One can easily write code
>> to sequence through user names and attempt a brute force attack. Is
>> this vulnerability about the same as if we select user names that
>> follow a standard user name convention such as jsmith or gwbush, or is using
>> sequential numbers as usernames more vulnerable?

>
>In a well designed security system, this "vulnerability" is a phantasm.
>If your security is bound to keeping user names secret, you're already
>doomed. If it is possible, you should follow some naming convention,
>which makes sense, or let the users choose their usernames themselves.
>Security should come from a separate, secret, randomly-generated
>password or other correct means of authentication, e.g. smartcards.
>

The main criterion for usernames should be usability.
If you are going to be using the same username on different systems then
you need to be aware of any limitations those systems have. For instance,
traditionally Unix system usernames have been restricted to a length of
eight characters.

Usernames such as

GE000000001
GE000000002

may also suffer from users who are dealing with lots of queries about accounts
transposing digits, e.g. someone on the helpdesk mixing up the username

GE016549832

with

GE016459832

David Webb
Security team leader
CCSS
Middlesex University

>
>Greets,
>Ertugrul.
>
>
>--
>nightmare = unsafePerformIO (getWrongWife >>= sex)
>

#5, 07-23-2008, 10:25 PM
Wwieslaw
Re: sequential number user name convention - security concern

Unruh wrote:
> A user name is "public". You must expect that anyone's username is
> known to any adversary.


One username known != all usernames known. There are many ways to
prevent brute force username attacks, like using 3 initials + a random 5
digit number. It is not really hard to remember 5 digits (you know your
initials); I've been able to memorize it after 3 hours in my new job.

> There is no security in usernames. the security comes from the
> passwords. That is where you should be spending your time.

Two-factor authentication is always stronger than one factor.
If you make your usernames so simple that a basic algorithm could follow
them, you get virtually one-factor authentication. If for any reason a
password gets published, it is easy: let's say 1000 usernames, brute
force attack, quick job.


>> this vulnerability about the same as if we select user names that
>> follow a standard user name convention such as jsmith or gwbush, or is
>> using sequential numbers as usernames more vulnerable?


I believe the latter is true. Take a social networking website as an
example. Assume you know a vulnerability that allows you to access every
single user profile, no matter whether you're connected or not, if you know the user
id in the database.

Sequential user ids - you get a copy of all profiles, including PII,
*very* quickly.

Unknown pattern - much longer, and you can always send unknown user
request to a very slow redirect. For sequential case, unknown might be
only first and last id.

Sequential id case - real world example, it happened with some
classmates.com clone.


Wieslaw
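The scheme proposed above, three initials plus a random five-digit number, is easy to get subtly wrong in practice: the digits must come from a cryptographic source rather than a counter or a seeded PRNG, collisions between colleagues with the same initials must be handled, and the result must still satisfy constraints such as the eight-character Unix limit David Webb raised earlier in the thread. The following is an added example written for this thread, not code from any poster; the registry class, the padding letter for short names and the validation regex are assumptions made for the illustration.

```python
"""Allocate usernames of the form <3 initials><5 random digits>.

Added example illustrating the scheme Wieslaw describes above, together with
the traditional eight-character Unix limit David Webb mentions. It is not code
from any poster; the registry and helper names are assumptions for this example.
"""
import re
import secrets
import string

MAX_UNIX_LEN = 8          # traditional Unix username limit noted in the thread
INITIALS_LEN = 3
DIGITS_LEN = 5
USERNAME_RE = re.compile(r"^[a-z]{3}[0-9]{5}$")


def initials_for(full_name, padding="x"):
    """Lower-case ASCII initials of the first three name parts; pad short names.

    The padding letter is an assumption for this example, not part of the scheme.
    """
    parts = [p for p in full_name.split() if p and p[0].isalpha()]
    letters = "".join(p[0].lower() for p in parts[:INITIALS_LEN])
    # Keep ASCII letters only so the result is valid on legacy systems.
    letters = "".join(c for c in letters if c in string.ascii_lowercase)
    return (letters + padding * INITIALS_LEN)[:INITIALS_LEN]


def is_valid_username(name):
    """True when the name fits the scheme and the traditional Unix length limit."""
    return len(name) <= MAX_UNIX_LEN and bool(USERNAME_RE.match(name))


class UsernameRegistry:
    """Hands out unique usernames; the suffix is unpredictable, not sequential."""

    def __init__(self):
        self._taken = set()

    def allocate(self, full_name, rng=secrets.randbelow, max_tries=100):
        """Pick an unused <initials><5 digits> name; rng defaults to a CSPRNG."""
        prefix = initials_for(full_name)
        for _ in range(max_tries):
            # 00000..99999: 100000 candidates per set of initials.
            candidate = f"{prefix}{rng(10 ** DIGITS_LEN):0{DIGITS_LEN}d}"
            if candidate not in self._taken:
                self._taken.add(candidate)
                return candidate
        raise RuntimeError(f"no free username for initials {prefix!r}")

    def is_taken(self, name):
        return name in self._taken


if __name__ == "__main__":
    registry = UsernameRegistry()
    for person in ("Jane Q Smith", "John Public", "Ann Lee"):
        name = registry.allocate(person)
        print(person, "->", name, "valid:", is_valid_username(name))
```

The `rng` parameter exists so the allocation can be tested deterministically; in production it should stay at `secrets.randbelow`, because a suffix drawn from `random` or derived from a hire date would reintroduce the predictability the scheme is meant to remove.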

#6, 07-24-2008, 01:43 AM
D. Stussy
Re: sequential number user name convention - security concern

"humbleFunGuy" <imohammed786@hotmail.com> wrote in message
news:393bd12d-4aba-475d-b265-5256b7643f5b@d45g2000hsc.googlegroups.com...
> I am wondering if there is any article or best practice on how to
> select convention for user names. We are in the planning stages of
> setting up convention for user names for our company. These user
> names will be used for all employees. We have a lot of employees.
>
> We are considering using the following convention:
> Assume my company is General Electric.
>
> GE000000001
> GE000000002
>
> So all the usernames will be sequential.


Will you be assigning the password sequentially too? ;-)

#7, 07-24-2008, 09:44 AM
Thor Kottelin
Re: sequential number user name convention - security concern

"Unruh" <unruh-spam@physics.ubc.ca> wrote in message
news:B0Jhk.1252$nu6.140@edtnps83...
> humbleFunGuy <imohammed786@hotmail.com> writes:


>>We are in the planning stages of
>>setting up a convention for user names for our company.

>>We are considering using the following convention:
>>Assume my company is General Electric.

>>GE000000001
>>GE000000002

>>So all the usernames will be sequential.

>>I have a security concern with this approach. One can easily write
>>code to sequence through user names and attempt a brute force attack.

> A user name is "public". You must expect that anyone's username is known
> to any adversary. There is no security in usernames. The security comes
> from the passwords. That is where you should be spending your time.


In a context such as this one, a little security by obscurity might be
useful. I am thinking, for example, of junk mail attacks. A dictionary or
brute-force approach is likely to be slower, and less successful, than
just sending mail to GE000000001@example.com, GE000000002@example.com,
GE000000003@example.com and so on once the pattern becomes known.

Of course, you may be able to avoid the username@domain pattern resulting
in valid email addresses. This was just an example; Wieslaw presented
others.

Strong passwords are essential, but the one does not preclude the other.

--
Thor Kottelin
http://www.anta.net/

Antivirus, firewall, parental control: http://www.anta.net/sw/norman/