User Naming Practices?
Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"
recent change here (Score:2, Insightful)
As for a security issue, I would say the <first name>.<last name> scheme would make it easier to get back at a certain individual, but not so practical for automated actions. For instance, if your least-favorite person in the world is at john.doe@company.com, it would be easy to direct every piece of SPAM in the world to his email box with only the basic knowledge that he works at company.com.
Passwords (Score:5, Insightful)
Problem with names... (Score:3, Insightful)
There are quite a few people like me. I always find it a problem when someone wants to use my first name as part of my log-in/email address.
In a business setting, it means explaining why the name in the email address does not match the name of the person they just met. For all contacts, it means that the person trying to email me needs to remember my *real* name.
If a system is put in place such as last_name.first_initial or first_name.last_name, do not simply go by the name listed according to the HR department.
One way that worked (Score:2, Insightful)
This carries with it the problems of remembering your username, but with everyone wanting to keep their username matching their current last name, we were changing about 20 usernames a week on about 30 systems.
Re:I have the answer. (Score:4, Insightful)
There are a lot of places which use the last four digits of the SSN for identity verification. I'm not sure I'd like to have it be part of something as public as my email address.
Any system has to be flexible (Score:4, Insightful)
Especially in a corporate environment, people expect to have reasonable looking user names. Most folks won't put up with being sfc123; it just is not professional.
This means that while it's a good idea to have guidelines, you can't be too much of a stickler. If a sales guy was jschmoe at his last three jobs, and all his contacts know his email as jschmoe, then it's really best if he can continue to be jschmoe. Forcing him to be joes341 instead doesn't make anyone happy.
Collisions are certainly an issue, but that's not the only problem. For example, a popular default choice might be first initial last name. Using that standard at one job we ended up with a "pharter" (say it out loud), and at another job there would have been an "aryan". These things just don't work.
Ideally I like to allow users their choice of login. I encourage them to select one of first initial last name, first name last initial, or initials. Every now and then someone will come along and want a login like "coolguy" or something completely random. Depending on the company culture and whether the user is "customer facing" I might be lenient.
I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.
Re:recent change here (Score:3, Insightful)
aaron.aaronson@foo.bar,
abel.aaronson@foo.bar,
abraham.aaronson@foo.bar,
adam.aaronson@foo.bar
...
The same goes for a first-initial/last-name scheme (aaaronson, baaronson, caaronson, etc.), and any other similar scheme.
Re:Our system (Score:3, Insightful)
Well... I for one need to read rfc793 (and any related rfcs), but it is far better to include only certain characters than to exclude illegal characters for the simple reason that in the event of not including a necessary character, it is easy to fix, when users start bitching. But if you forget to exclude an illegal character, the usual way of finding that out is when your server gets hax0red.
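The include-versus-exclude point in the last comment, as an added example that is not part of the thread: a username check written both ways and run over constructed sample names. The character policy, the denylist contents and all function names are assumptions chosen for illustration.

```python
import string
import unicodedata

# Assumed policy (not from the thread): first character a lowercase ASCII
# letter, the rest lowercase letters, digits, '.', '_' or '-'; length 2-32.
FIRST = set(string.ascii_lowercase)
REST = FIRST | set(string.digits + "._-")

# A denylist of the characters someone remembered to forbid (constructed).
DENIED = set(" /\\:;|&$`'\"<>*?!@#%")


def allowlist_ok(name: str) -> bool:
    """Accept only names built entirely from explicitly permitted characters."""
    return (2 <= len(name) <= 32
            and name[0] in FIRST
            and all(ch in REST for ch in name))


def denylist_ok(name: str) -> bool:
    """Accept any non-empty name that avoids the known-bad characters."""
    return bool(name) and not any(ch in DENIED for ch in name)


def rejection_reason(name: str):
    """Return None if allowed, else where and why the allowlist refused."""
    if allowlist_ok(name):
        return None
    for i, ch in enumerate(name):
        if ch not in (FIRST if i == 0 else REST):
            label = unicodedata.name(ch, "unnamed control")
            return f"position {i}: U+{ord(ch):04X} {label}"
    return "length outside 2-32"


def compare(samples):
    """Names the denylist lets through but the allowlist refuses."""
    return [s for s in samples if denylist_ok(s) and not allowlist_ok(s)]


# Constructed sample input: ordinary names plus ones the denylist forgot about
# (trailing newline, NUL byte, leading hyphen, comma, Cyrillic look-alike 'o').
SAMPLES = ["jschmoe", "john.doe", "john doe", "jdoe\n", "jdoe\x00",
           "-rf", "jdoe,root", "jd\u043ee"]

if __name__ == "__main__":
    for name in compare(SAMPLES):
        print(f"{name!r:14} denylist: accepted  allowlist: {rejection_reason(name)}")
```

Every name the denylist misses here is fixed only by remembering one more character to forbid, while a legitimate name the allowlist refuses is fixed by adding one character to `REST`.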