Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Unix Operating Systems Software

User Naming Practices? 109

Posted by Cliff
from the mangling-yer-moniker dept.
Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"
This discussion has been archived. No new comments can be posted.

User Naming Practices?

Comments Filter:
  • recent change here (Score:2, Insightful)

    by LuxFX (220822)
    We've recently changed from a <first initial><first six letters of last name> scheme to the <first name>.<last name> scheme, and it's generally been a pain because of 1) the extra typing, and 2) we now must know exactly how to spell those long and difficult last names, instead of just needing to memorize the beginning six letters.

    As for a security issue, I would say the <first name>.<last name> scheme would make it easier to get back at a certain individual, but not so practical for automated actions. For instance, if your least-favorite person in the world is at john.doe@company.com, it would be easy to direct every piece of SPAM into the world to his email box with only the basic knowledge that he works at company.com.
    • by J'raxis (248192)
      Actually, the first-name/last-name scheme makes dictionary-attack spamming extremely simple. Spammers dont care if they hit 1,000,000 bad addresses, all they care about is getting a few through...

      aaron.aaronson@foo.bar,
      abel.aaronson@foo.bar,
      abraham.aaronson@foo.bar,
      adam.aaronson@foo.bar,
      ...

      The same goes for a first-initial/last-name scheme (aaaronson, baaronson, caaronson, etc.), and any other similar scheme.

  • by bconway (63464) on Monday May 13, 2002 @01:42PM (#3511359) Homepage
    No way. However, the IT group was kinda surprised that Steve Lutz insisted on keeping with the first letter + last name naming scheme. I shit you not.
    • My first name is Chris, My last initial is T. In the entire several hundred person staff full of people with first name last initial, I was the only one with a different username, as the ultra religious sysadmin manager refused to create me the login "christ".
      • by jo42 (227475)
        Once we had a guy named Bob O. I didn't set him up as "bobo@"...
        • Don't forget Mary Elizabeth Cummins, who went to Georgetown. Georgetown uses (used?) First six of last name + first initial + middle initial.
          • We once had a user named Yoyo (she was Taiwanese and I work for an Asian company). Her name in itself is kind of weird, but her last name was Yang. So, her email was 'yoyoy@...

            Not that it's really funny, but I thought it was pretty unique. Still, I guess it can be tricky if you try spelling it out for someone over the phone.
            • We used initials, if the users first initial-lastname was taken. One user was thus awarded with STD@somplace.com.
              For the uninformed, STD is the TLA for Sexually Transmited Disease.
  • Options (Score:2, Interesting)

    by sydb (176695)
    Employee number. Benefits: Unique, ties into company systems. Drawbacks: Difficult to remember (especially if your not the relevant employee).

    Some combo of the employees name: e.g. initialsurname: mpacey (me). Benefits: Easy to remember, even if your not the employee. Drawbacks: duplicates - jsmith (though you can always have jsmith001-999.

    I know of no other systems that I'd consider useful for large numbers of users.
  • A community Freenet i am a member of uses sequential userid's in the aa001-zz999. it becomes really easy to spam members as all you have to do is vrite a looping incramental script and you can hit 60,000+ id's

    at work im the first 6 chars of my last name 1st initial. it works, except for the boogerj@.. :)
    • at work im the first 6 chars of my last name 1st initial. it works, except for the boogerj@..

      And I thought mine was bad. dudey@... (D. Udey) is either read as 'dude y' or 'doodey', neither of which is particularly fun. fortunately, 'danudey' is a short enough username for any system I've ever used.

      You could always go for entirely nonsensical names. My UNB ID is 'd93w4'. the 'd' has nothing to do with my name (a friend of mine whose initials are ajb has 'o284e'), the 93 has nothing to do with the date I enrolled (2002), and I can't even think about what the w4 might mean but doesn't. As near as I can tell, it's pretty much either random or incremental somehow. Go figure.

      --Dan
  • Set up an e-mail account for every domain owner. Use a password based solely on the domain name. Mass e-mail everyone to let them know, and make sure it's "opt-out" rather than "opt-in". Sit back and watch the wackiness.

  • by reaper20 (23396) on Monday May 13, 2002 @01:45PM (#3511379) Homepage
    We use a combination of first.last, first 6 from last name then first initial, and, first.MI.last.

    They all suck, I like Jedi names, first three of last name, and then the first two of the first name. Works remarkably well.

  • Our system (Score:2, Interesting)

    by Anonymous Coward
    Until recently my company had firstname_lastname, which was pretty annoying in many instances (such as email forms that did not allow _, or the fact that our Blackberries only have _ in the special characters section). Recently we switched over to firstname.lastname. Ready for the scary part? In the event of a clash, they go to firstname-middleinitial.lastname. So your email really could be john-p.smith@blahblah. Ewwww. Why they couldn't use .middleinitial. is beyond me.

    Eons ago (1997 ish) I helped my company get internet email. We went with first letter+lastname. Except for this lady "Sridevi Sureshbabu", we thought it would be a little awkward for her to type ssureshb (Lotus having an 8char limit) so we just made her name sridevi. Sure enough, she complained that her name was different from everybody else's. Most geeks I know these days used to consider having just firstname@company.com be a badge of honor!

    • Re:Our system (Score:5, Interesting)

      by Permission Denied (551645) on Monday May 13, 2002 @03:34PM (#3512178) Journal
      firstname_lastname, which was pretty annoying in many instances (such as email forms that did not allow _, ...)

      This is highly annoying.

      We have a very cool sendmail setup - it interfaces with our directory database, so, while my username is "flastnam" (first initial, first seven of last name), I get mail to f-lastname@, first-lastname@, first.lastname@, lastname@, etc. Ambguities are solved by bouncing the email, with a friendly message explaining exactly how our system works.

      We have another neat feature with our sendmail setup - you can append a plus sign and any arbitrary string to the username part of your email address. So, Sybase thinks I'm lastname+sybase@domain.com, Amazon thinks I'm lastname+amazon@domain.com, etc. I now get zero spam and even I've caught one company selling my email address (and that email address was promptly procmailed away, for good).

      The annoying part? Stupid, idiotic web programmers who've never heard of rfc822. They don't think the plus sign is a valid character for an email address. In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address. For some reason, these web programmers write their regular expressions to only include certain characters, rather than to exclude the illegal characters. To these web programmers, I say: read rfc793, especially section 2.10. Your "security" principals are unsound: you shouldn't be passing any user input to anything that might interpret it as a shell command (can happen in perl if you're not careful), and SQL statement (happens in a lot of php code that I see that doesn't use addcslashes() or friends), or be putting your user input anywhere near an unchecked buffer (poorly-written C programs).

      But enough of the rant. The non-rant portion of this message is that you might want to investigate separating your email address namespace and your username namespace. We do this, and it's quite nice.

      • Re:Our system (Score:3, Insightful)

        by toast0 (63707)
        Quoth the poster:
        don't think the plus sign is a valid character for an email address. In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address. For some reason, these web programmers write their regular expressions to only include certain characters, rather than to exclude the illegal characters. To these web programmers, I say: read rfc793, especially section 2.10.


        Well... I for one need to read rfc793 (and any related rfcs), but its is far better ot include only certain characters than to exclude illegal characters for the simple reason that in the event of not including a necessary character, it is easy to fix, when users start bitching. But if you forget to exclude an illegal character, the usual way of finding that out is when your server gets hax0red.

      • Re:Our system (Score:3, Informative)

        by dubl-u (51156)
        In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address.

        I agree with the sentiment, but I don't think that's exactly correct. Those special characters are also allowed under RFC 822 [faqs.org], just as long as they are quoted.

        As a practical matter, both sendmail and qmail seem to allow those characters quite happily. I just sent email from qmail and sendmail boxes to a qmail box with addresses like "foo@@example.com", "bar!@example.com", and "foobar!%@@example.com", and all of them got to the destination machine and were delivered happily.
  • I am the co-director of my schools tech dept.
    We have around 500 students tops. We use lastname_first-name. Mine being an exception, strunk_l , because I added it to the user list cause I am so lazy and log into to many machines in one day.
    Also, we didn't standardize early, and many teachers where using last_first-initial to begin with, and since many teachers are very computer illiterate, we decided not to change it. All the students use the last_first though.

    It has some problems, such as having two Mrs. Yeagers. So we have Yeager_C1 & Yeager_C2

    What I would like to do when update the servers this summer is a better naming convention. I would like Department_Last_First-initial.
    Example being Art_Henry_J Although that is what first comes to mind, I may think of a better one soon.
    • About seven years ago I started classes at North East Missouri State, now Truman University, and we were tagged with random email/usernames like "T867" and "S996" - I worked at a college later that gave faculty and staff firstname+last initial email addresses like "joeb" and so forth - but the students got first initial, student ID, last initial or something like that. I believe the admin had whipped up a script to create usernames and such from a list of students, and they'd do a batch the first week of classes.

      You could easily look up email addresses by name using a Web directory, but you couldn't just guess what another student's email address would be.

    • what do you do when someone changes departments? what happens when you hire someone who is 50% time in one department and 50% in another? etc. etc.

      on a more humorous level, what about when you hire john english to to teach math and/or english? =)
      oh better yet, arthur english the math teacher, but of course he goes by art ;)
  • Passwords (Score:5, Insightful)

    by zpengo (99887) on Monday May 13, 2002 @01:52PM (#3511431) Homepage
    The real danger is a standardized usernaming scheme + a standardized default password scheme (e.g., "password", or same as username). The "It won't happen to me" mindset takes over, and a majority of users never change their passwords. It's easy enough to get into anyone's account on systems like that.
    • My school did this. (Score:2, Interesting)

      by smcv (529383)
      They refused to give out usernames and passwords until we'd handed in a signed "I will not abuse these computers" form (signed by student if 18+ and able to sign legally binding documents, parent otherwise). Unfortunately, the usernames were (first initial)(last name) (e.g. jsmith) and the passwords were generated in a deterministic way from (IIRC) username + year of entry.

      One of my friends only got round to handing the form in 6 months later, when the IT department noticed he'd never done so despite the fact that he'd logged in with his "secret" password and changed it rather quickly, then checked his mail daily :-)

      Another dumb IT department, at my previous school, handed out numeric (4-digit) passwords, which we couldn't change (we were locked out of the relevant Control Panel applet - this was on Win95 + MS Notworking). Someone happened to notice that they seemed to go up in alphabetical order, and put 2 and 2 together - it turned out they were our pupil numbers, as printed next to our names on the register. Since in my class the pupils did the register more often than the teacher (he taught Art, what can I say), that wasn't a great plan.
  • by jeffy124 (453342) on Monday May 13, 2002 @01:56PM (#3511465) Homepage Journal
    -my school uses initials + two digits (William J Clinton -> wjc33)
    -the CS dept systems use [u|g] (meaning undergrad or grad) + first initial, lastname, max N chars (uwclinto, uwclint2)
    -there's the popular first initial, last name, digits as appropiate, up to N chars (wclinton, wclinto2)
    -i've also seen first initial, middle initial, last name (all up to 6 chars), then a 2 digit number as appropriate (wjclin, wjclin2, wjclin11)

    I've never seen first.m.last as login names in actual practice. I have seen them used as aliases for email addressing, but not the actual loginname.

    as for which is the best scheme, it really depends on the size of the organization, IMO, and the size limit on the username field. If anything, that size limit will be what makes it tough.

    As for usernames causing a potential security risk, one thing you can do is disable direct root login (ie, require su, even at the console), then log who's using su.

    Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)

    Lastly, always change default passwds and, if appropriate, disable guest logins.
    • FWIW - you can do what you suggest in NT, but it's easier just to rename the Administrator account to something innocuous.
    • by devphil (51341)
      Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)

      Actually, you could just rename the account. The "home directory" still points to the same directory paths, but those are stored in the registry and can be tweaked if you really feel the need.

    • Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)

      That's a bad idea! What is to prevent someone from repeatedly trying to login as your administrator account until said account is locked??? And then what do you do if your policy is to leave accounts locked indefinitely? Even a few hours before the locked status is reset could be a huge problem. The answer is that you can login to the local administrator account from the console even if the account is locked.

      UNIX isn't the only OS to assign certain privledges to accounts with special ID's. As others suggested, rename the account if you are that worried about it and then create a new account (disabled, in the guest group, with random garbage for the password).

    • Ah, sounds like Drexel to me.

      Don't forget the old way of forming usernames, before the wjc33 format.

      Mine was (and still is, since somehow I'm still an active student) st966f7k.

      ST - Undergrad. SG for grad student.
      96 - year I started Drexel.
      6f7k - apparently the result of a hash function of your SSN. I've not looked, but possibly md5 or somesuch.

      Of course, the next year, they started the cccnn format.

      -j (ujdisher@mcs, st966f7k@post, mug@drexel.edu)
      • funny you mention that, Drexel IS where I go to school. yeah, the st95xxxx was a big whack job. Cant imagine trying to remember friend's addresses using that (actually, I do know some people with those usernames, thank god for aliases!).

        Let's see, you started in 1996, probably a 5-year CS student. You probably graduated last June (a guess). I think they keep accounts active for one year after graduating, which would be why your account is still working.
        • Yeah, I started in 96, as a CS student. Unfortunately, I never graduated. In March of 1999, I was in a near-fatal auto accident, two days before I was to return to class from coop. I was in the hospital here at home in South Carolina for a month, and in a wheelchair for two more. Needless to say, Drexel didn't see this as a valid reason to miss class, and killed all my financial aid. So, I've not returned.

          Yet all my accounts still work :)
          • why am i not surprised.....

            well, i'm sure you've heard some things about recent Princeton Reviews....

            Drexel recently was #1 in "Campus is small, unsightly, or both" in Sept 2000, then #6 the next.

            Same Sept 2000 Drexel was #19 (or was it 15?) in "Dissatisfaction with Financial Aid" Following year was even worse, something like #7.

            Right now campus looks horrible. They're building an addition to Matheson between the building and the 33rd St Green Line entrance, its fenced off and you cant get to the quad that way (there will be an underpass when finished). They built a small gallery behind Nesbitt, was more fencing, but that finished last month. They've moved the trucks to Ludlow (after repaving Ludlow) and are tearing up 32nd St by Main to build a park and it's all fenced off (I actually have a funny story about that, triangle's website unfortunately seems to have lost my commentary on it - the link points to the wrong story). The president's mansion (next to Van R) is being renovated into a student center, and yes more fencing there. Drexel just obtained the permits to build on that triangle by the Firestone, they're planning a small "Drexel" signage, most likely more fencing to appear. Spring Jam is this weekend, and no doubt fences will appear closing off the field from outsiders.

            They also closed off the basketball courts behind Calhoun so they could store construction equipment for everything. They would've used the old laundry lot (32nd & Powelton), except residents complained. Hope the PVCA realized they shot themselves in the foot because Drexel then took away the court many of their kids use.

            Yeah, things are a little rough around here logistically. Hopefully all this should be done by the end of summer so I can at least enjoy myself and not worry about hard hat areas for my senior year.
  • by Dimwit (36756) on Monday May 13, 2002 @01:59PM (#3511486)
    When I was working in Europe for a while, we had an IT director who assumed that he knew everything possible about Unix. (It should go without saying that he didn't.)

    When I was hired on, I promulgated the first initial+last name standard. Considering this company was around thirty people, and was never expected to grow past about forty-five, this scheme seemed to work well.

    However, he threatened to fire anyone who didn't use his standard: first letter of first name + second letter of first name + first letter of last name!

    Now, with my scheme, we had zero collisions. With his, we had about four. His solution?

    first letter of first name + third letter of first name + first letter of last name! And so on...

    Never work for these people, they're insane...
    • I kinda like this idea. Except I'd make it first two letters of first name + first two letters of last name.

      And then I'd change my name to Robert O'Toole.
    • I may have dealt with him myself! :)

      A few years ago I had to email a number of people at one company. Most names were in the format jbloggs@company.com, so they were fairly easy to remember.

      However this person's email address was 'xx' followed by the first letter of his first name, the last letter of his first name, the first letter of his surname and finally the last letter of his surname. No one else at the UK arm of this company appeared to use such a scheme.
  • by singularity (2031) <nowalmart@@@gmail...com> on Monday May 13, 2002 @02:03PM (#3511516) Homepage Journal
    I am a person who does not go by my actual first name. Indeed, the name I go by is not actually listed on my birth certificate. The first initial of the name I go by does not match the first letter of my first name, either (I go by Hank Zimmerman, and my name is actually Charles Zimmerman)

    There are quite a few people like me. I always find it a problem when someone wants to use my first name as part of my log-in/email address.

    In a business setting, it means explaining why the name in the email address does not match the name of the person they just met. For all contacts, it means that the person trying to email me needs to remember my *real* name.

    If a system is put in place such as last_name.first_initial or first_name.last_name, do not simply go by the name listed according to the HR department.
  • by forehead (1874)
    Three letter intials work pretty well for user bases less than a few thousand. The vast majority of the time, users get their birth initials. In cases where people do not have a middle name, fill it in with an uncommon letter (e.g. x). When there is an overlap, other variations like the first two letters of the first name, and last initial (or simmilar).

    The user names are short, which makes them pretty easy to remember. They generally have some reasonable association with the persons name (which also makes them easy to remember). Plus, there are a variety of schemes to use in case of a collision.

    Of course it isn't perfect, and some people will end up with wacky intials, but that is a very small percentage of the time. If the number of anticipated users is too large of a scheme like this, add the department as part of the domain (e.g. abc@art.university.edu or foo@pld.company.com).
  • I have the answer. (Score:4, Informative)

    by His name cannot be s (16831) on Monday May 13, 2002 @02:13PM (#3511579) Journal
    I've often wrestled with this too.

    One company I've workded for was quite good about comming up with the usernames for people, and keeping them unique:

    use up to 4 characters of their last name+the last 4 digits of their social security number.

    Works great. Everyone can remember their own, and I've never seen a duplicate. (sera7492)

    !S
    • by Anonymous Coward on Monday May 13, 2002 @02:26PM (#3511652)
      use up to 4 characters of their last name+the last 4 digits of their social security number.

      There are a lot of places which use the last four digits of the SSN for identity verification. I'm not sure I'd like to have it be part of something as public as my email address.

      • Yeah, major security boo-boo. I worked at a place that used your initals plus the last for digits of SSN. It daily re-affirmed that workers are no more than a number to them. Working there felt like THX1138 [imdb.com] without the drugs.

      • indeed, I was asked the last 4 digits of my SSN as a verification during a phone call less than 24 hours ago
    • At my wife's college, they use (First initial)+(Middle Initial)+(Last Name)+(last four SSN + last four student #)...
      so you end up will WHGates6666... of course, at my previous school, your student # *was* your SSN... This seems to work fairly well, but I wonder why they bother with adding the ssn if they already have a (nearly) unique student#... there aren't very many people with the same name that would get the same last four digits (being that there are far less than 10k students there at a time)...
      • I know of one which uses the first,middle,last initials + last 4 SSN format. Currently I know of 9 collisions there (they add a letter after the numbers to resolve). Their solution to resolve the collisions has problems of its own. Occasionaly people write code expecting the AAAXXXX format or have a 7 character entry limitation which prevents those people with the letter from logging in.

        I think what increases the chances of a collision is if someone doesn't have or use their middle name, they use 'x' in its place. People from a lot of different cultures don't have middle names so if there are a lot of foreign students (like at a tech school), the chances of collision increase. Now that I think about it, those foreign students don't have SSN's so whatever they use to substitute for SSN's may increase the chances of collision as well.

        Schools which receive federal funding (i.e. all of them) were supposed to stop using SSN's as unique identifiers years ago but many still do.
    • We do this at my Uni, but we use the last four of our internal database's person id instead of the social security number. We started doing it three years ago when we got a new CIO -- he claimed that at his last job they never had a collision (with over 10,000 students) in a long period of time (I can't remember how long off the top of my head). However, in the last three years, we've had two, and we have far less students than that.

      Still, it's better than our previous method. Far less collisions, even if the usernames look like AOL/Hotmail/Yahoo! logins.
    • Better, would be 2 letter initials + random 4 digit number. Soc Security #'s would be bad, as would any incrementing scheme. Though, I've worked at a few Fortune 10 companies before, they *might* start having namespace problems there (4 digits is 10,000 possibilities). I don't particularly like 3 letter initials though (some people don't have them) or 5 digits (starting to go overboard). I definitely don't recommend dropping below 4 digits, even in a small business enviroment. 4 digit random number makes it tough to even guess the account name, at least until that starts filling up.
    • I've found the best email name is in the form of:

      ..---

      At the very least, I know that my credit has gotten a lot better since I've implemented this system at work...
  • First, schools:
    High-school: Only XTs. No network. No login. Only bootdisks.
    College: Student number. The email was the same.
    University:
    Department is Initial+Lastname (eg, jdoe). The duplicates are labeled jdoe, jdoe1, etc.
    Faculty is 3FirstLettersOfLastName+Initial+Number, as in doej01.
    Lastly, the University introduced a campus-wide login. I think it involves the year in which you began to attend classes here, along with a variation of your name and a sequential number (along jdoe9901).
    There's also a campus-wide email system, different from the previous, where the username is your student number, but you can choose an alias which is a variation of your name: jd1, johndoe, jdoe, doej, john.doe and maybe others.

    Work places:
    The first one was the same thing as my faculty (jdoe01).
    The second one had the employee number to login, but you also had an alias for email based on your name. The translation from name -> alias wasn't constant, though, so you had to lookup in the employee list (~50000) to know the email address of somebody.
    Lastly, another one was mostly only the firstname. The company wasn't very big (~250), and it wasn't uniform at all. I heard that it changed since I left, with emails being firstname.lastname, but I don't know about the usernames.

    And of course, my own systems:
    There's my normal user (firstname), and root. Although I'll probably change root for something meaner.

    Those are my experiences with usernames. Hope it can help somebody find their best choice.
  • My company's scheme produces really sucky names.

    I'd like to have the flexibility to pick my own username along the lines of short first name handles ("gus"), or 3 letter acronyms ("rtm"). But, no, we get a standardized way of butchering things into mostly unique but guaranteed unpronounceable gibberish.

    It would be good if there was a web based client that allowed people to pick any unused, inoffensive name.

    We have web based interfaces for helping to pick new passwords - why not usernames?

    Finally, as networked directory services become more commonplace (LDAP, etc.) the username seems to have diminished importance to the position it had many years ago. Not such a big deal.

    • I've been supporting the idea of letting people choose their own usernames for a while now, after working in a large company that uses the 1st initial - lastname convention.
      My main reasons:
      1) People often change their names, especially women who get married or divorced. A user-chosen handle shouldn't ever have to be changed
      2) Usernames based on real names usually end up with collisions. If you have 4 people named S. Johnson, you can have sjohnson1, sjohnson2, etc. But then when the first S. Johnson leaves the organization, sjohnson3 will want to know why she can't have her username changed to "just sjohnson"
      3) Instant messaging and certAin OnLine services where people get to choose "creative" handles, have become so commonplace that carrying over the convention to a business or academic environment shouldn't be too difficult, even to those ouside geek culture.
    • After long debate, that was what we decided at a previous employer of mine.

      People change their names, for many reasons, none of which are the employer's business. Marriage, divorce. etc. In some circumstances, someone's previous name may become deeply offensive or distressing to them.

      Some people are only ever known by their nicknames.

      Other examples abound.

      Names are important to people. The employer has no business is saying (effectively) "We're going to call you Bruce!" (Cue Monty Python reference here).

      We did however have a few extra rules that had to be applied.

      1. First come, first served. No exceptions. If your preferred username is taken, choose another.
      2. No re-use of the username. Ever.

      Also important to understand that this was the username, which is not the same as the email address.

      For email, we had another set of rules.

      1. Right to have the email address 'unlisted' (not appear in the LDAP directory)
      2. Default assigned name was firstname.lastname, disambiguated with initials if necessary.
      3. Multiple email addresses were permitted (one was marked 'primary'). Users could choose multiple aliases if required.
      4. Again, first come, first served.
      5. No reuse, ever
  • CDC (Score:5, Interesting)

    by rubinson (207525) <rubinson@email.ariz o n a . edu> on Monday May 13, 2002 @02:16PM (#3511596) Homepage
    My girlfriend used to work for the CDC in Atlanta; my stepmother still does. They use one of the more bizarre naming conventions that I've seen: inital letter of first name, random middle initial, initial letter of last name, increment number.

    This works fairly well for my stepmother who doesn't have a middle name. She became "dxh4 at cdc.gov." For years I thought that they gave her an "x" because she doesn't have a middle name.

    I learned differently when my girlfriend -- Nisha Bipin Gandhi -- became a nag. Specifically, "nag3 at cdc.gov." Needless to say, she got a lot of teasing for that - especially from me.

    They've recently started assigning more reasonable email address based upon initial letter of first name and last name but all of the old user names are still floating around.
  • by gi-tux (309771)
    I used to work at a large medical institution. We had a large population of female employees, and as such had employees undergoing name changes quite frequently (marriage and divorice, etc). To overcome this issue we quit using last names in the username totally. We used the first 5 characters of the first name and a 3 digit sequence number.
    This carries with it the problems of remembering your username, but with everyone wanting to keep their username matching their current last name, we were changing about 20 usernames a week on about 30 systems.
  • I worked for a company who used a 5-2 scheme.

    The first five letters of your last name followed by the first two of the first name was your login.

    A guy who used to work there by the name of Les Hedrington had "hedrile" as his.

    It was confusing, at first, but they had a suprisingly low number of duplicates.

  • whatever happenned to letting employees make decisions ?
    just give em a choice of first letter of first name+MI+first letter of surname or let them choose on their own.
    a 3 letter email+login is dead simple to remember. add numbers if required.
  • Just... (Score:5, Funny)

    by Tom7 (102298) on Monday May 13, 2002 @02:46PM (#3511768) Homepage Journal
    Just use a 128-bit hash of the person. That way, user ids are unique, easy to calculate, but hard to guess.
    • Just use a 128-bit hash of the person. That way, user ids are unique, easy to calculate, but hard to guess.

      Not to mention remember :o)
      • Re:Just... (Score:2, Funny)

        by Trinn (523103)
        What...you mean you can't do 128-bit hashing in your head? What kind of geek are you???
        • Re:Just... (Score:3, Funny)

          by schon (31600)
          you mean you can't do 128-bit hashing in your head? What kind of geek are you?

          The married kind :o)
  • by sclatter (65697) on Monday May 13, 2002 @02:57PM (#3511899) Homepage
    As far as using full names goes, the Sendmail FAQ [sendmail.org] explains sufficiently well why that's a bad idea. See Q3.5.

    Especially in a corporate environment, people expect to have reasonable looking user names. Most folks won't put up with being sfc123; it just is not professional.

    This means that while it's a good idea to have guidelines, you can't be too much of a stickler. If a sales guy was jschmoe at his last three jobs, and all his contacts know his email as jschmoe, then it's really best if he can continue to be jschmoe. Forcing him to be joes341 instead doesn't make anyone happy.

    Collisions are certainly an issue, but that's not the only problem. For example, a popular default choice might be first initial last name. Using that standard at one job we ended up with a "pharter" (say it out loud), and at another job there would have been an "aryan". These things just don't work.

    Ideally I like to allow users their choice of login. I encourage them to select one of first initial last name, first name last initial, or initials. Every now and then someone will come along and want a login like "coolguy" or something completely random. Depending on the company culture and whether the user is "customer facing" I might be lenient.

    I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.
    • I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.

      I don't buy it. The University of Michigan [umich.edu] allows everybody to pick whatever they like. Their system, known as uniqname [umich.edu], has been running for at least a decade, and they must manage on the order of 75,000 users with a turnover of at least 10,000 per year.

      The main reason to go with the hideous names that many places hand out is because it's slightly easier for the sysadmins, no matter that if it's a royal pain for the users.

      I laugh especially hard at places that try to encode all sorts of information in the username, especially things like status (faculty, staff, student), school (undergrad or grad, engineering or liberal arts), or year of graduation. That may have been handy back before the invention of the network-connected database. But stuff like that changes all the time; making them change their ID seems much dumber than just looking up their status when you really need to know it.
  • If you want a system that is easy for all, then using a convention on the name of the user will be helpful. You don't want to create double-duty for the admins, and a scheme where the forgetful users ask the same question about an obstructed convention.

    - firstname.[middle-int.]lastname
    - FirstletterLastname[year_Of_graduation]
    - lastname.firstname

    But if you're concerned about security, then you need to think about something else. Anytime you have a converntion system, there is always a possibility of security risk. Look at all the credit card companies, who use their algorithms to make unique numbers, that we can download code off the net to test, and create our own 'fake' numbers. So once you have a convention, there is always the potential for security risk.

    If you want to ensure security, you might want to look into something like SecureID, or using time based logins, or some other stuff.
  • Christ (Score:4, Funny)

    by yamla (136560) <chris@@@hypocrite...org> on Monday May 13, 2002 @03:23PM (#3512095)
    My first name is Christopher but I normally go by 'Chris'. And my last name begins with the letter, 'T'. At both my current job and my previous job, that worked out to an email address of 'Christ'.

    I am rather amused by this.
    • I too had a similar experieance, but my last name begins with an H. what my dept did was assign first minus one letter as neccessary (fucked up, i know).
      I, too, got Christ.
  • My company decided that my login wasn't good enough (set by an old standard), and changed it to fit the new standard. Unix handle it okay, but it took weeks to synchronize all the databases I use (bug reporting system, system outages reports, etc). There are still some databases that I cannot access, but I don't use them anymore and I'm tired of getting things changed. They can deal with the disk space they are taking up.

  • I haven't seen anyone use this yet but how about first init, last name, last 4 of phone number.

    It makes it easy to remember, real hard to come up with duplicates and avoids the problems of Jeffrey Smith who "everyone calls" Jeff. As well as John T Smith and John A Smith which normally become the exceptions to the rule.

    But there are still some things to take into consideration. The company I work for (or more specifically worked for before we got bought) had an employee named Pamel Enis. This is where their first init, last name convention went out the window.
    • That's great until your phone number changes. I've had >this number now for two years, but I've been places where I moved every friggn' month or so and my phone didn't move - I just got the one in my new cube.
      • In that case you set up a forwarder.

        But to be honest, any company where you have legitmate outside customer or vendor contact shouldn't be bouncing you from phone number to phone number anyhow. It's a 10 second switch on most PBX's to make your phone number follow you, if your company can't handle that I wouldn't expect them to handle your e-mail address any better.
  • The user names for students used to all start with an 's' and then 7 distincitve digits of the ID number (we have a 9-digit ID number here in Israel, first digit is always zero, last digit is checksum). Very secure scheme indeed.
    However, a few years ago the system changed to allow users to pick any login of up to 8 letters starting with 's' when they open their account. They were smart enough to disallow account names starting with 'sys' (I know, I tried ;). Still, we have accounts such as 'sex', 'sexyguy', 'someone', 'site', and my personal favorite: 'sisadmin'.
    Luckily, grad students are not required to start their login with an 's'.
  • Assume that the person is John Doe, and their extension is #1234. Then you'd take first initial, last initial, and the extension - jd1234. Should be basically unique, and if you know the person's name and phone number, its easy to guess the email address.

  • SSNs! (Score:4, Funny)

    by anthony_dipierro (543308) on Monday May 13, 2002 @05:50PM (#3513130) Journal
    I like using social security numbers. Everyone in the world has them and they're 100% unique. Plus you can use the fact that someone knows their SSN to prove that they are who they say they are.
    • Wrong assumption. I don't have one. Also, while it's hard to know someone else's number, it's not 100% impossible.

      Maybe your concept of "the world" means "USA" or something like that?
    • No joke - my both my undergrad and grad school DID THIS, and refused to budge when people complained about it.

    • I like using social security numbers. Everyone in the world has them

      Ugly american syndrome strikes again. Gee. :S
      • I like using social security numbers. Everyone in the world has them

        Ugly american syndrome strikes again. Gee. :S

        I wasn't aware that tongue-in-cheek humour was strictly an American thing.

  • you could easily have a username generator that could either keep track of previously generated usernames (an ungainly solution) or construct the username based on some other key (employee ID, for example). the username segments would be selected from a dictionary constructed for the purpose (say a list of canimal and plant names).

    My solution might look something like this (assuming that the employee ID is 6 digits long):

    1. construct nine lists of plant and animal names, 10 names in each list, total of 90 names lists
    2. select one plant list and one animal list using the first two digits of the ID
    3. select a plant name using digit 3 of the ID
    4. select an animal name using digit 4 of the ID
    5. digit 5 is used directly in the username
    6. use the final digit of the ID to determine how to combine the two names and the digit to form the username.
    The resulting usernames (looking something like rose5dog or 3cowdaisy ) will be reasonably memorable, guaranteed unique and moderately hard to guess by a dictionary attack.

    If security is not a concern, however, I would go for the path of least user anoyance and let user's select their names with some feedback from the admin staff (in case the name is already in use or is, somehow, obviously offensive). I don't see any good reason why I shouldn't be able to have dutky or, at worst, jsdutky as my username (I can guarentee that I am the only J.S.Dutky on the planet, so what's the problem?)

  • by GregWebb (26123) on Monday May 13, 2002 @06:51PM (#3513482)
    This was doing the rounds a while back. Whether it's at all true I don't know but hey, it's funny ;-)

    --------------

    Many colleges and business's tend to strip the last name down to 6 characters and add the first and last initial to either the beginning or end
    to make up an e-mail address. For example, Mary L. Ferguson = mlfergus or fergusml. They are just now
    beginning to realize the problems that may happen when you have a large and diverse pool of people to choose from. Add to that a large database of
    company/college Acronyms and you have some very funny addresses. Probably not funny to the individual involved, however:

    TOP TEN Actual E-mail Addresses
    10. Helen Thomas Eatons (Duke University) - eatonsht (at) dku.edu
    9. Mary Ellen Dickinson (Indiana University of Pennsylvania) - dickinme (at) iup.edu
    8. Francis Kevin Kissinger (Las Verdes University) - kissinfk (at) lvu.edu
    7. Amanda Sue Pickering (Purdue University) - aspicker (at) pu.edu
    6. Ida Beatrice Ballinger (Ball State University) - ibballin (at) bsu.edu
    5. Bradley Thomas Kissering (Brady Electrical, Northern Division, Overton
    Canada) - btkisser (at) bendover.com
    4. Isabelle Haydon Adcock (Toys "R" Us) - ihadcock (at) tru.com
    3. Martha Elizibeth Cummins (Fresno University) - cumminme (at) fu.edu
    2. George David Blowmer (Drop Front Drawers & Cabinets Inc.) - blowmegd (at) dropdrawers.com

    ..but at No 1, it had to be...

    1. Barbara Joan Beeranger (Myplace Home Decorating) - beeranbj (at) myplace.com
    • (sorry, meant to post this last night, tried and got told to slow down, cowboy!)

      Why doesn't Slash warn me that I'd moderated in this thread before posting? I'm well aware of the moderation rules, but had completely forgotten that I'd modded the thread. The only notification I was given was text coming on screen stating that mods were being undone AS I POSTED.

      Really, would be helpful if I was warned by comments.pl that I'd already modded...
  • Unfortunatly there's no easy solution.
    Where I work we went through a series of mergers and takeovers a few years ago and the naming conventions got a little messy.

    Originally it was set up as "last name (up to 8 chars), first initial, middle initial"; for an 10 character total length. The only problem we had was with 2 employees with long names that started out similar. I don't remember their names but one ended in "-ski" and the other ended with "-vich." Same initials, too.

    After several mergers it was decided to combine the seperate email systems and go to a "first initial, middle initial, last name" (up to 12 chars). And the problems began.

    First was the "Smith Problem." We had 4 Dave Smiths, all with middle initial "L" and 3 of them with the middle name of "Lee." Fortunatly one had the nickname of "Sparky" and so was SPARKYSMITH and one agreed to be known as DLSMITHUK, as he was based in the UK. The other 2 were listed as DLSMITH and DLOUISSMITH. We also had several other Smith's whose initials were the same.

    This didn't just affect email, it also affected the phone directories, as management chose to have one big directory for the whole company instead of dividing it down into regions and operational areas and listing everyone by just their first and last names.

    So we now have many more duplicates: 2 Dennis Millers (with the same middle name), 4 Brenda Petersens, 3 Linda Petersens, 2 Bob Pattersons, 2 Cathy Andersons (and one Kathy Anderson, very confusing), 4 Richard Andersons, 3 Mark Johnsons (and 2 of them are Mark Robert Johnson), 3 Steve Thompsons, 3 James Wilsons, 2 Alan Wrights... and those are just the duplicates I deal with on a regular basis. There are many more. It's not uncommon to have someone call the wrong person on the phone or send an email to the wrong person. Some users in frustration just send mail to ALL the users with similar names and let the recipients sort it out.

    It was suggested last year we go to using the employee number for email but the execs balked at that idea. Probably because they can't remember theirs.

    For now when we add a new employee whose name is similar to an existing employee we just add a number to the end of the user name, "KLJones2".

    So far it's working, for email at least. Phone directory is still a mess, though.
  • I can say that Georgia Tech's usernaming scheme pretty much sucks. It works like this:

    gt<Letter assigned to the year you entered Tech. For instance, you could have entered during year 'e' or year 'g' recently><three random numbers><random letter>. Believe me, telling people that you're email address is gte172u got a lot of strange looks amongst my non-Tech friends. Of course, my Tech friends just nod, knowingly. :)
  • I have worked at six companies, ranging from 3 - 250 employees. We have all used first initial, last name without many problems. Obviously, you have to get a little creative to resolve collisions. Also, the first ten or so people at a startup typically horn into getting their first names as logins.

    The caveat is that NIS has a maximum username length of 8 characters, which sucks. If you are using NIS, keep this in mind.

  • At the university I work at we use first initial then last name. If there are multiple people with that same first initial, last name they start tacking on numbers to the end. I haven't heard of this being a security problem even though it very predictable.
  • i like user choice. i would have picked my last name, or my first intial at last name, but instead i got my initials followed by three increment digits. it would be quite nice to be able to choose and just giving choice based on first come-first serve. in a university with over 40,000 people, i would still get first initial + middle initial + last name, although we do have a first-come-first serve email aliasing system, so for example the first smith to register gets smith@, there are also firstname.lastname@, firstinitial.lastname@, etc. so the first john thomas smith can get mail at smith, j.smith, john.smith, j.t.smith, john.t.smith, and probably many otherthings. i have decided that i will now put firstinitial.middleinitial.lastname on my resume b/c it looks nicer and easier. the even more annoying things is that people who work as computer admins get whatevertheywant@, although they disabled that as of last year, so although i just got hired, i still have to settle for my initials and random digits as my login, although i can now use a much nicer email alias. oh well...it would probably be hard to transition with so many users in place already. i will bring it up to my boss, though...
  • Both at uni and my current employer, it's just firstnamelastname. No length limits, no remembering combinations of character limits, and no collisions so far as you can have the same username in different OUs and it couldn't care less. Chances of having two people with the same name in the same office (each 100 users max) is exceedingly low. At uni they used an OU per entry year per department.

    Find it hard to believe that people still run systems with 8-character limits on usernames, yet use the micros~1 gag :)

"No job too big; no fee too big!" -- Dr. Peter Venkman, "Ghost-busters"

Working...