>> I am interested in the list's view concerning keeping user account
>> names from being distributed freely (e.g. as part of mail address)
>> on the Internet.
>> Another way of posing that question is: do you see any security
>> advantages in keeping user account names "hidden"/"secret"?
>> My view is that user account names should not be a security factor at
>> all, and that if they are, something is wrong with the security
>> paradigm being used. But, then again, I don't believe in passwords
>> (well, the usual reusable kind) either, so what do I know....?
> Well, letting folks know login names gives them a place to start
> trying their password guesses... I personally think sites should
> hide login names in email
Wouldn't that be what they call STO? (security through obscurity). Most of the
shops where I've worked use your initials as your user id. If your name is
John Paul Jones your Id is JPJ. So hiding the Ids doesn't buy much (IMO). One
former shop gave me ISOSO10. All the user Ids were like that. It *did* obscure
the owner of the Id, but on the other hand you couldn't ever tell who was who.
Also know of military shops who create sequentially numbered Ids (e.g. A001,
A002, A003, etc.) and equate them to a job position. If you start out as a
buck private using A030 and you get promoted you would get a new ID, A025 for
example. Whatta maintenance nightmare. IMO you shouldn't worry about hiding
IDs but rather concentrate on them not being (ab/mis)used.
Cheers, Larry