[BBLISA] Enterprise user account naming standards?
John Stoffel
john at stoffel.org
Fri Feb 17 14:49:21 EST 2006
Adam> "Eddy Harvey" <bblisa at nedharvey.com> wrote:
>> Is there a reason you need 8 chars or less?
Adam> Yes: POSIX notwithstanding, there is just too much software that
Adam> will choke on usernames longer than eight characters. This
Adam> shouldn't be true, and maybe you're lucky enough that it's not
Adam> true for you, but I'm not willing to take a chance with longer
Adam> usernames because I *KNOW* I'll have to change it down the line.
If you're lucky enough not have many legacy systems at your job, then
you can probably get away with usernames longer than 8 characters. I
seem to remember that Lucent allowed upto 14 characters, which beyond
that it broke some mainframe app.
Mind you, long usernames worked just fine on Solaris 2.6+, but they
didn't display worth beans, which caused all kinds of confusion.
So in a roundabout way, 8 characters is a good limit.
Adam> To a point: Studies have shown that too much complexity and the
Adam> user swill simply write their passwords on slips of paper (and
Adam> probably keep them close to their keyboards).
Hear hear! Make them choose GOOD passwords, but only make them change
them twice a year at most. I have to change every 45 days here at my
current work on the PC side and it's a pain. Most people just permute
the same base password with numbers in there to make it easy to
remember.
It's all social engineering, just look at the comp.risks archives for
examples. Hey, who remembers "Ferris Bueller's day off" and how he
social engineered the username/password to the school computer system?
Same thing still happens today all the time...
John
More information about the bblisa
mailing list