Beta

Slashdot: News for Nerds

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

User Naming Practices?

Cliff posted more than 12 years ago | from the mangling-yer-moniker dept.

Unix 109

Kymermosst asks: "Recently, this post was made to comp.sys.sun.misc, and sparked a large debate on the subject of usernames. What standardized user-naming schemes are used out in the 'real world,' if any? Has any company's scheme become a security risk due to its predictability? Were any benefits gained by using any particular system?"

cancel ×

109 comments

recent change here (2, Insightful)

LuxFX (220822) | more than 12 years ago | (#3511336)

We've recently changed from a <first initial><first six letters of last name> scheme to the <first name>.<last name> scheme, and it's generally been a pain because of 1) the extra typing, and 2) we now must know exactly how to spell those long and difficult last names, instead of just needing to memorize the beginning six letters.

As for a security issue, I would say the <first name>.<last name> scheme would make it easier to get back at a certain individual, but not so practical for automated actions. For instance, if your least-favorite person in the world is at john.doe@company.com, it would be easy to direct every piece of SPAM into the world to his email box with only the basic knowledge that he works at company.com.

Re:recent change here (3, Insightful)

J'raxis (248192) | more than 12 years ago | (#3512152)

Actually, the first-name/last-name scheme makes dictionary-attack spamming extremely simple. Spammers dont care if they hit 1,000,000 bad addresses, all they care about is getting a few through...

aaron.aaronson@foo.bar,
abel.aaronson@foo.bar,
abraham.aaronson@foo.bar,
adam.aaronson@foo.bar,
...

The same goes for a first-initial/last-name scheme (aaaronson, baaronson, caaronson, etc.), and any other similar scheme.

Re:recent change here (0)

Anonymous Coward | more than 12 years ago | (#3516916)

Better yet (if you are a spammer or someone with poor memory) are Lotus Notes systems.

Notes will automatically make a best guess at usernames -> people mapping based on information in the directory. So, "aaron.aaronson@foo.bar" and "aaaronson@foo.bar" will both get delivered to Aaron Aaronson even if the published e-mail address is "J'raxis@foo.bar" or something.

last name first initial (0)

Anonymous Coward | more than 12 years ago | (#3511339)

with a name like here it is last name then first initial, so i am browne cool huh

Re:last name first initial (1)

caca_phony (465655) | more than 12 years ago | (#3512014)

just wait till Ken Chin gets hired

Re:last name first initial (1)

Mathness (145187) | more than 12 years ago | (#3512534)

And from People.com they had to fire Flungpoh Woo.

Re:last name first initial (1)

koogydelbbog (451219) | more than 12 years ago | (#3516591)

we used this in my last job. Tom Farr wasn't best pleased...

andy

Security risk? (5, Funny)

bconway (63464) | more than 12 years ago | (#3511359)

No way. However, the IT group was kinda surprised that Steve Lutz insisted on keeping with the first letter + last name naming scheme. I shit you not.

Re:Security risk? (3, Funny)

watchmaker1 (540289) | more than 12 years ago | (#3512459)

My first name is Chris, My last initial is T. In the entire several hundred person staff full of people with first name last initial, I was the only one with a different username, as the ultra religious sysadmin manager refused to create me the login "christ".

Re:Security risk? (2, Funny)

jo42 (227475) | more than 12 years ago | (#3513137)

Once we had a guy named Bob O. I didn't set him up as "bobo@"...

Re:Security risk? (1)

sysadmn (29788) | more than 12 years ago | (#3518513)

Don't forget Mary Elizabeth Cummins, who went to Georgetown. Georgetown uses (used?) First six of last name + first initial + middle initial.

Re:Security risk? (1)

jjsoh (466262) | more than 12 years ago | (#3520046)

We once had a user named Yoyo (she was Taiwanese and I work for an Asian company). Her name in itself is kind of weird, but her last name was Yang. So, her email was 'yoyoy@...

Not that it's really funny, but I thought it was pretty unique. Still, I guess it can be tricky if you try spelling it out for someone over the phone.

Options (2, Interesting)

sydb (176695) | more than 12 years ago | (#3511362)

Employee number. Benefits: Unique, ties into company systems. Drawbacks: Difficult to remember (especially if your not the relevant employee).

Some combo of the employees name: e.g. initialsurname: mpacey (me). Benefits: Easy to remember, even if your not the employee. Drawbacks: duplicates - jsmith (though you can always have jsmith001-999.

I know of no other systems that I'd consider useful for large numbers of users.

Re:Options (0)

Anonymous Coward | more than 12 years ago | (#3513245)

I've seen first four letters of the person's first and last name. Like johnsmit. It would solve some of the dupliacte problems. It also isn't hard to remember.

The downside to it is it might look a little funny for some names, not mine though, my first and last name are both four characters long! :)

Re:Options (0)

Anonymous Coward | more than 12 years ago | (#3516487)

Anonymous Coward says "my first and last name are both four characters long! :)"

You count funny! Wouldn't you be "anoncowa"?

sequential is a bad idea (2, Interesting)

linuxbert (78156) | more than 12 years ago | (#3511367)

A community Freenet i am a member of uses sequential userid's in the aa001-zz999. it becomes really easy to spam members as all you have to do is vrite a looping incramental script and you can hit 60,000+ id's

at work im the first 6 chars of my last name 1st initial. it works, except for the boogerj@.. :)

Re:sequential is a bad idea (2)

Sentry21 (8183) | more than 12 years ago | (#3511634)

at work im the first 6 chars of my last name 1st initial. it works, except for the boogerj@..

And I thought mine was bad. dudey@... (D. Udey) is either read as 'dude y' or 'doodey', neither of which is particularly fun. fortunately, 'danudey' is a short enough username for any system I've ever used.

You could always go for entirely nonsensical names. My UNB ID is 'd93w4'. the 'd' has nothing to do with my name (a friend of mine whose initials are ajb has 'o284e'), the 93 has nothing to do with the date I enrolled (2002), and I can't even think about what the w4 might mean but doesn't. As near as I can tell, it's pretty much either random or incremental somehow. Go figure.

--Dan

Network Solutions had the best scheme (2)

ConceptJunkie (24823) | more than 12 years ago | (#3511371)

Set up an e-mail account for every domain owner. Use a password based solely on the domain name. Mass e-mail everyone to let them know, and make sure it's "opt-out" rather than "opt-in". Sit back and watch the wackiness.

the age old debate ... (4, Interesting)

reaper20 (23396) | more than 12 years ago | (#3511379)

We use a combination of first.last, first 6 from last name then first initial, and, first.MI.last.

They all suck, I like Jedi names, first three of last name, and then the first two of the first name. Works remarkably well.

Re:the age old debate ... (1)

StressedEd (308123) | more than 12 years ago | (#3511418)

Heh heh,


I liked that one. I tried that out with everyone I know and:

It works pretty well

It's funny


You've got my vote...

Re:the age old debate ... (2, Funny)

alphaseven (540122) | more than 12 years ago | (#3511481)

Jedi names, that's works well with me and most people i know too... where did you get that nameing scheme from?

Re:the age old debate ... (0)

tps12 (105590) | more than 12 years ago | (#3511556)

I like Jedi names, first three of last name, and then the first two of the first name

That would make me vowel-free.

:(

Re:the age old debate ... (1)

ealar dlanvuli (523604) | more than 12 years ago | (#3512235)

aaron's and myers could mess that up me thinks

Re:the age old debate ... (0)

Anonymous Coward | more than 12 years ago | (#3522568)

Yah, but then my login name would be "jacmi". Just what we want on our corporate contact info, onanistic email addresses... ;-)

Our system (2, Interesting)

Anonymous Coward | more than 12 years ago | (#3511390)

Until recently my company had firstname_lastname, which was pretty annoying in many instances (such as email forms that did not allow _, or the fact that our Blackberries only have _ in the special characters section). Recently we switched over to firstname.lastname. Ready for the scary part? In the event of a clash, they go to firstname-middleinitial.lastname. So your email really could be john-p.smith@blahblah. Ewwww. Why they couldn't use .middleinitial. is beyond me.

Eons ago (1997 ish) I helped my company get internet email. We went with first letter+lastname. Except for this lady "Sridevi Sureshbabu", we thought it would be a little awkward for her to type ssureshb (Lotus having an 8char limit) so we just made her name sridevi. Sure enough, she complained that her name was different from everybody else's. Most geeks I know these days used to consider having just firstname@company.com be a badge of honor!

Re:Our system (5, Interesting)

Permission Denied (551645) | more than 12 years ago | (#3512178)

firstname_lastname, which was pretty annoying in many instances (such as email forms that did not allow _, ...)

This is highly annoying.

We have a very cool sendmail setup - it interfaces with our directory database, so, while my username is "flastnam" (first initial, first seven of last name), I get mail to f-lastname@, first-lastname@, first.lastname@, lastname@, etc. Ambguities are solved by bouncing the email, with a friendly message explaining exactly how our system works.

We have another neat feature with our sendmail setup - you can append a plus sign and any arbitrary string to the username part of your email address. So, Sybase thinks I'm lastname+sybase@domain.com, Amazon thinks I'm lastname+amazon@domain.com, etc. I now get zero spam and even I've caught one company selling my email address (and that email address was promptly procmailed away, for good).

The annoying part? Stupid, idiotic web programmers who've never heard of rfc822. They don't think the plus sign is a valid character for an email address. In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address. For some reason, these web programmers write their regular expressions to only include certain characters, rather than to exclude the illegal characters. To these web programmers, I say: read rfc793, especially section 2.10. Your "security" principals are unsound: you shouldn't be passing any user input to anything that might interpret it as a shell command (can happen in perl if you're not careful), and SQL statement (happens in a lot of php code that I see that doesn't use addcslashes() or friends), or be putting your user input anywhere near an unchecked buffer (poorly-written C programs).

But enough of the rant. The non-rant portion of this message is that you might want to investigate separating your email address namespace and your username namespace. We do this, and it's quite nice.

Re:Our system (3, Insightful)

toast0 (63707) | more than 12 years ago | (#3512364)

Quoth the poster:
don't think the plus sign is a valid character for an email address. In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address. For some reason, these web programmers write their regular expressions to only include certain characters, rather than to exclude the illegal characters. To these web programmers, I say: read rfc793, especially section 2.10.


Well... I for one need to read rfc793 (and any related rfcs), but its is far better ot include only certain characters than to exclude illegal characters for the simple reason that in the event of not including a necessary character, it is easy to fix, when users start bitching. But if you forget to exclude an illegal character, the usual way of finding that out is when your server gets hax0red.

Re:Our system (3, Informative)

dubl-u (51156) | more than 12 years ago | (#3512666)

In actuality, an email address can contain almost anything except '@', a '%' or a '!'. Yes, email addresses can even contain spaces if you quote them: "FirstName LastName"@domain.com is a perfectly valid email address.

I agree with the sentiment, but I don't think that's exactly correct. Those special characters are also allowed under RFC 822 [faqs.org] , just as long as they are quoted.

As a practical matter, both sendmail and qmail seem to allow those characters quite happily. I just sent email from qmail and sendmail boxes to a qmail box with addresses like "foo@@example.com", "bar!@example.com", and "foobar!%@@example.com", and all of them got to the destination machine and were delivered happily.

well, (2)

Beowulf_Boy (239340) | more than 12 years ago | (#3511400)

I am the co-director of my schools tech dept.
We have around 500 students tops. We use lastname_first-name. Mine being an exception, strunk_l , because I added it to the user list cause I am so lazy and log into to many machines in one day.
Also, we didn't standardize early, and many teachers where using last_first-initial to begin with, and since many teachers are very computer illiterate, we decided not to change it. All the students use the last_first though.

It has some problems, such as having two Mrs. Yeagers. So we have Yeager_C1 & Yeager_C2

What I would like to do when update the servers this summer is a better naming convention. I would like Department_Last_First-initial.
Example being Art_Henry_J Although that is what first comes to mind, I may think of a better one soon.

Re:well, (1)

xonker (29382) | more than 12 years ago | (#3513090)

About seven years ago I started classes at North East Missouri State, now Truman University, and we were tagged with random email/usernames like "T867" and "S996" - I worked at a college later that gave faculty and staff firstname+last initial email addresses like "joeb" and so forth - but the students got first initial, student ID, last initial or something like that. I believe the admin had whipped up a script to create usernames and such from a list of students, and they'd do a batch the first week of classes.

You could easily look up email addresses by name using a Web directory, but you couldn't just guess what another student's email address would be.

Re:well, (2)

pangloss (25315) | more than 12 years ago | (#3515928)

what do you do when someone changes departments? what happens when you hire someone who is 50% time in one department and 50% in another? etc. etc.

on a more humorous level, what about when you hire john english to to teach math and/or english? =)
oh better yet, arthur english the math teacher, but of course he goes by art ;)

Passwords (5, Insightful)

zpengo (99887) | more than 12 years ago | (#3511431)

The real danger is a standardized usernaming scheme + a standardized default password scheme (e.g., "password", or same as username). The "It won't happen to me" mindset takes over, and a majority of users never change their passwords. It's easy enough to get into anyone's account on systems like that.

My school did this. (2, Interesting)

smcv (529383) | more than 12 years ago | (#3511875)

They refused to give out usernames and passwords until we'd handed in a signed "I will not abuse these computers" form (signed by student if 18+ and able to sign legally binding documents, parent otherwise). Unfortunately, the usernames were (first initial)(last name) (e.g. jsmith) and the passwords were generated in a deterministic way from (IIRC) username + year of entry.

One of my friends only got round to handing the form in 6 months later, when the IT department noticed he'd never done so despite the fact that he'd logged in with his "secret" password and changed it rather quickly, then checked his mail daily :-)

Another dumb IT department, at my previous school, handed out numeric (4-digit) passwords, which we couldn't change (we were locked out of the relevant Control Panel applet - this was on Win95 + MS Notworking). Someone happened to notice that they seemed to go up in alphabetical order, and put 2 and 2 together - it turned out they were our pupil numbers, as printed next to our names on the register. Since in my class the pupils did the register more often than the teacher (he taught Art, what can I say), that wasn't a great plan.

some schemes i've seen.... (3, Interesting)

jeffy124 (453342) | more than 12 years ago | (#3511465)

-my school uses initials + two digits (William J Clinton -> wjc33)
-the CS dept systems use [u|g] (meaning undergrad or grad) + first initial, lastname, max N chars (uwclinto, uwclint2)
-there's the popular first initial, last name, digits as appropiate, up to N chars (wclinton, wclinto2)
-i've also seen first initial, middle initial, last name (all up to 6 chars), then a 2 digit number as appropriate (wjclin, wjclin2, wjclin11)

I've never seen first.m.last as login names in actual practice. I have seen them used as aliases for email addressing, but not the actual loginname.

as for which is the best scheme, it really depends on the size of the organization, IMO, and the size limit on the username field. If anything, that size limit will be what makes it tough.

As for usernames causing a potential security risk, one thing you can do is disable direct root login (ie, require su, even at the console), then log who's using su.

Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)

Lastly, always change default passwds and, if appropriate, disable guest logins.

Re:some schemes i've seen.... (1)

aderusha (32235) | more than 12 years ago | (#3511687)

FWIW - you can do what you suggest in NT, but it's easier just to rename the Administrator account to something innocuous.

For NT (2)

devphil (51341) | more than 12 years ago | (#3511775)

Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)

Actually, you could just rename the account. The "home directory" still points to the same directory paths, but those are stored in the registry and can be tweaked if you really feel the need.

Re:some schemes i've seen.... (1)

argel (83930) | more than 12 years ago | (#3512654)

Under NT, disable "Administrator" login, and give an alternate loginname administrator rights. (note: I'm not sure if this can actually be done)

That's a bad idea! What is to prevent someone from repeatedly trying to login as your administrator account until said account is locked??? And then what do you do if your policy is to leave accounts locked indefinitely? Even a few hours before the locked status is reset could be a huge problem. The answer is that you can login to the local administrator account from the console even if the account is locked.

UNIX isn't the only OS to assign certain privledges to accounts with special ID's. As others suggested, rename the account if you are that worried about it and then create a new account (disabled, in the guest group, with random garbage for the password).

Re:some schemes i've seen.... (2)

schnurble (16727) | more than 12 years ago | (#3518010)

Ah, sounds like Drexel to me.

Don't forget the old way of forming usernames, before the wjc33 format.

Mine was (and still is, since somehow I'm still an active student) st966f7k.

ST - Undergrad. SG for grad student.
96 - year I started Drexel.
6f7k - apparently the result of a hash function of your SSN. I've not looked, but possibly md5 or somesuch.

Of course, the next year, they started the cccnn format.

-j (ujdisher@mcs, st966f7k@post, mug@drexel.edu)

Re:some schemes i've seen.... (1)

jeffy124 (453342) | more than 12 years ago | (#3518593)

funny you mention that, Drexel IS where I go to school. yeah, the st95xxxx was a big whack job. Cant imagine trying to remember friend's addresses using that (actually, I do know some people with those usernames, thank god for aliases!).

Let's see, you started in 1996, probably a 5-year CS student. You probably graduated last June (a guess). I think they keep accounts active for one year after graduating, which would be why your account is still working.

How NOT to do it (5, Funny)

Dimwit (36756) | more than 12 years ago | (#3511486)

When I was working in Europe for a while, we had an IT director who assumed that he knew everything possible about Unix. (It should go without saying that he didn't.)

When I was hired on, I promulgated the first initial+last name standard. Considering this company was around thirty people, and was never expected to grow past about forty-five, this scheme seemed to work well.

However, he threatened to fire anyone who didn't use his standard: first letter of first name + second letter of first name + first letter of last name!

Now, with my scheme, we had zero collisions. With his, we had about four. His solution?

first letter of first name + third letter of first name + first letter of last name! And so on...

Never work for these people, they're insane...

Re:How NOT to do it (3, Funny)

bluestar (17362) | more than 12 years ago | (#3512687)

I kinda like this idea. Except I'd make it first two letters of first name + first two letters of last name.

And then I'd change my name to Robert O'Toole.

Robert O'Toole ("root") is taken (1)

yerricde (125198) | more than 12 years ago | (#3516406)

And then I'd change my name to Robert O'Toole.

Taken by a lawyer [robertotoole.com] .

Re:How NOT to do it (1)

shippo (166521) | more than 12 years ago | (#3516335)

I may have dealt with him myself! :)

A few years ago I had to email a number of people at one company. Most names were in the format jbloggs@company.com, so they were fairly easy to remember.

However this person's email address was 'xx' followed by the first letter of his first name, the last letter of his first name, the first letter of his surname and finally the last letter of his surname. No one else at the UK arm of this company appeared to use such a scheme.

Problem with names... (3, Insightful)

singularity (2031) | more than 12 years ago | (#3511516)

I am a person who does not go by my actual first name. Indeed, the name I go by is not actually listed on my birth certificate. The first initial of the name I go by does not match the first letter of my first name, either (I go by Hank Zimmerman, and my name is actually Charles Zimmerman)

There are quite a few people like me. I always find it a problem when someone wants to use my first name as part of my log-in/email address.

In a business setting, it means explaining why the name in the email address does not match the name of the person they just met. For all contacts, it means that the person trying to email me needs to remember my *real* name.

If a system is put in place such as last_name.first_initial or first_name.last_name, do not simply go by the name listed according to the HR department.

Re:Problem with names... (-1, Offtopic)

Anonymous Coward | more than 12 years ago | (#3511637)

Yeah, whatever you say, "Hank"-- if that's your real name.

Re:Problem with names... (2)

NoMoreNicksLeft (516230) | more than 12 years ago | (#3512590)

Crackmoderation strikes again.

Guys, advice like this is relevant to the question asked. What *is* on topic here, if not someone pointing out flaws in a common account naming scheme?

TLA (1)

forehead (1874) | more than 12 years ago | (#3511522)

Three letter intials work pretty well for user bases less than a few thousand. The vast majority of the time, users get their birth initials. In cases where people do not have a middle name, fill it in with an uncommon letter (e.g. x). When there is an overlap, other variations like the first two letters of the first name, and last initial (or simmilar).

The user names are short, which makes them pretty easy to remember. They generally have some reasonable association with the persons name (which also makes them easy to remember). Plus, there are a variety of schemes to use in case of a collision.

Of course it isn't perfect, and some people will end up with wacky intials, but that is a very small percentage of the time. If the number of anticipated users is too large of a scheme like this, add the department as part of the domain (e.g. abc@art.university.edu or foo@pld.company.com).

I have the answer. (4, Informative)

His name cannot be s (16831) | more than 12 years ago | (#3511579)

I've often wrestled with this too.

One company I've workded for was quite good about comming up with the usernames for people, and keeping them unique:

use up to 4 characters of their last name+the last 4 digits of their social security number.

Works great. Everyone can remember their own, and I've never seen a duplicate. (sera7492)

!S

Re:I have the answer. (4, Insightful)

Anonymous Coward | more than 12 years ago | (#3511652)

use up to 4 characters of their last name+the last 4 digits of their social security number.

There are a lot of places which use the last four digits of the SSN for identity verification. I'm not sure I'd like to have it be part of something as public as my email address.

Re:I have the answer. (3, Interesting)

Rick the Red (307103) | more than 12 years ago | (#3512309)

Yeah, major security boo-boo. I worked at a place that used your initals plus the last for digits of SSN. It daily re-affirmed that workers are no more than a number to them. Working there felt like THX1138 [imdb.com] without the drugs.

Re:I have the answer. (1)

LuxFX (220822) | more than 12 years ago | (#3518308)

indeed, I was asked the last 4 digits of my SSN as a verification during a phone call less than 24 hours ago

Re:I have the answer. (0)

Anonymous Coward | more than 12 years ago | (#3512274)

The school I went to used that scheme (first 4 chars of last name + last 4 digits of their SSN). They also used s+first 7 digits of SSN for the default password. Combine that with a security hole to get the encrypted password file, and a few hours with a password cracker... It still took a long time for them to be convinced to not activate all the accounts anymore.

Re:I have the answer. (2)

Tower (37395) | more than 12 years ago | (#3512281)

At my wife's college, they use (First initial)+(Middle Initial)+(Last Name)+(last four SSN + last four student #)...
so you end up will WHGates6666... of course, at my previous school, your student # *was* your SSN... This seems to work fairly well, but I wonder why they bother with adding the ssn if they already have a (nearly) unique student#... there aren't very many people with the same name that would get the same last four digits (being that there are far less than 10k students there at a time)...

Re:I have the answer. (2)

extra88 (1003) | more than 12 years ago | (#3513228)

I know of one which uses the first,middle,last initials + last 4 SSN format. Currently I know of 9 collisions there (they add a letter after the numbers to resolve). Their solution to resolve the collisions has problems of its own. Occasionaly people write code expecting the AAAXXXX format or have a 7 character entry limitation which prevents those people with the letter from logging in.

I think what increases the chances of a collision is if someone doesn't have or use their middle name, they use 'x' in its place. People from a lot of different cultures don't have middle names so if there are a lot of foreign students (like at a tech school), the chances of collision increase. Now that I think about it, those foreign students don't have SSN's so whatever they use to substitute for SSN's may increase the chances of collision as well.

Schools which receive federal funding (i.e. all of them) were supposed to stop using SSN's as unique identifiers years ago but many still do.

Re:I have the answer. (1)

MaufTarkie (6625) | more than 12 years ago | (#3512508)

We do this at my Uni, but we use the last four of our internal database's person id instead of the social security number. We started doing it three years ago when we got a new CIO -- he claimed that at his last job they never had a collision (with over 10,000 students) in a long period of time (I can't remember how long off the top of my head). However, in the last three years, we've had two, and we have far less students than that.

Still, it's better than our previous method. Far less collisions, even if the usernames look like AOL/Hotmail/Yahoo! logins.

Re:I have the answer. (2)

NoMoreNicksLeft (516230) | more than 12 years ago | (#3512631)

Better, would be 2 letter initials + random 4 digit number. Soc Security #'s would be bad, as would any incrementing scheme. Though, I've worked at a few Fortune 10 companies before, they *might* start having namespace problems there (4 digits is 10,000 possibilities). I don't particularly like 3 letter initials though (some people don't have them) or 5 digits (starting to go overboard). I definitely don't recommend dropping below 4 digits, even in a small business enviroment. 4 digit random number makes it tough to even guess the account name, at least until that starts filling up.

Re:I have the answer. (1)

RevDobbs (313888) | more than 12 years ago | (#3515008)

I've found the best email name is in the form of:

..---

At the very least, I know that my credit has gotten a lot better since I've implemented this system at work...

Systems used where I studied and worked (2)

Papineau (527159) | more than 12 years ago | (#3511580)

First, schools:
High-school: Only XTs. No network. No login. Only bootdisks.
College: Student number. The email was the same.
University:
Department is Initial+Lastname (eg, jdoe). The duplicates are labeled jdoe, jdoe1, etc.
Faculty is 3FirstLettersOfLastName+Initial+Number, as in doej01.
Lastly, the University introduced a campus-wide login. I think it involves the year in which you began to attend classes here, along with a variation of your name and a sequential number (along jdoe9901).
There's also a campus-wide email system, different from the previous, where the username is your student number, but you can choose an alias which is a variation of your name: jd1, johndoe, jdoe, doej, john.doe and maybe others.

Work places:
The first one was the same thing as my faculty (jdoe01).
The second one had the employee number to login, but you also had an alias for email based on your name. The translation from name -> alias wasn't constant, though, so you had to lookup in the employee list (~50000) to know the email address of somebody.
Lastly, another one was mostly only the firstname. The company wasn't very big (~250), and it wasn't uniform at all. I heard that it changed since I left, with emails being firstname.lastname, but I don't know about the usernames.

And of course, my own systems:
There's my normal user (firstname), and root. Although I'll probably change root for something meaner.

Those are my experiences with usernames. Hope it can help somebody find their best choice.

Let User Decide (2)

4of12 (97621) | more than 12 years ago | (#3511585)

My company's scheme produces really sucky names.

I'd like to have the flexibility to pick my own username along the lines of short first name handles ("gus"), or 3 letter acronyms ("rtm"). But, no, we get a standardized way of butchering things into mostly unique but guaranteed unpronounceable gibberish.

It would be good if there was a web based client that allowed people to pick any unused, inoffensive name.

We have web based interfaces for helping to pick new passwords - why not usernames?

Finally, as networked directory services become more commonplace (LDAP, etc.) the username seems to have diminished importance to the position it had many years ago. Not such a big deal.

Re:Let User Decide (1)

ThinkingGuy (551764) | more than 12 years ago | (#3511868)

I've been supporting the idea of letting people choose their own usernames for a while now, after working in a large company that uses the 1st initial - lastname convention.
My main reasons:
1) People often change their names, especially women who get married or divorced. A user-chosen handle shouldn't ever have to be changed
2) Usernames based on real names usually end up with collisions. If you have 4 people named S. Johnson, you can have sjohnson1, sjohnson2, etc. But then when the first S. Johnson leaves the organization, sjohnson3 will want to know why she can't have her username changed to "just sjohnson"
3) Instant messaging and certAin OnLine services where people get to choose "creative" handles, have become so commonplace that carrying over the convention to a business or academic environment shouldn't be too difficult, even to those ouside geek culture.

Re:Let User Decide (1)

Drishmung (458368) | more than 12 years ago | (#3522078)

After long debate, that was what we decided at a previous employer of mine.

People change their names, for many reasons, none of which are the employer's business. Marriage, divorce. etc. In some circumstances, someone's previous name may become deeply offensive or distressing to them.

Some people are only ever known by their nicknames.

Other examples abound.

Names are important to people. The employer has no business is saying (effectively) "We're going to call you Bruce!" (Cue Monty Python reference here).

We did however have a few extra rules that had to be applied.

  1. First come, first served. No exceptions. If your preferred username is taken, choose another.
  2. No re-use of the username. Ever.

Also important to understand that this was the username, which is not the same as the email address.

For email, we had another set of rules.

  1. Right to have the email address 'unlisted' (not appear in the LDAP directory)
  2. Default assigned name was firstname.lastname, disambiguated with initials if necessary.
  3. Multiple email addresses were permitted (one was marked 'primary'). Users could choose multiple aliases if required.
  4. Again, first come, first served.
  5. No reuse, ever

CDC (5, Interesting)

rubinson (207525) | more than 12 years ago | (#3511596)

My girlfriend used to work for the CDC in Atlanta; my stepmother still does. They use one of the more bizarre naming conventions that I've seen: inital letter of first name, random middle initial, initial letter of last name, increment number.

This works fairly well for my stepmother who doesn't have a middle name. She became "dxh4 at cdc.gov." For years I thought that they gave her an "x" because she doesn't have a middle name.

I learned differently when my girlfriend -- Nisha Bipin Gandhi -- became a nag. Specifically, "nag3 at cdc.gov." Needless to say, she got a lot of teasing for that - especially from me.

They've recently started assigning more reasonable email address based upon initial letter of first name and last name but all of the old user names are still floating around.

One way that worked (2, Insightful)

gi-tux (309771) | more than 12 years ago | (#3511632)

I used to work at a large medical institution. We had a large population of female employees, and as such had employees undergoing name changes quite frequently (marriage and divorice, etc). To overcome this issue we quit using last names in the username totally. We used the first 5 characters of the first name and a 3 digit sequence number.
This carries with it the problems of remembering your username, but with everyone wanting to keep their username matching their current last name, we were changing about 20 usernames a week on about 30 systems.

Odd Scheme. (1)

Hank Reardon (534417) | more than 12 years ago | (#3511668)

I worked for a company who used a 5-2 scheme.

The first five letters of your last name followed by the first two of the first name was your login.

A guy who used to work there by the name of Les Hedrington had "hedrile" as his.

It was confusing, at first, but they had a suprisingly low number of duplicates.

let the employees choose. (1)

Zurk (37028) | more than 12 years ago | (#3511711)

whatever happenned to letting employees make decisions ?
just give em a choice of first letter of first name+MI+first letter of surname or let them choose on their own.
a 3 letter email+login is dead simple to remember. add numbers if required.

Just... (5, Funny)

Tom7 (102298) | more than 12 years ago | (#3511768)

Just use a 128-bit hash of the person. That way, user ids are unique, easy to calculate, but hard to guess.

Re:Just... (1)

schon (31600) | more than 12 years ago | (#3512298)

Just use a 128-bit hash of the person. That way, user ids are unique, easy to calculate, but hard to guess.

Not to mention remember :o)

Re:Just... (2, Funny)

Trinn (523103) | more than 12 years ago | (#3512947)

What...you mean you can't do 128-bit hashing in your head? What kind of geek are you???

Re:Just... (3, Funny)

schon (31600) | more than 12 years ago | (#3513121)

you mean you can't do 128-bit hashing in your head? What kind of geek are you?

The married kind :o)

Any system has to be flexible (4, Insightful)

sclatter (65697) | more than 12 years ago | (#3511899)

As far as using full names goes, the Sendmail FAQ [sendmail.org] explains sufficiently well why that's a bad idea. See Q3.5.

Especially in a corporate environment, people expect to have reasonable looking user names. Most folks won't put up with being sfc123; it just is not professional.

This means that while it's a good idea to have guidelines, you can't be too much of a stickler. If a sales guy was jschmoe at his last three jobs, and all his contacts know his email as jschmoe, then it's really best if he can continue to be jschmoe. Forcing him to be joes341 instead doesn't make anyone happy.

Collisions are certainly an issue, but that's not the only problem. For example, a popular default choice might be first initial last name. Using that standard at one job we ended up with a "pharter" (say it out loud), and at another job there would have been an "aryan". These things just don't work.

Ideally I like to allow users their choice of login. I encourage them to select one of first initial last name, first name last initial, or initials. Every now and then someone will come along and want a login like "coolguy" or something completely random. Depending on the company culture and whether the user is "customer facing" I might be lenient.

I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.

Re:Any system has to be flexible (2)

dubl-u (51156) | more than 12 years ago | (#3512400)

I've worked in organizations up to a few thousand users and this system has worked fine. In a truly huge organization you'd end up having user names that look like AOL, though. Certainly in an educational environment I imagine a more authoritarian system would be warranted.

I don't buy it. The University of Michigan [umich.edu] allows everybody to pick whatever they like. Their system, known as uniqname [umich.edu] , has been running for at least a decade, and they must manage on the order of 75,000 users with a turnover of at least 10,000 per year.

The main reason to go with the hideous names that many places hand out is because it's slightly easier for the sysadmins, no matter that if it's a royal pain for the users.

I laugh especially hard at places that try to encode all sorts of information in the username, especially things like status (faculty, staff, student), school (undergrad or grad, engineering or liberal arts), or year of graduation. That may have been handy back before the invention of the network-connected database. But stuff like that changes all the time; making them change their ID seems much dumber than just looking up their status when you really need to know it.

Things to consider (1)

Alpha27 (211269) | more than 12 years ago | (#3511917)

If you want a system that is easy for all, then using a convention on the name of the user will be helpful. You don't want to create double-duty for the admins, and a scheme where the forgetful users ask the same question about an obstructed convention.

- firstname.[middle-int.]lastname
- FirstletterLastname[year_Of_graduation]
- lastname.firstname

But if you're concerned about security, then you need to think about something else. Anytime you have a converntion system, there is always a possibility of security risk. Look at all the credit card companies, who use their algorithms to make unique numbers, that we can download code off the net to test, and create our own 'fake' numbers. So once you have a convention, there is always the potential for security risk.

If you want to ensure security, you might want to look into something like SecureID, or using time based logins, or some other stuff.

Christ (4, Funny)

yamla (136560) | more than 12 years ago | (#3512095)

My first name is Christopher but I normally go by 'Chris'. And my last name begins with the letter, 'T'. At both my current job and my previous job, that worked out to an email address of 'Christ'.

I am rather amused by this.

Re:Christ (2)

Tuzanor (125152) | more than 12 years ago | (#3512426)

I too had a similar experieance, but my last name begins with an H. what my dept did was assign first minus one letter as neccessary (fucked up, i know).
I, too, got Christ.

Just don't change the old system (2)

bluGill (862) | more than 12 years ago | (#3512549)

My company decided that my login wasn't good enough (set by an old standard), and changed it to fit the new standard. Unix handle it okay, but it took weeks to synchronize all the databases I use (bug reporting system, system outages reports, etc). There are still some databases that I cannot access, but I don't use them anymore and I'm tired of getting things changed. They can deal with the disk space they are taking up.

Just a suggestion (2)

Diamon (13013) | more than 12 years ago | (#3512663)

I haven't seen anyone use this yet but how about first init, last name, last 4 of phone number.

It makes it easy to remember, real hard to come up with duplicates and avoids the problems of Jeffrey Smith who "everyone calls" Jeff. As well as John T Smith and John A Smith which normally become the exceptions to the rule.

But there are still some things to take into consideration. The company I work for (or more specifically worked for before we got bought) had an employee named Pamel Enis. This is where their first init, last name convention went out the window.

Re:Just a suggestion (0)

Anonymous Coward | more than 12 years ago | (#3513398)

The only problem I see with the phone number is, do you really want to give that out as an e-mail address? Personally, I'd rather give out my SSN.

jsmith1234@company.com. Company.com has 555 as a dialing prefix, so John Smith's phone number could be easily derived as 555-1234 with only a few assumptions.

Re:Just a suggestion (1)

Mr. Foogle (253554) | more than 12 years ago | (#3519828)

That's great until your phone number changes. I've had >this number now for two years, but I've been places where I moved every friggn' month or so and my phone didn't move - I just got the one in my new cube.

Re:Just a suggestion (2)

Diamon (13013) | more than 12 years ago | (#3526992)

In that case you set up a forwarder.

But to be honest, any company where you have legitmate outside customer or vendor contact shouldn't be bouncing you from phone number to phone number anyhow. It's a 10 second switch on most PBX's to make your phone number follow you, if your company can't handle that I wouldn't expect them to handle your e-mail address any better.

In my university (Techion, IIT) (2)

epsalon (518482) | more than 12 years ago | (#3512909)

The user names for students used to all start with an 's' and then 7 distincitve digits of the ID number (we have a 9-digit ID number here in Israel, first digit is always zero, last digit is checksum). Very secure scheme indeed.
However, a few years ago the system changed to allow users to pick any login of up to 8 letters starting with 's' when they open their account. They were smart enough to disallow account names starting with 'sys' (I know, I tried ;). Still, we have accounts such as 'sex', 'sexyguy', 'someone', 'site', and my personal favorite: 'sisadmin'.
Luckily, grad students are not required to start their login with an 's'.

My Suggestion (2)

dasunt (249686) | more than 12 years ago | (#3513057)

Assume that the person is John Doe, and their extension is #1234. Then you'd take first initial, last initial, and the extension - jd1234. Should be basically unique, and if you know the person's name and phone number, its easy to guess the email address.

Re:My Suggestion (1)

dismayed (76286) | more than 12 years ago | (#3514655)

Phone numbers change.

Extentions change.

Sorry.

-- wes

Re:My Suggestion (0)

Anonymous Coward | more than 12 years ago | (#3521246)

When I worked as a contractor at Universal Online, my phone number changed three times. It cost something like $200 to move a phone because of the unions, so it was easier to just use whatever phone happened to be sitting at the new desk. I would then have to change my e-mail 3 times, or have a meaningless number that people would no longer be able to easily remember (that knew my phone number). I recommend against the use of phone numbers or other easily changed things in e-mail addresses.

SSNs! (4, Funny)

anthony_dipierro (543308) | more than 12 years ago | (#3513130)

I like using social security numbers. Everyone in the world has them and they're 100% unique. Plus you can use the fact that someone knows their SSN to prove that they are who they say they are.

Re:SSNs! (NOT) (1)

Roadmaster (96317) | more than 12 years ago | (#3513502)

Wrong assumption. I don't have one. Also, while it's hard to know someone else's number, it's not 100% impossible.

Maybe your concept of "the world" means "USA" or something like that?

Re:SSNs! (NOT) (1)

anthony_dipierro (543308) | more than 12 years ago | (#3513551)

Maybe your concept of "the world" means "USA" or something like that?

No, I was being sarcastic.

Re:SSNs! (2)

waldeaux (109942) | more than 12 years ago | (#3525017)

No joke - my both my undergrad and grad school DID THIS, and refused to budge when people complained about it.

an automated solution (2)

dutky (20510) | more than 12 years ago | (#3513212)

you could easily have a username generator that could either keep track of previously generated usernames (an ungainly solution) or construct the username based on some other key (employee ID, for example). the username segments would be selected from a dictionary constructed for the purpose (say a list of canimal and plant names).

My solution might look something like this (assuming that the employee ID is 6 digits long):

  1. construct nine lists of plant and animal names, 10 names in each list, total of 90 names lists
  2. select one plant list and one animal list using the first two digits of the ID
  3. select a plant name using digit 3 of the ID
  4. select an animal name using digit 4 of the ID
  5. digit 5 is used directly in the username
  6. use the final digit of the ID to determine how to combine the two names and the digit to form the username.
The resulting usernames (looking something like rose5dog or 3cowdaisy ) will be reasonably memorable, guaranteed unique and moderately hard to guess by a dictionary attack.

If security is not a concern, however, I would go for the path of least user anoyance and let user's select their names with some feedback from the admin staff (in case the name is already in use or is, somehow, obviously offensive). I don't see any good reason why I shouldn't be able to have dutky or, at worst, jsdutky as my username (I can guarentee that I am the only J.S.Dutky on the planet, so what's the problem?)

Apparently real e-mail addresses (5, Funny)

GregWebb (26123) | more than 12 years ago | (#3513482)

This was doing the rounds a while back. Whether it's at all true I don't know but hey, it's funny ;-)

--------------

Many colleges and business's tend to strip the last name down to 6 characters and add the first and last initial to either the beginning or end
to make up an e-mail address. For example, Mary L. Ferguson = mlfergus or fergusml. They are just now
beginning to realize the problems that may happen when you have a large and diverse pool of people to choose from. Add to that a large database of
company/college Acronyms and you have some very funny addresses. Probably not funny to the individual involved, however:

TOP TEN Actual E-mail Addresses
10. Helen Thomas Eatons (Duke University) - eatonsht (at) dku.edu
9. Mary Ellen Dickinson (Indiana University of Pennsylvania) - dickinme (at) iup.edu
8. Francis Kevin Kissinger (Las Verdes University) - kissinfk (at) lvu.edu
7. Amanda Sue Pickering (Purdue University) - aspicker (at) pu.edu
6. Ida Beatrice Ballinger (Ball State University) - ibballin (at) bsu.edu
5. Bradley Thomas Kissering (Brady Electrical, Northern Division, Overton
Canada) - btkisser (at) bendover.com
4. Isabelle Haydon Adcock (Toys "R" Us) - ihadcock (at) tru.com
3. Martha Elizibeth Cummins (Fresno University) - cumminme (at) fu.edu
2. George David Blowmer (Drop Front Drawers & Cabinets Inc.) - blowmegd (at) dropdrawers.com

..but at No 1, it had to be...

1. Barbara Joan Beeranger (Myplace Home Decorating) - beeranbj (at) myplace.com

Re:Apparently real e-mail addresses (0)

Anonymous Coward | more than 12 years ago | (#3515731)

Kan Wang, UBS Warburg (6 letters from surname, 2 from given name) - wangka

Re:Apparently real e-mail addresses (1)

GregWebb (26123) | more than 12 years ago | (#3520107)

(sorry, meant to post this last night, tried and got told to slow down, cowboy!)

Why doesn't Slash warn me that I'd moderated in this thread before posting? I'm well aware of the moderation rules, but had completely forgotten that I'd modded the thread. The only notification I was given was text coming on screen stating that mods were being undone AS I POSTED.

Really, would be helpful if I was warned by comments.pl that I'd already modded...

Good and easy - First Name Last Name (0)

Anonymous Coward | more than 12 years ago | (#3516306)

Only stupid techs who don't see the real world too often think that first initial 6 letter of last name is any good.

It is difficult for users to remember, and to cryptic for 1st level support to help with. This is a 3rd level problem that always ends up in the hands of the 2nd level tech.

You want easy?

Just use the names that their mother's gave them.

First Name Last Name - like "John Doe" instead of "jdoe" - because what if Jane worked for you?

Sure, when user names are easy to remember, it does pose a threat - both from SPAM and from unauthorized access. That's why you have to enforce a password policy. Use tools like l0phtcrack to ensure that user's passwords are difficult to hit with dictionary attacks.

It's a common problem. (1)

Telecommando (513768) | more than 12 years ago | (#3517550)

Unfortunatly there's no easy solution.
Where I work we went through a series of mergers and takeovers a few years ago and the naming conventions got a little messy.

Originally it was set up as "last name (up to 8 chars), first initial, middle initial"; for an 10 character total length. The only problem we had was with 2 employees with long names that started out similar. I don't remember their names but one ended in "-ski" and the other ended with "-vich." Same initials, too.

After several mergers it was decided to combine the seperate email systems and go to a "first initial, middle initial, last name" (up to 12 chars). And the problems began.

First was the "Smith Problem." We had 4 Dave Smiths, all with middle initial "L" and 3 of them with the middle name of "Lee." Fortunatly one had the nickname of "Sparky" and so was SPARKYSMITH and one agreed to be known as DLSMITHUK, as he was based in the UK. The other 2 were listed as DLSMITH and DLOUISSMITH. We also had several other Smith's whose initials were the same.

This didn't just affect email, it also affected the phone directories, as management chose to have one big directory for the whole company instead of dividing it down into regions and operational areas and listing everyone by just their first and last names.

So we now have many more duplicates: 2 Dennis Millers (with the same middle name), 4 Brenda Petersens, 3 Linda Petersens, 2 Bob Pattersons, 2 Cathy Andersons (and one Kathy Anderson, very confusing), 4 Richard Andersons, 3 Mark Johnsons (and 2 of them are Mark Robert Johnson), 3 Steve Thompsons, 3 James Wilsons, 2 Alan Wrights... and those are just the duplicates I deal with on a regular basis. There are many more. It's not uncommon to have someone call the wrong person on the phone or send an email to the wrong person. Some users in frustration just send mail to ALL the users with similar names and let the recipients sort it out.

It was suggested last year we go to using the employee number for email but the execs balked at that idea. Probably because they can't remember theirs.

For now when we add a new employee whose name is similar to an existing employee we just add a number to the end of the user name, "KLJones2".

So far it's working, for email at least. Phone directory is still a mess, though.

Don't Use... (1)

mumstakovich (521605) | more than 12 years ago | (#3521826)

I can say that Georgia Tech's usernaming scheme pretty much sucks. It works like this:

gt<Letter assigned to the year you entered Tech. For instance, you could have entered during year 'e' or year 'g' recently><three random numbers><random letter>. Believe me, telling people that you're email address is gte172u got a lot of strange looks amongst my non-Tech friends. Of course, my Tech friends just nod, knowingly. :)

NIS restrictions (1)

ansonyumo (210802) | more than 12 years ago | (#3522253)

I have worked at six companies, ranging from 3 - 250 employees. We have all used first initial, last name without many problems. Obviously, you have to get a little creative to resolve collisions. Also, the first ten or so people at a startup typically horn into getting their first names as logins.

The caveat is that NIS has a maximum username length of 8 characters, which sucks. If you are using NIS, keep this in mind.

Re:NIS restrictions (0)

Anonymous Coward | more than 12 years ago | (#3522533)

what is NIS?

Re:NIS restrictions (1)

WeedMonkey (323943) | more than 12 years ago | (#3524130)

google [google.com]

HTH, HAND.

university (1)

dirvish (574948) | more than 12 years ago | (#3522307)

At the university I work at we use first initial then last name. If there are multiple people with that same first initial, last name they start tacking on numbers to the end. I haven't heard of this being a security problem even though it very predictable.

user choice (1)

spectatorion (209877) | more than 12 years ago | (#3522542)

i like user choice. i would have picked my last name, or my first intial at last name, but instead i got my initials followed by three increment digits. it would be quite nice to be able to choose and just giving choice based on first come-first serve. in a university with over 40,000 people, i would still get first initial + middle initial + last name, although we do have a first-come-first serve email aliasing system, so for example the first smith to register gets smith@, there are also firstname.lastname@, firstinitial.lastname@, etc. so the first john thomas smith can get mail at smith, j.smith, john.smith, j.t.smith, john.t.smith, and probably many otherthings. i have decided that i will now put firstinitial.middleinitial.lastname on my resume b/c it looks nicer and easier. the even more annoying things is that people who work as computer admins get whatevertheywant@, although they disabled that as of last year, so although i just got hired, i still have to settle for my initials and random digits as my login, although i can now use a much nicer email alias. oh well...it would probably be hard to transition with so many users in place already. i will bring it up to my boss, though...

The joys of NDS.. (1)

Qube (17569) | more than 12 years ago | (#3525744)

Both at uni and my current employer, it's just firstnamelastname. No length limits, no remembering combinations of character limits, and no collisions so far as you can have the same username in different OUs and it couldn't care less. Chances of having two people with the same name in the same office (each 100 users max) is exceedingly low. At uni they used an OU per entry year per department.

Find it hard to believe that people still run systems with 8-character limits on usernames, yet use the micros~1 gag :)
Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Create a Slashdot Account

Loading...