LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

PostgreSQL 9.3 beta: Federated databases and more

LWN.net Weekly Edition for May 9, 2013

(Nearly) full tickless operation in 3.10

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

usernames

usernames

Posted Oct 29, 2012 12:13 UTC (Mon) by tialaramex (subscriber, #21167)
In reply to: Sunday's kernel releases by ledow
Parent article: Sunday's kernel releases

Let users pick their own username, forbid already existing and recently deleted users, laugh at anybody foolish enough to insist on their forename as they are constantly mistaken for somebody else with the same forename.

Since they are picking the username, they are solely responsible for its perceived meaning if any. If you're dealing with kids I suppose you might thus want to have oversight/ veto.

If absolutely necessary also forbid usernames which conflict with system identifiers, but prefer where possible to simply separate the two namespaces altogether so that it's impossible for either the system or the users to confuse a person with a machine, or an ordinary user with an administrator or other higher power.

While working at a university I selected the username "ruth" (a now rare word meaning roughly "remorse" and the source of the still common word "ruthless") and the associated email address was assigned to me automatically. Over the years I discovered that humans who can't use their email client properly are about as common as automatic systems that are too dumb to know the difference between a username and a person's real name. I received confidential correspondence, invitations, enquiries, bounces, and numerous other emails that should have been sent to (and in some cases, explicitly were addressed to) members of staff with the forename "Ruth". Nobody showed any interest in either fixing the automated systems or retraining the staff, but they did eventually institute a system in which they gave everybody an email address of the form Firstname.Lastname@University. This system had all the flaws you have mentioned above, it fixed nothing, but most likely it made some barely computer literate new VC feel that they could email anybody by guessing at the correct address and then probably blaming "those IT people" when their confidential union settlement proposal was mistakenly sent to a janitor or whatever.

(Log in to post comments)

usernames

Posted Oct 29, 2012 13:19 UTC (Mon) by sorpigal (subscriber, #36106) [Link]

Everyone has this problem and the solution is simple: Guarantee uniqueness by assigning every person a unique number. The problems with this are that people feel numbers to be impersonal (as if most of these schemes are not!) and that numbers can be harder to remember or distinguish from other numbers. Attempts to avoid this problem with clever schemes will, as you point out, lead to trouble[0].

There are no good answers, but here's a bad one that I like: assign each person a name-based username and then *always append a numeric suffix*, so that each name is e.g. firstname.lastname.123@host. Of course you have to deal with the fact that nobody really knows what a name is[1], allow for exceptions and never hard-code this assumption in to any software.

Perhaps the best way to name people is to use something like DNS. A unique number that identifies plus a global name-to-number resolution system, which is non-authoritative and permitted to change over time, geography, etc.. Of course, then you'd need to know he point in time and locality to know how to resolve the name... which is pretty much where we are now.

[0]: http://thedailywtf.com/Articles/The-Automated-Curse-Gener...
[1]: http://www.kalzumeus.com/2010/06/17/falsehoods-programmer...

usernames

Posted Oct 29, 2012 13:31 UTC (Mon) by ledow (guest, #11753) [Link]

Now imagine you have a class of 30 6-to-11-year-olds, all with unique numbers, all waiting to log into the ICT Suite. It's their first lesson, you're the teacher... see how much you get done.

You can't even GUESS at their username, because it's numeric. They won't remember it, even months later. You will have to print little cards with their usernames on, which they will be unable to read until years after they've started (BY LAW!) using computers in a network environment so the teacher has to go around one-by-one logging them in.

Not saying it's insurmountable (it's not - for a start, I push for dongle-logins because it's just easier even if they lose them in the first five minutes), but it's a problem.

Hence why humans memorise alphabetised mnemonics (i.e. a username based on their name) and let the computer convert it to a unique identifier (i.e. user-SID or equivalent).

The only place that gives me a numeric username is the UK's Government Gateway (which also needs several highly-secure passwords and security procedures to access because it lets you do everything from file your taxes to renew your driving licence). And that's been phased out because they get so much hassle with people forgetting their logins and they're planning to tie it into email addresses or social network accounts or similar.

We use usernames for a reason. If I wanted to use numbers, I'd just allocate them a login-dongle of some kind. Good luck tracking down user123127854738's history on all your systems, even if you *do* implement logging and searching. And username auditing (is this account still in use?), and lots of other boring admin tasks which are solved by using some variation of real name even despite the inherent namespace problem.

usernames

Posted Oct 29, 2012 18:01 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

>You can't even GUESS at their username, because it's numeric

Tattoo it on their foreheads. Make it a barcode for easy machine readability.

Duh, that one was easy.

usernames

Posted Oct 29, 2012 13:21 UTC (Mon) by ledow (guest, #11753) [Link]

Erm... Ruth is a very common English first name (and slightly less common surname).

My boss at a previous school was called Ruth, for instance. I know someone in American called Ruth (though she goes by a nickname because Ruth is seen as old-fashioned). And then there's Babe Ruth and other famous "Ruth"s, first or last name. It wouldn't be short-sighted to assume it was a person's name at all. And that's exactly my point. Any system of naming will run into a name from some other place sooner or later.

usernames

Posted Oct 30, 2012 2:51 UTC (Tue) by tialaramex (subscriber, #21167) [Link]

My goodness.

You somehow thought that while I was aware of the existence of a fairly obscure English word, I hadn't noticed it's also a popular name?

I chose the username purposefully. The account which it corresponded to was not of great importance to me (I had other accounts with which to get real work done), so its value as a lesson and example more than compensated for the trouble it caused.

The argument that "it wouldn't be short-sighted to assume that it was a person's name" mistakes the problem. It /would/ be short-sighted to assume that blindly addressing email to "ruth" in an organisation of several thousand people will have any particular effect at all, still less that it will ensure your confidential missive is received by whichever person named "Ruth" you happened to be thinking of when composing it. It would also be short-sighted to create a system which "helpfully" redirects email sent to, say, "Ruth.Smith@University" to a user named ruth on the basis that the email address didn't match anything and maybe this "ruth" account will know what to do with it. It would be even more short-sighted to invent a system which attempts to match named employees to accounts based on the similarity of the username when a perfectly good system for exactly matching corresponding accounts by payroll number already exists. And still more short sighted to write software which treats the human readable part of an email addresss (e.g. the Ruth in "Ruth Stevens" <stevensr@University>) as a username to which the mail should be delivered. And yet all this short-sightedness and more happened.

usernames

Posted Oct 30, 2012 10:32 UTC (Tue) by jezuch (subscriber, #52988) [Link]

> Erm... Ruth is a very common English first name

Slight correction: it's common among English-speaking peoples, but the name apparently is Semitic.

usernames

Posted Oct 29, 2012 14:51 UTC (Mon) by deater (subscriber, #11746) [Link]

my late godfather's surname was "root". I doubt he ever had an account on a UNIX machine, but I've always wondered what kind of troubles he could have caused if he did.

usernames

Posted Oct 29, 2012 18:03 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link]

Is his first name Enoch, by any chance?

(for those missing the context, read Neal Stephenson's "Cryptonomicon")

usernames

Posted Oct 30, 2012 9:29 UTC (Tue) by ghane (subscriber, #1805) [Link]

"Late godfather". Quite sure we are not talking of Enoch here.

--
Sanjeev

usernames

Posted Nov 1, 2012 16:44 UTC (Thu) by daglwn (subscriber, #65432) [Link]

A friend once set up a university e-mail list called "hi."

Much entertainment ensued.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds