067 - 7.4 Standards for Usernames


Oracle Security
By William Heney, Marlene Theriault
Chapter 7.  Developing a Database Security Plan

7.4 Standards for Usernames

There are several different types of standards for usernames. What username standards will you enforce at your site?

7.4.1 Advantages and Disadvantages

Let's consider a uniform approach for usernames across systems within a company. Such an approach has several benefits:

  • It is easier to administer than randomly generated usernames or usernames selected by the user.

  • It ensures that the username will be the same for each operating system, each database, each application, and for email interaction.

  • It can require the inclusion of specific characters or numbers within a username, so a standard makes it easier to ensure that those requirements are always met.

A possible disadvantage to having a username standard is that anyone who has been associated with the company may have enough information to be able to determine any employee's username easily.

7.4.2 Suggested Username Standards

When a username is constructed from part or all of a person's actual name, it is easy to remember; you only need to know the standard to determine what the username is or will be. An example of a standard using parts of a person's name as a username is:

  • The first three letters of the person's first name

  • Plus the first letter of the middle name

  • Plus the first four letters of the last name

  • Plus a designating number at the end to fulfill the requirement of some operating systems to include both alphabetic and numeric or special characters in a username

The name Mary Lou Janes would be translated to the username marljane1.

Following this standard would make all usernames a maximum of nine characters long. You could go one step further and give special significance to the number chosen. The number "1" could be used to indicate that this is the first employee to have a particular username. If more than one employee has the same first and last name, the first employee would receive the number "1," while the second employee would receive the number "2."

If more than one employee has the same first, middle, and last names, the standard would need to include exception handling. The final username for an employee named Ralph Kenmore Scott might be ralkscot1. A second employee named Ralph Kenneth Scott would end up with the username ralkscot2. A third employee whose name is Raldania Karen Scott would end up ralkscot3. Since this is a potential problem with username standards, we recommend including a further identification mechanism like a comment line designating which username has been assigned to which user. The publication of usernames within a company private phone book helps to distinguish who has which username.

In the case where a user's actual name is shorter than three letters for a first name or last name or where no middle name is present, the username would be shorter than the nine alphanumeric characters normally used. The standard would outline possible exceptions to be allowed. Thus, Ed Bin (no middle initial) would receive the username edbin1.
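The standard described above, including the designating number and the short-name exceptions, can be expressed as a short routine. This is an added example, not code from the book; the names base_username and UsernameRegistry are hypothetical, and stripping non-letter characters and keeping a per-base counter are assumptions about how a site would implement the rule.

```python
import re


def _letters(part):
    """Lowercase a name part and keep letters only (assumption: punctuation is dropped)."""
    return re.sub(r"[^a-z]", "", (part or "").lower())


def base_username(first, middle, last):
    """First 3 letters of first name + first letter of middle name + first 4 of last name.

    Short or missing parts simply contribute fewer characters, as in the Ed Bin case.
    """
    return _letters(first)[:3] + _letters(middle)[:1] + _letters(last)[:4]


class UsernameRegistry:
    """Assigns the designating number and records who holds each username.

    The `assigned` mapping plays the role of the "comment line" the text
    recommends: it tells ralkscot1, ralkscot2 and ralkscot3 apart.
    """

    def __init__(self):
        self.assigned = {}      # username -> full name of the holder
        self._next_number = {}  # base -> next designating number to hand out

    def assign(self, first, middle, last):
        base = base_username(first, middle, last)
        if not base:
            raise ValueError("name contains no letters")
        number = self._next_number.get(base, 1)
        self._next_number[base] = number + 1
        # Note: a number above 9 makes the username longer than nine characters;
        # the standard on this page does not say how to handle that case.
        username = f"{base}{number}"
        self.assigned[username] = " ".join(p for p in (first, middle, last) if p)
        return username


if __name__ == "__main__":
    registry = UsernameRegistry()
    # Names taken from the examples in the text.
    for name in [("Mary", "Lou", "Janes"), ("Ralph", "Kenmore", "Scott"),
                 ("Ralph", "Kenneth", "Scott"), ("Raldania", "Karen", "Scott"),
                 ("Ed", None, "Bin")]:
        print(registry.assign(*name), "->", " ".join(p for p in name if p))
```
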

You might also want to consider having different standards for usernames for different types of accounts. Perhaps you could have one or more of the following types of standard formats:

  • User accounts that do not own objects

  • Accounts that do own objects (schema accounts)

  • Accounts that belong to DBAs and/or security managers


Oracle Security Handbook : Implement a Sound Security Plan in Your Oracle Environment
ISBN: 0072133252
EAN: 2147483647
Year: 1998
Pages: 154
