Unix userid conventions

Barry Shein bzs at bu-cs.bu.EDU
Sat Mar 7 11:48:42 AEST 1987


What are the arguments that non-mnemonic userid's were more secure?
I've never heard that. Is it because it gives a system hacker
something easier to remember to bash passwords at? User id names are
almost always readily available from the (print out) trash cans, but
perhaps it gives a somewhat easier target to guess at from the outside
(of course, they're only gonna bash at 'root' anyhow...)

I always thought the motivation for large systems to use those
automatically generated userids was simply to make their life easier.
On a large system it's hard to come up with a unique name and
collisions are likely so you can go back and forth with a user for a
while ("whaddya want?" "bob" "nope, bob's taken" "uh, bobm" "no, bobm
is taken" etc.) This could clog a bureaucracy. Are you sure you're not
dealing with some sort of cargo cult? Does anyone remember why they
started that automatic userid business?

We solved that on the student systems by writing a little program
which runs dedicated at a terminal and lets you fill out a "form",
among the questions is "what user name do you want?", it then checks
if it's unique immediately and, if it is, reserves it immediately
otherwise asks again. The entries are batched together and checked
over later for inclusion in the passwd file (both the "batch" file and
passwd file are checked for exclusivity.) No big deal, grep goes a
long way here (and a lock.)

You could argue back that if they insist on consistent naming then
once someone has one userid they have it for all systems (and could
try the same password, not that wild a guess if they have the
password.) It's dumb, but what the heck, it throws it back in their
court.

	-Barry Shein, Boston University



More information about the Comp.unix.wizards mailing list