Home page logo
/

basics logo Security Basics mailing list archives

Epithet
From: Steve.Kirby () sealedair com
Date: Tue, 2 Dec 2003 15:36:42 +1000





To the list:

We are currently developing a meta-directory project. One data element that
we may now be able to re-define, is that of a User's Identification (UID).

There are many 'schools of thought' about what should, or should not make
up a UID. Do you include all or part of a person's name, do you use
initials, what about an employee number (and what if they're a contractor
without one)? The permutations are endless.

Having worked for many years in administration of systems,  I tend to think
you should be able to derive who the user is - so you can ring them....
just as you log them off!  But is it necessary to identify the user easily?
Could a seemingly nonsensical code be used to preserve anonymity? Is a
jumbled UID a better deterrent against someone trying to forge an identity
into our systems because they wouldn't know how it was made up or verified?

The questions are almost endless, but I would be very interested to hear
from others about their experiences or thoughts. No names, no packdrills,
but examples of how UIDs are made up or UIDs you've come across would be
gratefully accepted.

Regards,

Stavros

or should that be GX78F2792?


---------------------------------------------------------------------------
----------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault