Home page logo
/

basics logo Security Basics mailing list archives

Re: Epithet
From: Alexander Lukyanenko <sashman () ua fm>
Date: Tue, 2 Dec 2003 21:53:02 +0200

Hello Steve,
SKsc> We are currently developing a meta-directory project. One data element that
SKsc> we may now be able to re-define, is that of a User's Identification (UID).
That depends on many things, the first that comes to my mind, is where
would the UID be stored on the client side.
If the UID will be in a smart-card, USB pen drive or such, it would be
OK to use some kind of jumbled data, or a complete nonsense. For
instance, a GUID like {6CD03F67-3507-4cce-8355-CBF5158A96DE} will do,
or you can take a MD5 or SHA1 hash of, say, full user name, the UNIX
time  of account creation and some random bytes. That would be *very*
hard to forge and the UID will seem gibberish to an attacker.
BUT, what if the users will be forced to memorize their long-and-scary UID
along with a password (especially, if passwd's strength is enforced)?
In this case, I personally recommend (from the users' point of view)
to use first characters of user's full name plus some number (random
or corresponding to the number of users with same initials, e.g. JRT1,
JRT2 etc).

-- 
Best regards,
* * * * * * * * * * * * * * *
* Alexander V. Lukyanenko   *
* ma1lt0: sashman....ua.fm  *
* ICQ#  : 86195208          *
* Phone : +380 44 458 07 23 *
* OpenPGP key ID: 75EC057C  *
* NIC   : SASH4-UANIC       *
* * * * * * * * * * * * * * *

Attachment: _bin
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]