views: 35

answers: 3

Hello,

How can I suggest a list of alternate usernames in case user has selected an invalid or existing username?

The suggestions must be somewhat related. Do I need to use a dictionary of possible usernames?

+1  A: 

It depends entirely on what you consider "related". It's hard to define such a meaning for usernames, as they often aren't normal English words. You might wish to create a unique username by appending a random stream of numbers, or by changing some of the letters to numbers ('e' to '3' etc). If you will update your question with what you mean by 'relevant' I will try and tackle that specific issue.

Stephen
or should I include an underscore/dot/hyphen between the words, append some random numbers and present to user?
Jagira
Exactly - these are *all* valid options. It's entirely up to you. I would avoid what Visage points out, although I disagree that it's *that* much of a security risk, but any potential risk should be avoided.
Stephen
+1  A: 

Bad idea. Giving away related usernames allows a skillful attacker to deduce which usernames are in use.

i.e. if I try and register 'RandomUser' and the system suggests using one of:

RandomUser1
RandomUser2
RandomUser3
RandomUser5

Then I can reasonably surmise that RandomUser4 is a valid username.

Visage
Good point visage...
Jagira
OK, this may be a bad idea, or a good one, it depends on your system surely? They could deduce that any name is a valid username by trying to register it.
Kevin Sedgley
Indeed. The actual username is **very** unlikely to be your weak spot. However, every bit of security counts, so I would agree that it's a bad idea to do continuous numbers... which is why I'd just use a random number instead.
Stephen
suppose a hacker knows the name of the account holder and he wants to guess his username... while trying through various usernames he might find other usernames that are in use or he might find the list of available usernames [thereby checking them off his list of probable usernames]
Jagira
But what is he then using the usernames for? Sure, if your users are using insecure passwords then this might be a fairly big security risk, but as long as you force them to use proper alphanumeric+symbols passwords, it doesn't really matter if the attacker gathers information about usernames. Of course, like I said in my comment, it's still a good idea to avoid this approach - but there is nothing wrong with the approach I suggest below or with your addition in the comments.
Stephen
Usernames alone are of no use, but getting them is usually the first step. Anyway the answer looks like an overkill or an extremely paranoid approach...
Jagira
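The thread above settles on two points: suggestions built from separators and a random number (Stephen's answer and Jagira's follow-up), and avoiding sequential suffixes because a gap in the offered list tells a visitor which neighbouring name is taken (Visage's answer). The Ruby below is an added example written for this page, not code from any of the answers or from the linked article. It assumes the caller supplies the set of taken names (`TAKEN_USERNAMES` is a constructed sample standing in for a database query) and that the asker's Rails app would call `suggest_usernames` from its signup controller.

```ruby
require 'set'
require 'securerandom'

# Constructed sample of names already in the store (stand-in for a DB lookup).
TAKEN_USERNAMES = %w[randomuser randomuser1 randomuser2 randomuser3 randomuser5].freeze

SEPARATORS = %w[_ . -].freeze

# Normalise a requested name to lowercase alphanumeric words ("Random User!" -> ["random", "user"]).
def username_words(base)
  base.to_s.downcase.gsub(/[^a-z0-9]+/, ' ').split
end

# Suggest up to `count` free usernames related to `base`.
# Sequential suffixes (base1, base2, ...) let a gap in the offered list reveal an
# account that exists, so the numeric suffix is drawn from a large random space
# instead. Every candidate is still checked against the store before it is offered,
# so nothing returned here is a name that is already in use.
def suggest_usernames(base, taken, count: 3, rng: SecureRandom)
  words = username_words(base)
  return [] if words.empty?

  taken_set = taken.map(&:downcase).to_set
  suggestions = []

  # Plain separator variants first ("random_user", "random.user") when there is more than one word.
  if words.size > 1
    SEPARATORS.each do |sep|
      candidate = words.join(sep)
      suggestions << candidate unless taken_set.include?(candidate)
      break if suggestions.size >= count
    end
  end

  # Then random-suffix variants. Bounded attempts keep a crowded namespace from looping forever.
  attempts = 0
  while suggestions.size < count && attempts < count * 20
    attempts += 1
    sep = SEPARATORS[rng.rand(SEPARATORS.size)]
    candidate = "#{words.join(sep)}#{sep}#{rng.rand(1_000_000)}"
    next if taken_set.include?(candidate) || suggestions.include?(candidate)

    suggestions << candidate
  end

  suggestions
end

if $PROGRAM_NAME == __FILE__
  puts suggest_usernames('RandomUser', TAKEN_USERNAMES)
end
```

`rng` is injectable so tests can pass a seeded `Random` and get repeatable output; in production the default `SecureRandom` keeps the suffixes unpredictable, which is what makes the offered list say nothing about the names that were not offered.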
A: 

Look at this:

http://www.onesoft.dk/post/2007/07/ASPNET-AJAX-username-availability-with-suggestions.aspx

It's built using Ajax & JSON. I'm sure you will be able to adapt it to your technology.

Pierre 303
I am working on Rails. Will have a look though...
Jagira