I am working on user registration for a web app, and just started thinking that I wouldn't want some clever/evil person to come along and register a user name like 'admin'.

What other user names should I disallow? Database keywords?

Does it matter?

Thanks in advance for your responses!

Edit: I have security covered. I am more interested if it is commonplace for people to disallow certain names to stop people from faking authority, or even certain words that spambots like to register with.

+6  A: 
Evan Meagher
Haha, great comic, but of course I do clean up all user input, and I should also mention that I only allow alphanumerics, underscores and hyphens in the names.
mrinject
+1 just for the xkcd reference :)
the_drow
Remember that sanitising data input doesn't necessarily mean disallowing names like Robert'); DROP TABLE Students;--. Sanitising it can mean escaping it properly where you need to; escaped in one way in a SQL query, in another way in a URL, in another way in HTML, etc.
vincebowdren
+2  A: 

Depending on what you do with the names, it shouldn't matter. You definitely shouldn't be injecting them into SQL statements, so the harm of database keywords should be minimized. My approach would be to allow pretty much anything, but not trust anything that's entered - use parameters in your SQL statement and/or sanitize the data if you're going to include it in, for example, HTML.

Consider reading this question to get a little more information about SQL Injection Attacks: What is the best way to avoid SQL injection attacks?

Blair Conrad
+2  A: 

I would have to say that you should allow anything, and if you don't want somebody to have a user like Admin, you should create that user initially for your own use. Like others have said, if you're programming the application correctly, there shouldn't be any problem from using things like database keywords. If you aren't programming correctly (writing code susceptible to SQL injection), there is nothing that will stop a really creative person from getting around your blacklist.

Kibbee
+2  A: 

Seriously, you need to ensure any user generated data (not just usernames) are properly escaped before going into the database. This will ensure your users can't pull a SQL injection attack (e.g. the Bobby Tables cartoon linked by Evan Meagher). If your user wants to log in with a username like "Robert'); DROP TABLE", then, cool let them. Just make sure it won't harm your database.

Equally, if you display a username anywhere on the site make sure your html special characters are properly encoded to prevent them from injecting <script> tags and javascript into your output (XSS vulnerability). e.g. a user with the username "<script>alert('Hi');</script>" should never see an alert box.

I see no reason why you should disallow usernames that look like SQL Injection or XSS attacks, provided you make absolutely sure the user can do no harm to the system by having one.

If you're providing any email services tied to username (e.g. a webmail service), you'll want to make sure users can't register using one of the RFC 2142 reserved email addresses (or that you register them all yourself before launch).

Finally, there's a non-technical reason. If the person's username appears anywhere on the site it might be desirable to disallow usernames like "admin", "administrator", "root", "sysadmin", "webmaster", "moderator", as these usernames might imply some sort of ownership or control of the site to another user. You probably only want the site owners to be able to imply they own the site. This may not be necessary in all situations.

Jim OHalloran
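An added example, not part of the answer above: the two usernames quoted in that answer are stored with bound SQL parameters and then encoded separately for a URL path and for HTML output. The `users` table and the `/users/` path are assumptions made for the illustration.

```python
import html
import sqlite3
from urllib.parse import quote

def save_username(db, username):
    """Insert and read back a username using bound parameters only."""
    # The "?" placeholder sends the value as data, never as SQL text.
    db.execute("INSERT INTO users (name) VALUES (?)", (username,))
    row = db.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchone()
    return row[0]

def profile_link(username):
    """Build an HTML link; each output context gets its own encoding."""
    # URL path segment: percent-encode everything, including "/".
    url = "/users/" + quote(username, safe="")
    # HTML attribute and HTML text: entity-encode <, >, & and both quote characters.
    return '<a href="{}">{}</a>'.format(html.escape(url), html.escape(username))

def demo():
    db = sqlite3.connect(":memory:")  # hypothetical schema for the example
    db.execute("CREATE TABLE users (name TEXT NOT NULL UNIQUE)")
    names = ["Robert'); DROP TABLE Students;--", "<script>alert('Hi');</script>"]
    stored = [save_username(db, n) for n in names]
    tables = [r[0] for r in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    db.close()
    return stored, tables, [profile_link(n) for n in stored]

if __name__ == "__main__":
    stored, tables, links = demo()
    print(tables)   # the table survives both inserts
    for link in links:
        print(link)
```

The usernames come back from the database byte for byte; only their representation changes at each output boundary.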
+22  A: 

Acceptable Usernames

As a general policy, I limit usernames on systems I design in the following ways:

  • Usernames must be lower ASCII - this excludes Unicode usernames that can be used to trick users. For example, when you include Unicode in usernames, the names "admin" and "admin" are separate usernames but may appear identical to unsuspecting users.
  • Usernames must be unique - Using a username as a unique identifier is not advised, but it still makes sense to have it as a unique value if it is used for emails or logins.
  • Usernames do not conflict with reserved keywords - Disallowing usernames from being common system usernames is useful because it is one avenue of social engineering that can be used by black hats to scam users on your system. That means that admin, webadmin, postmaster, root, administration, sysadmin, etc. should be blocked. Moreover, if you will use a REST style URL system, make sure that usernames do not conflict with any potential paths that you may likely include in the future.
  • Usernames are cleaned - It is important that any html, or css markup is removed from inputted usernames in order to prevent XSS attacks or possible user impersonation attempts. Also, don't forget to trim leading and trailing whitespace characters from the username.

The question really comes down to your use. If your usernames are just names associated with users on a web forum, then it doesn't really matter. However, if the usernames are part of a large system with security concerns, you should have a policy. The main danger with improper usernames is that a black-hat can exploit them as one method of social engineering innocent users into revealing sensitive information.

Interestingly, after posting this answer, I checked Stack Overflow's username verification and it does disallow unicode characters like I suggested. However, it does give a cryptic error saying that the username is "reserved."

Elijah
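An added example, not part of the answer above, showing one way to apply the policy it lists: trim, require ASCII, restrict the character set, block reserved names, and enforce uniqueness on a case-folded key. The length limits, the route names and the separator-stripping check are assumptions; the role names and the allowed characters are taken from this page.

```python
import re

# Role names mentioned in the answers on this page.
RESERVED_ROLES = {"admin", "administrator", "administration", "root", "sysadmin",
                  "webadmin", "webmaster", "postmaster", "moderator"}
# Hypothetical route names for a site that serves profiles at /<username>.
RESERVED_ROUTES = {"login", "logout", "signup", "settings", "static"}
# Alphanumerics, underscore and hyphen; the 3-30 length bound is an assumption.
ALLOWED = re.compile(r"[a-z0-9_-]{3,30}")

def canonicalize(raw):
    """Return the key used for uniqueness checks, or raise ValueError."""
    name = raw.strip()                    # leading/trailing whitespace never counts
    if not name.isascii():                # rejects look-alike letters from other scripts
        raise ValueError("non-ascii")
    key = name.lower()                    # "Admin" and "admin" are the same account
    if not ALLOWED.fullmatch(key):        # also rejects markup and inner spaces
        raise ValueError("bad-format")
    # Added strictness: compare with separators removed so "ad-min" is caught too.
    if key in RESERVED_ROUTES or re.sub(r"[_-]", "", key) in RESERVED_ROLES:
        raise ValueError("reserved")
    return key

def try_register(raw, taken):
    """Return (True, key) on success or (False, reason); 'taken' is a set of keys."""
    try:
        key = canonicalize(raw)
    except ValueError as exc:
        return (False, str(exc))
    if key in taken:
        return (False, "taken")
    taken.add(key)
    return (True, key)

if __name__ == "__main__":
    taken = {"ender"}                     # constructed sample data
    for raw in ["Ender ", "\u0430dmin", "Admin", "ad-min", "<b>bob</b>", " Blair_Conrad "]:
        print(repr(raw), try_register(raw, taken))
```

In a real application the uniqueness check belongs in a unique index on the stored key, so that two concurrent registrations cannot both pass.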
+1  A: 

Remember
 Ender

ChristianLinnell
Can you elaborate?
mrinject
Perhaps a reference to Ender's Game or Ender's Shadow? I believe one character, Bean, took someone else's tablet computer and made a fake username on it so that he could explore the network without being traced. It turns out he was traced anyway...
Scott Whitlock
Very cryptic...
Isaac Waller
He added a space to another student's username so he could pose as that student. I've seen countless forums where this simple exploit is ignored.
ChristianLinnell
thou shalt trim()
mrinject
+8  A: 

The best way to keep folks from being "spoofed" with "authoritative sounding names" is simply to distinguish "authority" in some other way (i.e. you have a special color of text in a post, you have a special icon or avatar, etc.).

Will Hartung
+5  A: 

It might be worthwhile to disallow any combination of your company's trademarks. Not only does it make sense from a legal standpoint, but it keeps malicious visitors from trying to appear like a member of your organization.

Scott Whitlock
+2  A: 

Consider replacing username with e-mail as nowadays users tend to forget their usernames.

If a user uses his email password, then you have free access to his email :) But seriously, saving plaintext passwords is not a good idea.

Pavels
That's definitely something to think about. What if you let users login with either?
mrinject
What would you bet that on systems who use email addresses that 50% of the users use the same password as their email account?
Elijah
+3  A: 

If you have user names that form part of URLs, you might want to disallow some or all of the following:

  • api
  • beta
  • blog
  • demo
  • forum
  • forums
  • iphone
  • mobile
  • secure
  • svn
  • weblog
  • welcome
  • www
John Topley