#security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!
All right, after the lengthy discussion of user names and ids, let's set down some simple rules:
Do not use sequential numbers for user ids.
Do use random numbers for user ids, drawn from a cryptographic random source and long enough (e.g. 128 bits) that neither guessing nor collisions are practical.
Do not use any scheme for user names that ties (semi-)public user information to the user name.
Use user nicknames (aliases) if “natural” user names are not sufficiently unpredictable.
Allow users to change user names.
The last point was not mentioned previously, but it follows naturally, doesn't it? The system identifies the user by a fixed random user id. The user, however, identifies themselves to the system by a nickname, and that nickname can be changed once the user is logged in and their id is known, because nothing in the system depends on the nickname staying the same.
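The following is an added example that is not code from the original post: a small, hypothetical in-memory user directory that applies the rules above. Ids are 128 random bits from the OS CSPRNG and never change; nicknames are the user-facing names, must be unique (case-insensitively), must not simply repeat the e-mail local part (a piece of semi-public information), and can be renamed by the id's owner. The `UserDirectory` class, its method names and the e-mail-local-part rule are all assumptions made for this illustration.

```python
import re
import secrets


class UserDirectory:
    """Hypothetical user store: random immutable ids, changeable nicknames."""

    ID_BITS = 128
    # Nicknames: 3..32 characters from a small safe alphabet (an assumption).
    NICK_RE = re.compile(r"^[A-Za-z0-9_]{3,32}$")

    def __init__(self):
        self._by_id = {}    # user_id (int) -> {"email": ..., "nick": ...}
        self._by_nick = {}  # lowercased nickname -> user_id

    @classmethod
    def new_user_id(cls):
        # Random bits from the OS CSPRNG: not sequential, not guessable,
        # and with 128 bits a collision is practically impossible.
        return secrets.randbits(cls.ID_BITS)

    def _validate_nick(self, nick, email, owner=None):
        if not self.NICK_RE.match(nick):
            raise ValueError("nickname must be 3-32 chars of [A-Za-z0-9_]")
        # Rule: do not tie (semi-)public information to the user name.
        # Here the e-mail local part is treated as such information.
        local_part = email.split("@", 1)[0].lower()
        if nick.lower() == local_part:
            raise ValueError("nickname must not repeat the e-mail local part")
        taken_by = self._by_nick.get(nick.lower())
        if taken_by is not None and taken_by != owner:
            raise ValueError("nickname already taken")

    def create_user(self, nick, email):
        """Register a user; returns the fixed random id the system will use."""
        self._validate_nick(nick, email)
        uid = self.new_user_id()
        while uid in self._by_id:  # defensive; never expected to loop
            uid = self.new_user_id()
        self._by_id[uid] = {"email": email, "nick": nick}
        self._by_nick[nick.lower()] = uid
        return uid

    def lookup(self, nick):
        """Resolve the nickname a user logs in with to the internal id."""
        return self._by_nick.get(nick.lower())

    def rename(self, uid, new_nick):
        """Change the nickname of an already identified (logged-in) user.

        The id stays the same; only the user-facing name is replaced.
        """
        record = self._by_id[uid]  # KeyError for an unknown id
        self._validate_nick(new_nick, record["email"], owner=uid)
        del self._by_nick[record["nick"].lower()]
        record["nick"] = new_nick
        self._by_nick[new_nick.lower()] = uid


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    users = UserDirectory()
    uid = users.create_user("ghost_owl", "john.smith@example.com")
    print("id bits:", uid.bit_length(), "lookup:", users.lookup("Ghost_Owl") == uid)
    users.rename(uid, "night_owl")
    print("after rename:", users.lookup("night_owl") == uid, users.lookup("ghost_owl"))
```

Note that the directory never hands out the id as a login name and never derives the nickname from the id; every relation (id, e-mail, nickname) is looked up, so a leaked or enumerated nickname tells an attacker nothing about the id, and an id is not a sequence an attacker can walk.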