Taking steps to eliminate ambiguity when discussing the design and security of an access control system helps ensure that the right steps are being taken to strengthen security.
Using terms such as "username" carelessly can lead to misunderstandings, particularly when discussing the design and security of an access control system. Taking steps to eliminate that ambiguity helps clarify your meaning and ensures that the right steps are being taken to secure the system.
At times, a discussion of the various names, passwords, and identifiers associated with a given account can become confused if people do not all use the same terms in the same ways. A simple set of common definitions can help clarify discussion and avoid ambiguity or miscommunication. The ambiguity that can arise when discussing usernames and other identifiers is only one instance of the way careless use of technical terms can cause problems, but it illustrates the problem well.
The difficulty is that some terms people use in such discussions do not have specific, "official," or standardized meanings, but have arisen in general usage that is not very precise as to the intent behind the term. Some generalizations can be made, however, and if these are kept in mind they may help reduce the potential for misunderstandings.
Four key pieces of data that are typically important to differentiate include:
- The two pieces of data one must normally enter at login: a login name and a password.
- The identifier used by the system behind the scenes to refer to a given user account.
- An identifier that is presented to the world (the profile name).
The profile name is never intended to be a secret, except insofar as access to one's profile might be restricted to a particular class of people. It is certainly not something kept hidden from everyone but the user whose account it belongs to. In fact, the primary reason for a profile name is to provide a name by which other people may differentiate one account from others.
In many cases, especially those where the profile name is identical to the login name, a profile name may be called a username, which can unfortunately cause misunderstandings between people who are each referring to a different datum when they use the word username. Another term occasionally used for a profile name is alias, though aliases may also be set arbitrarily by others, for their own personal use, in reference to a given profile name.
In cases where it is known that the profile name and the username will be identical, or where the system in question sets a standardized term of username for the profile names of accounts, using username to refer to a profile name may be appropriate. In cases where it is known that a login name and a profile name are not necessarily the same — or may even be necessarily different — and the system itself does not present the term username as the official term for a profile name, the term username should probably be avoided, however.
In such cases, the best choice is to use either the term profile name or whatever official term the system supplies for it. Even more ambiguous than username is the very vague account name, which should be avoided except where profile and login names are identical and no other potential ambiguities arise.
The login name can be regarded as "secret" to some extent, at least sometimes. This is by no means a universal or defining characteristic of a login name, however. In fact, in many cases, a login name may be necessarily public, as in the case of most Webmail providers, which require the use of one's email address as the login name. The purpose of the login name is not to provide a secret code for entry, but to give the user a name to use for logging in that identifies the user to the system, so that the system knows which account is being accessed by that user. Anything else is secondary to this.
Employing randomized, complex login names, unique to each login context — a different randomized username for one's online banking site than for one's email — is a technique used by some to increase the difficulty of cracking security on the account. The value of doing so is typically very small, and the question of whether that value is greater than the cost of the added effort involved is difficult to answer in the general case; but for a person whose login information management procedures easily handle this behavior, there is really no downside to doing so in cases where the login name does not map directly to a profile name. As such, if that describes you, and you feel that it may enhance the security of your account, go ahead and do so.
The term most commonly used for a login name is username. In cases where there is no profile name, or where the profile name and login name are necessarily identical, use of the term username to refer to the login name should not contribute to any miscommunication. In cases where ambiguity exists, however, or where one is not certain whether such ambiguity technically exists in how the system manages login names, one should probably stick to the term login name to be perfectly clear. As with profile names, the term account name is best avoided except in cases where login and profile names are necessarily identical, or where there is no profile name, and other potential ambiguities will not arise.
An identifier used behind the scenes by the system to track a given user account is typically known as a user ID, or UID. In many cases, especially in the cases of operating system accounts and account data managed by relational databases that use integer primary keys, the UID is a numeric code that is unique to the user account in question, and is not identical to any login or profile names. For some less complex systems, such as lightweight Web applications and simplistic data management applications (like some contact information managers), the user ID for the application may actually be identical to the login name, but for most cases where strict access control is important, this will not be the case.
For simplicity's sake, such identifiers should be referred to as user IDs, UIDs, or GUIDs (for "globally unique identifiers"), depending on circumstances and preferences. In cases where user accounts may also belong to group accounts, the term group ID (abbreviated GID) is typically used for those group accounts. Occasionally, someone might take user ID or UID to refer to a login or profile name; in such cases, there is not much one can do to prevent such misunderstandings other than clarify up front that such account identifiers will be referenced by way of terms like login name and profile name.
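As an added illustration (not code from the article), the following Python sketch keeps the four items listed earlier in separate fields: an internal integer UID as the stable key, a login name used only to locate the account at login, a profile name that can change without affecting anything else, and a password stored only as a salted hash. The account names, starting UID and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

class Account:
    def __init__(self, uid, login_name, profile_name, salt, password_hash):
        self.uid = uid                      # internal identifier; stable, never typed by the user
        self.login_name = login_name        # identifies the account at login; not a secret
        self.profile_name = profile_name    # shown to other people; may change at any time
        self.salt = salt
        self.password_hash = password_hash  # the only secret, kept as a salted PBKDF2 hash

class AccountStore:
    def __init__(self, first_uid=1000):    # constructed starting value for the example
        self._by_uid = {}
        self._uid_by_login = {}
        self._next_uid = first_uid

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, login_name, profile_name, password):
        key = login_name.lower()            # login names are matched case-insensitively here
        if key in self._uid_by_login:
            raise ValueError("login name already in use")
        salt = os.urandom(16)
        acct = Account(self._next_uid, login_name, profile_name, salt, self._hash(password, salt))
        self._next_uid += 1
        self._by_uid[acct.uid] = acct
        self._uid_by_login[key] = acct.uid
        return acct.uid

    def authenticate(self, login_name, password):
        """Return the UID on success, else None. Only the login name is accepted:
        a profile name is a display label, not a credential."""
        uid = self._uid_by_login.get(login_name.lower())
        if uid is None:
            self._hash(password, bytes(16))  # hash anyway so timing does not reveal unknown names
            return None
        acct = self._by_uid[uid]
        if hmac.compare_digest(self._hash(password, acct.salt), acct.password_hash):
            return uid
        return None

    def rename_profile(self, uid, new_profile_name):
        """Changing the public name touches neither the UID nor the login credentials."""
        self._by_uid[uid].profile_name = new_profile_name

    def profile_name_of(self, uid):
        return self._by_uid[uid].profile_name
```

Authorization decisions elsewhere in such a system would key on the UID returned by authenticate(), so neither a profile rename nor a later change of login name breaks references to the account.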
It is unfortunate that such confusion happens, but ambiguities inevitably crop up when dealing with jargon and technical terms that evolve on their own. With a clear understanding of what terms mean, and where the points of confusion exist, the ambiguity can be controlled — not only with regard to the matter of account names, but in relation to any discussion of technical matters. When security is involved, misunderstandings can be not only confusing, but even dangerous.
The simplest case where security might be affected is probably where someone uses the term UID to refer to a login name, or where a misunderstanding of the applicability of a term gives rise to a misunderstanding of how an identifier or password should be used. In fact, part of understanding which terms should be used to refer to which components of an authentication and account management system is understanding what the terms themselves actually mean, and by extension the primary purpose of each term.
Without that clarity of understanding, the notion that a login name should be as secret and complex as a password might arise. This does no damage by itself, but it may lead to later misunderstandings and a focus on the wrong components of a system when attempting to determine how best to secure accounts. If equal attention is paid to both login names and passwords, for instance, trade-offs may be made that relax security on the password in favor of increasing "security" for the login name. Perhaps even worse, the tendency to treat both as passwords of a sort may lead to a belief that increasing the convenience of password management at the expense of security is reasonable and acceptable because it is shored up by the "security" of the login name.
The key, then, is to ensure that you first understand the components of a system to which terms refer and the purposes of those components; second, understand how to use terms in a manner that minimizes ambiguity and the potential for confusion; and third, actually employ that knowledge to ensure that people involved in the discussion are all on the same page.
In the discussion following a recent article, "Fight back against bad password policy," some of us forgot to keep the discussion clear. As a result, I think some may have come away from that discussion with misunderstandings, both about what others were saying and about how the components of an access control system are best used. We all need to remind ourselves from time to time to think about the clarity or ambiguity of the terms we are using in a technical discussion. Hopefully, this article serves that purpose.