LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Old 08-13-2011, 10:34 AM   #1
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

Rep: Reputation: 52
How can the limitations of usernames be solved?


Simply comparing the username selected by a new member to a list of existing usernames quickly shows conflicts, and denying the use of usernames already taken is very frustrating to the visitors of a web site.

I read the following statement on the Internet:

"In order to log in to the server, an authentication value derived from the password and username is passed to the server."

That probably means there could be an unlimited number of identical usernames using the same server if that value is used to identify the user.

Could anyone point to info, or explain how to do that, because it obviously involves doing it on the visitor's machine?

Thank you for your help.
 
Old 08-13-2011, 11:00 AM   #2
eSelix
Senior Member
 
Registered: Oct 2009
Location: Wroclaw, Poland
Distribution: Arch, Kubuntu
Posts: 1,281

Rep: Reputation: 320
But as you wrote, this authentication value is based on usernames. Users still need their "usernames". If you allow users to have the same username, then it will be a security issue, as these users can also choose (by accident) the same password; how do you then distinguish them?

You can use emails as usernames, or you can also use OpenID or similar solutions.

If this is a login form on a website, you can make it less frustrating by checking usernames while they are writing them in the field, using Ajax technology. That way they get immediate feedback.

Last edited by eSelix; 08-13-2011 at 11:04 AM.
 
1 members found this post helpful.
Old 08-13-2011, 11:17 AM   #3
MTK358
LQ 5k Club
 
Registered: Sep 2009
Posts: 6,443
Blog Entries: 3

Rep: Reputation: 723
And most importantly, how will members be able to tell each other apart if different ones have the same name?
 
1 members found this post helpful.
Old 08-13-2011, 11:55 AM   #4
PTrenholme
Senior Member
 
Registered: Dec 2004
Location: Olympia, WA, USA
Distribution: Fedora, (K)Ubuntu
Posts: 4,187

Rep: Reputation: 354
Well, consider the real world. Many people out here have identical names. So, how do you distinguish among all the different people called, e.g., "John Doe"? Obviously not by just the name. (Nor the SSN, which cannot - by law - be used as a unique id number, but that's a different issue.)

So, you could assign the new user a unique password (giving the user the option of rejecting a proposed p/w and looking at another one). That would prevent the duplicated p/w problem.

As to the "Which John Doe do you mean?" question, that assumes that the user knows that "John Doe" is available in the system. They could only know that by somehow getting that information by reading the site's contents. So, you could record the name of posters and post readers and, when a post reader wishes to contact some other reader, you could ask them which "John Doe" among those who created posts they've read they mean.

Alternatively, you could create a "personal community" for each user, and let them add other users to their "community" with, for example, a right-click on the other user's name in a post. When there's a collision in their "personal community," you could let the user add a "nickname" or "identifying characteristic" to the duplicated name, and present the user with names and characterizations when they want to communicate with someone in their community.

There may be other possible solutions (e.g., face pictures?), but, as I noted above, we have been dealing with the problem of "John Doe" for centuries.

Last edited by PTrenholme; 08-13-2011 at 11:57 AM.
 
1 members found this post helpful.
Old 08-13-2011, 11:11 PM   #5
win32sux
LQ Guru
 
Registered: Jul 2003
Location: Los Angeles
Distribution: Ubuntu
Posts: 9,870

Rep: Reputation: 380
I glanced at the paper I think you got the quote from. I gather that, at least for one of the features, the username is being used as a salt when the password is hashed. It's kind of weird, since normally you'd want the salt to be random, but in the end, usernames aren't intended to be secret (much like a salt) and I don't think there's anything technically wrong with using them as a salt in some cases (other than statistical deviations from pre-computing probabilities).

That said, I don't really understand the context in which this is all taking place, since I'm not familiar with this service.

As for this:
Quote:
Originally Posted by rblampain
That probably means there could be an unlimited number of identical usernames using the same server if that value is used to identify the user.
I don't know how you reached that conclusion. Could you elaborate? There needs to be a uniqueness. Otherwise, you'd be susceptible to collisions since people will be able to pick an identical username/password combination, which would generate an identical message digest (in the scheme above), which would consequently make identification (and therefore authentication) impossible. Therefore, considering there is no mention of any other unique identifier in the paper AFAICT, I would say that the usernames are indeed checked for uniqueness prior to being made usable.

Last edited by win32sux; 08-13-2011 at 11:25 PM.
 
1 members found this post helpful.
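
The collision described in post #5, shown as an added example (not code from the thread or from the paper it refers to). It assumes PBKDF2-HMAC-SHA256 as the derivation, since the paper's actual function is not given here; the class names, iteration count and sample credentials are hypothetical.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch


def auth_value(username: str, password: str) -> bytes:
    """Value derived from username and password; the username acts as the salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), username.encode(), ITERATIONS
    )


class DerivedValueRegistry:
    """Hypothetical server that identifies accounts only by the derived value."""

    def __init__(self):
        self.accounts = {}  # auth value -> account id

    def register(self, username, password):
        value = auth_value(username, password)
        if value in self.accounts:
            return None  # same name + same password: indistinguishable
        self.accounts[value] = len(self.accounts) + 1
        return self.accounts[value]


class UniqueNameRegistry:
    """Conventional design: unique username as lookup key, random per-user salt."""

    def __init__(self):
        self.accounts = {}  # username -> (salt, hash)

    def register(self, username, password):
        if username in self.accounts:
            return False  # the uniqueness check the thread concludes is needed
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        self.accounts[username] = (salt, digest)
        return True

    def verify(self, username, password):
        if username not in self.accounts:
            return False
        salt, digest = self.accounts[username]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        return hmac.compare_digest(candidate, digest)
```

Refusing the colliding registration in the first design is not a fix, because the refusal itself tells the second person that this name and password already belong to an account.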
Old 08-14-2011, 12:07 AM   #6
rblampain
Senior Member
 
Registered: Aug 2004
Location: Western Australia
Distribution: Debian 11
Posts: 1,288

Original Poster
Rep: Reputation: 52
Thank you all for your explanations; I better understand the subject. If, under the scheme, the username still needs to be unique, then my assumptions were wrong and it offers no advantage.

Last edited by rblampain; 08-14-2011 at 12:16 AM.
 
  

