Network Security Web-App-Sec

Re: User ID generation

Subject: Re: User ID generation
Date: Thu, 14 Apr 2005 00:25:53 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jason,
You could probably get by with skipping a random number between 100 and 1000
in between each UserID that gets created. You could also just use a hash of the
number, but I assume that the users will have to know (and use) their UserID. In
that case, I would question why the numbers at all? Wouldn't a chosen username
(or one based on their name) be better? The UserID could still be used on the
back-end, and the chance of a DoS goes away.

The random string would work, but would be (a) hard to remember, and (b) no
better than a hash of a sequential number + salt.

You can determine the keyspace requirements by:
M = maximum number of users
P = chance of guessing a valid UserID (brute force)
K = number of guesses one could expect before being noticed

Then the keyspace would need to be at least M*K/P. You're probably going to have
something like M=10000, P=0.0001, K=1000, so the keyspace size is 100 billion,
or about 37 bits.


-Mike

Jason binger wrote:
| I have a customer that generates UserIDs as numbers
| sequentially for a critical application. They
| implement account lockout and I am concerned that
| someone could launch a DOS and lockout all the user
| accounts.
|
| What would people recommend for a user ID generation
| method.
|
| I was thinking UserIDs should be randomly generated
| from a large alpha-numeric keyspace, but how big
| should the keyspace be?
| What would the size of the keyspace need to be if it
| was only numeric?
|
| Any other thoughts appreciated.
|
| Cheers,
|


-- 
Michael Scovetta
Scovetta Labs
www.scovettalabs.com

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFCXfDDK5Y2cJWwwk0RAgGwAJ9EEYbtH0k6KHnPb5CWyjCbz9K/1QCfY+FT
WBeOPAMeMp/r4e/ccOGkhT4=
=S9oP
-----END PGP SIGNATURE-----
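The keyspace sizing from Mike's reply, carried through in code as an added example that is not part of the thread. It computes the minimum keyspace and bit width from M, P and K, converts that to an ID length for a given alphabet, and shows the two generation options the reply mentions: a random ID drawn from that alphabet, and an ID derived from the sequential number. For the derived variant the example uses an HMAC with a secret key rather than an unkeyed hash of number plus salt, because an attacker who learns the salt can otherwise recompute every ID; that substitution, the ``string.digits``/alphanumeric alphabets and the hypothetical secret key are the example's own assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string


def keyspace_bits(max_users, guess_probability, guesses_before_noticed):
    """Return (minimum keyspace size, bits) such that an attacker who makes
    K guesses before being noticed hits one of M valid IDs with probability
    at most P.  Each guess succeeds with probability M/N, so K guesses
    succeed with probability <= K*M/N (union bound); solving for N gives
    N >= M*K/P, the formula from the reply above."""
    size = max_users * guesses_before_noticed / guess_probability
    return size, math.ceil(math.log2(size))


def id_length(bits, alphabet):
    """Number of characters from `alphabet` needed to carry `bits` of keyspace."""
    return math.ceil(bits / math.log2(len(alphabet)))


def random_user_id(length, alphabet):
    """Option 1: a uniformly random ID (secrets, not random, for unpredictability).
    Uniqueness is probabilistic, so the caller must still check for collisions
    before committing the ID to the user table."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derived_user_id(seq, secret_key, length, alphabet):
    """Option 2: derive the ID from the sequential account number with a keyed
    hash.  Without the key an attacker cannot enumerate IDs by counting, and
    the back end can keep using `seq` internally."""
    digest = hmac.new(secret_key, str(seq).encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")
    base = len(alphabet)
    out = []
    for _ in range(length):
        n, r = divmod(n, base)  # 256-bit digest reduced to `length` symbols
        out.append(alphabet[r])
    return "".join(out)


if __name__ == "__main__":
    # Figures from the reply: M=10000 users, P=0.0001, K=1000 guesses.
    size, bits = keyspace_bits(10000, 0.0001, 1000)
    print(f"keyspace >= {size:.0f} (~{bits} bits)")

    alnum = string.ascii_letters + string.digits
    for name, alphabet in (("numeric", string.digits), ("alphanumeric", alnum)):
        length = id_length(bits, alphabet)
        print(f"{name}: {length} chars, e.g. {random_user_id(length, alphabet)}")

    # Hypothetical server-side key; in practice load it from a secret store.
    key = secrets.token_bytes(32)
    for seq in (1, 2, 3):
        print(seq, "->", derived_user_id(seq, key, id_length(bits, alnum), alnum))
```

With the reply's numbers the keyspace works out to 10^11 (37 bits), which is 12 decimal digits or 7 alphanumeric characters; the random and derived forms both meet that, but only the derived form also fixes the lockout DoS at the root, since consecutive account numbers no longer map to adjacent IDs.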
