We’ve put together a short list of some best practices for unique login names.
- Users having a unique name is important for auditing and security. Define a method early on to help assure users are always unique across all systems and helps pinpoint any security and audit concerns quickly.
- Avoid recognizable naming standards. Such as including first or last names. This may help the end user remember their ID, but it helps intruders quickly assume who they are attempting to login as and possible rights that user may have to various systems.
- Administrators shouldn’t all start with “srv”. If certain users are created differently than other users, try to use a naming standard that can’t be easily assumed. Maybe have all service accounts start with a given number.
- Best to have all of types accounts have the same unique naming, such as all accounts being a number. User 53421 may be an employee, 53422 may be an Administrator and 53423 may be a contractor. This may seem difficult for auditing, but a SIEM with analytics would see normal behavior for a given user type over time. You could have employeeType distinguish the type of user and expose this attribute to only given Administrative Roles.
- Naming convention best practices:
● Avoid special characters in the name
● Avoid long names - Avoid ever renaming an account
- Allow for a system that can allow a user to lookup their username and password, to help limit help desk calls. A product like NetIQ Self Service Password Reset (SSPR) is highly recommended.
NetIQ IDM Use Cases:
● A third party system generates a unique name, such as an HR system. Use this to generate the login ID and enforce connected systems to use the same login ID
● Generate a Random number and then use the unique name token to confirm that the loginID is indeed unique within the Identity Vault.