7

I have on my site the ability for the user to choose his/her username that is 4-20 characters long.

But some users could have names like "Amy" "Eva", "Ian" etc.

Should I stick with 4 letters or go to 3 letters?

Are there any disadvantages from security point of view?

I am using trim and xss filt. on every user input and the words like admin etc. are restricted in my callback method.

Is it safe to go to 3 from 4 letters?

  • 2
    I think you should be bothered only with username duplication, and information disclosure if username already taken :) (it is not always an issue). – damiankolasa Dec 04 '12 at 07:20
  • So 3 or 4 characters is no difference - from the security point of view? Because the tank auth library (I am using CodeIgniter framework) has default settings for min username lenght set to 4 and max to 20. That's why I am asking if it is a reason for that or not? Another example that comes to my mind right now is PIN code on my phone. It is also 4 cahracters long. But again it is password and not username ;). So, do you think it is safe to go with 3 characters? If yes, try to post your answer as an answer instead of comment so I can possibly chose your answer as the winning one. Thanks. –  Dec 04 '12 at 07:32
  • 3
    It can be an issue if attacker is using exaustive search, for both username and password. But it's not likely, as you mentioned you have an admin user, so attacker already knows at least one username. It will be a change in security but I don't think it's dramatic and worth all the hustle. Usernames are not secret and you should not treat them like such. Put constraints on passwords not usernames :). – damiankolasa Dec 04 '12 at 07:44
  • Its pretty safe to assume there is a reason the defaults are set 4-20 characters. Unless you understand those reasons, and only the author of CodeIgniter could make those reasons known, I wouldn't be changing defaults. The only exception is if somebody who understood the reasons said otherwise, for example, some of the defaults in a PHP installation can be unsafe and the typical advice is to change them to something else. – Ramhound Dec 04 '12 at 12:29
  • It is a library Tank Auth Library. He is not the author of CodeIgniter PHP framework. Do you have any valid arguments to support your statement"Its pretty safe to assume there is a reason the defaults are set 4-20 characters."? –  Dec 04 '12 at 13:10
  • even 1 char would be OK :) – niilzon Aug 22 '17 at 13:17
  • What of two characters long do you know? – Darlington Nov 28 '17 at 11:08

1 Answers1

16

There's no difference from a security perspective - the authentication strength should come from the password, not the username.

However, I wouldn't put a minimum of 3 characters on a username. In China alone, there are over 700,000 people with the given name Na or Li, and there are plenty more one-character and two-character names. Add that to the fact that names don't even need to be made of ASCII letters, and you're running into problems. Granted, you can probably enforce ASCII for your purposes, since most names consisting of non-Roman characters can be represented with the standard A-Z alphabet in some way.

I highly recommend you read Falsehoods Programmers Believe About Names and absorb the crazy facts within it. You can reasonably safely ignore some of the more esoteric issues (e.g. Klingon names) but be aware that there are people whose names do not fit in with any single standard model you can come up with.

Polynomial
  • 132,208
  • 43
  • 298
  • 379
  • 1
    The article you link seems to be mostly about real names. Usernames may be derived from real-names but they should be simplified so everyone in the organisation can remember and type them easilly. To me that means a-z, 0-9 and a handful of basic punctuation. – Peter Green Mar 24 '16 at 13:47