Developing a company-wide account username convention as part of a company’s enterprise password management strategy is an important and challenging task. For organizations managing more than one set of credentials for their various systems and applications, a best practice is to consolidate all credentials into a single, enterprise-wide account username convention.
When planning a new convention for user accounts, an organization or identity management project lead must consider four critical drivers: usability, security, administration, and audit. While the goal is to develop a convention that balances the four drivers, we recommend that your organization ranks them in order of priority. Drivers with a lower priority are areas with the most flexibility.
To help your organization define and prioritize conventions, consider these four drivers.
Usability is a top concern for end users and helps drive adoption of new username conventions, as well as the entire identity and access management (IAM) solution. The username is one of the very first interactions a user will have with the new system, so organizations that prioritize user satisfaction should place usability as their top priority. Name-based conventions, such as “jdoe” or “johndoe,” are typical account-naming conventions in this scenario.
The primary security concern with user-friendly usernames is that they can lead to unauthorized access. After all, easy-to-remember usernames are also easy to guess, resulting in an attacker having half of the credential equation with little to no effort. The typical account-naming convention in a security-prioritized convention is a system-generated account name that is not directly linked to identity data in any way. Randomized account username conventions also deal with security concerns around personally identifiable information, because the username values cannot be linked back to a person. Some examples are using four letters and numbers (e.g. qlvz4426) or combining words from a range of different categories (e.g., biscuitcrispy).
Username convention plays an important role in the management and support of an IAM solution. Help-desk users and other administrative users must be able to quickly and easily locate user accounts. However, searching by name alone usually returns multiple users with the same first and/or last name. Because the username is typically used as the key search value, being able to identify a user based on his or her username is the preferred scenario when administration is prioritized.
A typical account-naming convention in this scenario is based on a full name, such as “Public, John Q.” (e.g., jqpublic) or “Jane Doe” (e.g., jdoe). In the event of a duplication, a numerical value is typically appended to the username (e.g., jdoe2).
Organizations must be able to run reports that show the access history of specific users. This requires a naming convention in which the username does not change (such as a primary key in a database), because access logs normally only store usernames and not a global unique identifier. A unique identifier from an authoritative data source, like employee ID for staff or contractor ID for external workers, would be the typical username convention in this scenario.
These are typically numerical identifiers, such as 234567890 or 3456543456. However, if an employee or contractor ID is a Social Security number or Tax ID, an alternative unique identifier should be used. Although IAM systems support renames and tracking historical accounts, most third-party systems do not. As such, access logs cannot be guaranteed to resolve to the appropriate user.
Interested in learning more?
These guiding principles are the cornerstone of the hundreds of IAM implementations. Our Definitive Guide to Account Username Conventions provides a valuable perspective for organizations looking to implement enterprise-wide username conventions.
Now that you know the four critical drivers and how to prioritize them, download the guide to get our step-by-step methodology and all the tools to develop an enterprise-wide account username convention that's optimal for your organization.
Download our guide today to learn how to adapt this methodology to fit your organization’s needs.