Around the world, colleges and universities are welcoming students, faculty, and staff back for the fall semester. Those who are new to campus will undoubtedly need a few days to find their way around, remember their class schedules, and, of course, memorize their newly issued usernames. These days, most colleges and universities issue students and employees a single username and password that can be used to access all of a user’s application resources via a single sign-on (SSO) portal. This often includes a user’s university email account, as well as any other connected system, such as web portals, payroll platforms, and meal plans. Sounds simple, right?
Unfortunately, that’s not the case in practice. A school’s account username convention must take into account many factors. For example, usernames have to be appropriate for every connected system and every user—for years to come. Usernames also need to be user-friendly, but secure. And the convention has to be applicable not only to students, faculty, and staff, but also to contractors, vendors, visiting professors, and other external users.
Hits and Misses
Every year, cyber thieves grow increasingly sophisticated in their tactics. That’s why it’s more important than ever for universities to employ effective username conventions. We’ve asked Samuel Carter, one of our identity and access management (IAM) experts, to weigh in on some of the most common hits and misses in higher-education username policies. Pay attention—you might be using one of these conventions yourself.
Year of entry, followed by first initial, followed by surname
Example: 2017sbolton or 17sbolton
Samuel: This rule feels nice and straightforward, and it would be easy to remember. Unfortunately, some systems don’t allow usernames that start with a number, so you wouldn’t be able to use this convention for campus-wide SSO. You would also encounter problems with users whose year of entry changes—for example, if they take a year or two off and then come back to school. A variation of this convention, which uses graduation year instead of year of entry, creates the same problem. This shows that schools should stay away from rules that are based on user information that is subject to change. Worse still, hackers can easily find all the information used in this convention and gain access to a user’s accounts.
Example: [email protected]
Samuel: This approach is one of my favorites, because it offers ultimate usability. But it also has a few pitfalls: Email addresses can contain special characters, which most systems do not allow in usernames. But, if you drop the special characters, most schools would start having collisions where multiple users end up with the same username. And in K–12, not everyone even has an email address—think elementary school students, janitorial staff, and part-time employees—so how do you establish a username for them?
Student ID number
Samuel: This is a common one because it’s so straightforward, and it avoids the problem of collisions. On the downside, it won’t work for systems that don’t let you start with a number. To get around this, you could add a prefix to denote student, employee, contractor, etc. (e.g., s123-456-7890). However, on a side note: It’s best to avoid nine-digit numbers because they may be difficult to tell apart from a user’s Social Security number.
First two characters of first name, followed by the total number of characters in the first name and surname, followed by the first two characters of the surname, then a random number
Samuel: This one seems pretty mind-bending, but on the plus side, it would generate some fairly secure usernames, and you probably wouldn’t encounter any collisions for decades. But such a confusing rule impacts usability. If new users forget their usernames, this convention wouldn’t help them remember. And for folks with long names, middle names, and hyphenated names, it would be even more confusing. Finally, like any rule based on first name/last name, this one presents problems when students change their names.
A unique color for each year, plus a number
Example: aqua12 or indigo103
Samuel: This is kind of a fun one. And there’s definitely a security advantage to random words and numbers because hackers can’t easily locate or guess a user’s information. This convention is a strong solution, offering a high degree of usability and anonymity. Of course, after a certain number of years, you would have to swap in another noun, such as a place or animal, but you could make one work for a long time to come.
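The word-plus-number convention above is easy to get subtly wrong in an identity system: the number has to be unique across everyone who shares the word, and the namespace for a word eventually runs out. The following Python is an added example, not code from the original post or from the author's organization. It assumes a hypothetical one-word-per-cohort table (COHORT_WORDS), a username shape of lowercase letters followed by digits (so nothing starts with a number and no special characters appear), random rather than sequential numbers so a username discloses neither enrolment order nor a person's name or year of birth, and exact detection of an exhausted word so the administrator knows when to add a new one.

```python
import random
import re

# Assumption for this example: one colour word per entry cohort, as in "aqua12" / "indigo103".
COHORT_WORDS = {2017: "aqua", 2018: "indigo", 2019: "teal"}

# Downstream-safe shape: letters first, then digits only (no leading digit, no special characters).
USERNAME_RE = re.compile(r"^[a-z]+[0-9]+$")


class WordNumberRegistry:
    """Issues <word><number> usernames and guarantees uniqueness across everything already issued."""

    def __init__(self, max_number=9999, rng=None):
        self.max_number = max_number
        # SystemRandom draws from the OS CSPRNG; a seeded random.Random can be injected for tests.
        self.rng = rng or random.SystemRandom()
        self.issued = set()

    def assign(self, cohort_year: int) -> str:
        word = COHORT_WORDS[cohort_year]
        # Enumerate the free numbers so exhaustion is detected exactly rather than by retry luck.
        free = [n for n in range(1, self.max_number + 1) if f"{word}{n}" not in self.issued]
        if not free:
            raise RuntimeError(
                f"all {self.max_number} names for '{word}' are taken; "
                f"add a new word for cohort {cohort_year}"
            )
        # A random free number: the username reveals no personal detail and the next
        # name to be issued cannot be predicted from the previous one.
        username = f"{word}{self.rng.choice(free)}"
        if not USERNAME_RE.fullmatch(username):  # guard against a bad entry in COHORT_WORDS
            raise ValueError(f"{username!r} violates the username shape")
        self.issued.add(username)
        return username

    def is_issued(self, username: str) -> bool:
        return username in self.issued


if __name__ == "__main__":
    registry = WordNumberRegistry()
    for year in (2017, 2017, 2018):
        print(year, registry.assign(year))
```

In a real deployment the `issued` set would be the directory itself (an LDAP or SCIM lookup) and the word table would be the only thing an administrator maintains, which is the point of the convention: the policy lives in one small table rather than in every user's personal data.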
Year of birth, followed by first name, surname initial, and optional number
Samuel: Again, this one starts with a number, which can be problematic in a lot of systems. But this rule also raises another important point: You want to avoid any usernames that disclose personally identifiable information, or PII, such as year of birth. That’s because incorporating these details into usernames makes it easier for bad guys to gather key identifying information on your students and employees.
Finding the Right Convention for You
It’s key to remember that the best approach for your organization depends upon a variety of factors, including its size, turnover rate, the systems in use, and so on. Carter says his advice would be to use what works and ignore what doesn’t. In the meantime, here are a few best practices to follow:
Establish your username convention early on
It’s important to find a convention that works well before you roll it out to your users. In many systems, it’s extremely difficult to change usernames in bulk, so if you change rules a few years down the road, you’d have to start from scratch.
Test your convention downstream
With any username rule, you have to do a check downstream to ensure it works on as many systems as possible. And remember: You may have something that works for 90 percent of use cases today, but what happens over time?
Whenever possible, use one convention
Some schools adopt different rules for student and staff usernames, but this creates issues when users hold multiple roles, such as students also being employees. Having two conventions gives you double the information to manage, so it’s always better to stick with one.
Deal with collisions in a straightforward way
If you’re a smaller school that uses name-based usernames, you may start to have collisions after a few years. But this is often resolved by simply adding a sequential number to the duplicate usernames.
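To make the two points above concrete (checking a convention against downstream rules, and resolving name collisions with a sequential number), here is an added Python example; it is not code from the original post or from the author's organization. It assumes a hypothetical first-initial-plus-surname convention, a set of downstream constraints distilled from the post (no leading digit, no special characters) plus an assumed 20-character cap standing in for whatever the strictest connected system imposes, and it folds accents, hyphens and apostrophes out of names so that a hyphenated or non-ASCII surname still yields a valid username.

```python
import re
import unicodedata

# Assumed downstream constraints: first character a letter, then letters/digits only, capped length.
MAX_LEN = 20
DOWNSTREAM_RE = re.compile(r"^[a-z][a-z0-9]{0,%d}$" % (MAX_LEN - 1))


def fold_name(part: str) -> str:
    """Strip accents and drop anything that is not a-z (hyphens, apostrophes, spaces, digits)."""
    ascii_only = unicodedata.normalize("NFKD", part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


def is_valid_downstream(username: str) -> bool:
    """The check every candidate convention should pass before rollout."""
    return DOWNSTREAM_RE.fullmatch(username) is not None


class NameBasedRegistry:
    """Issues <first initial><surname> usernames, appending 2, 3, ... on collision."""

    def __init__(self):
        self.issued = set()

    def assign(self, first: str, last: str) -> str:
        base = (fold_name(first)[:1] + fold_name(last))[:MAX_LEN]
        if not base:
            # e.g. a name written entirely in a non-Latin script: needs a manual decision, not a blank
            raise ValueError("name yields no usable characters; assign manually")
        candidate, n = base, 1
        while candidate in self.issued:
            n += 1
            suffix = str(n)
            # Keep the total within the cap even when the base itself is at the limit.
            candidate = base[: MAX_LEN - len(suffix)] + suffix
        if not is_valid_downstream(candidate):
            raise ValueError(f"{candidate!r} violates downstream username rules")
        self.issued.add(candidate)
        return candidate


if __name__ == "__main__":
    registry = NameBasedRegistry()
    for first, last in [("Sarah", "Bolton"), ("Sam", "Bolton"), ("José", "Muñoz-García")]:
        print(first, last, "->", registry.assign(first, last))
    for sample in ("2017sbolton", "s.bolton", "sbolton"):
        print(sample, "valid downstream:", is_valid_downstream(sample))
```

Run `is_valid_downstream` over a dump of proposed usernames for the whole population, not just a handful of test accounts; the names that fail are almost always the ones with accents, hyphens or leading digits that a small sample never exercises.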
Establishing the best username convention for your organization can be a challenge, but hopefully, exploring the pros and cons of some common approaches has provided insight into a policy that can work for your organization.
For more information, tools, and best practices for creating a future-proof account naming convention for your college or institution, download our free eBook, The Definitive Guide to Account Username Conventions.