Changing user IDs and passwords

Learn why organizations should limit the number of username changes in this identity and access management ATE Q&A.

Why would someone limit the number of username changes, but not the number of password changes?
Frequently changing passwords keeps hackers -- who try to steal them -- out. In fact, this process should be part of any information security policy and strictly enforced. So, it would make sense to allow users to change their passwords as often as they like. On the other hand, usernames should be strictly monitored because the opposite holds true for them. Sound confusing? Let me explain.

A user ID uniquely identifies every single user, a password doesn't. A password is an authentication mechanism, not an identifier. Every user accessing your system should have a distinct, and individual, user ID. No two should be alike. Since passwords are secret, two different users – with different user IDs – could conceivably pick the same password, and the system wouldn't be compromised. Why? Because despite having the same password, the two users still have their own unique IDs and therefore, couldn't access each other's accounts.

On the other hand, if users are allowed to change their IDs at will, a malicious user could create a phantom account, meaning one user with two IDs: an open one for legitimate uses and a covert one with unauthorized access to the system for underhanded purposes.

This isn't immediately intuitive. If allowing frequent password changes makes the login credentials more secure, shouldn't the same be true for frequent user name changes? Not exactly. Again, think about the difference between the two. Although they're used together, they're very different. One is an identifier (the user ID), the other an authenticator (the password).

Therefore, a good rule of thumb for updating login credentials is to allow password changes, but not user ID changes.

This was first published in December 2005
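The identifier/authenticator split described in the answer, as an added example that is not part of the original Q&A: a small account store in which the password can be rotated but the user ID is fixed and every rename attempt is audited. The class name, method names, event names and per-user salted PBKDF2 storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class AccountStore:
    """Hypothetical store: user ID = immutable identifier, password = changeable authenticator."""

    def __init__(self):
        self._accounts = {}   # user_id -> (salt, password_hash)
        self.audit_log = []   # (event, user_id, detail)

    @staticmethod
    def _hash(password, salt):
        # Per-user salt: identical passwords still produce different stored hashes.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, user_id, password):
        if user_id in self._accounts:
            raise ValueError("user ID already in use")   # no two IDs alike
        salt = os.urandom(16)
        self._accounts[user_id] = (salt, self._hash(password, salt))
        self.audit_log.append(("create", user_id, ""))

    def authenticate(self, user_id, password):
        record = self._accounts.get(user_id)
        if record is None:
            return False
        salt, stored = record
        # The password is only ever checked against the record of the claimed ID.
        return hmac.compare_digest(stored, self._hash(password, salt))

    def change_password(self, user_id, old, new):
        # Password changes are unlimited, but require the current password.
        if not self.authenticate(user_id, old):
            self.audit_log.append(("password_change_denied", user_id, ""))
            return False
        salt = os.urandom(16)
        self._accounts[user_id] = (salt, self._hash(new, salt))
        self.audit_log.append(("password_change", user_id, ""))
        return True

    def change_user_id(self, user_id, new_id):
        # Renames are refused and logged, so one person cannot end up with a second, covert ID.
        self.audit_log.append(("user_id_change_denied", user_id, new_id))
        raise PermissionError("user IDs are fixed identifiers")
```

Reviewing the `user_id_change_denied` entries in the audit log is where an attempt to set up a second identity would show up.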
