Why would someone limit the number of username changes, but not the number of password changes?


Frequently changing passwords helps keep out attackers who try to steal them: a new password invalidates whatever copy an attacker may already have captured. In fact, this should be part of any information security policy and strictly enforced. So it makes sense to allow users to change their passwords as often as they like. Usernames, on the other hand, should be strictly controlled, because the opposite holds true for them. Sound confusing? Let me explain.

A user ID uniquely identifies each user; a password doesn't. A password is an authentication mechanism, not an identifier. Every user accessing your system should have a distinct, individual user ID, and no two should be alike. Since passwords are secret, two different users, with different user IDs, could conceivably pick the same password without the system being compromised. Why? Because despite sharing a password, the two users still have their own unique IDs and therefore cannot access each other's accounts. (This assumes passwords are stored as salted hashes, so that identical passwords do not produce identical stored values that would reveal the coincidence to anyone who can read the credential store.)

On the other hand, the user ID is what audit logs, access control lists and ownership records point at. If users are allowed to change their IDs at will, that record of who did what breaks, and a malicious user could run a phantom account, meaning one person with two IDs: an open one for legitimate uses and a covert one with unauthorized access to the system for underhanded purposes.

This isn't immediately intuitive. If allowing frequent password changes makes login credentials more secure, shouldn't the same be true of frequent user name changes? Not exactly. Again, think about the difference between the two. Although they're used together, they're very different: one is an identifier (the user ID), the other an authenticator (the password).

Therefore, a good rule of thumb for updating login credentials is to allow password changes, but not user ID changes.
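The following is an added example, not code from the original answer, showing the identifier/authenticator split in a minimal account store. The user ID is the immutable key; the password is a replaceable secret stored as a salted hash, so two users who pick the same password get different stored hashes and can only log in to their own accounts; a password change is allowed and logged against the ID; a user ID change is refused. The store, the account names and the passwords are all constructed for the illustration.

```python
import hashlib
import hmac
import os

# Added example (not from the original article): a minimal account store
# that treats the user ID as an immutable identifier and the password as
# a replaceable authenticator. Names and inputs below are constructed.

PBKDF2_ROUNDS = 100_000  # illustrative; tune upward for production use


def _hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256. A per-user random salt means two users who
    pick the same password still end up with different stored hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, user_id, password):
        self.user_id = user_id          # identifier: unique and never changed
        self.salt = os.urandom(16)
        self.pw_hash = _hash_password(password, self.salt)
        self.audit = ["created"]        # history stays tied to this ID


class AccountStore:
    def __init__(self):
        self._accounts = {}             # user_id -> Account

    def create(self, user_id, password):
        if user_id in self._accounts:   # "no two should be alike"
            raise ValueError("user ID %r already exists" % user_id)
        acct = Account(user_id, password)
        self._accounts[user_id] = acct
        return acct

    def authenticate(self, user_id, password):
        """The ID selects the account; the password only proves possession."""
        acct = self._accounts.get(user_id)
        if acct is None:
            return False
        return hmac.compare_digest(acct.pw_hash, _hash_password(password, acct.salt))

    def change_password(self, user_id, old_password, new_password):
        if not self.authenticate(user_id, old_password):
            return False
        acct = self._accounts[user_id]
        acct.salt = os.urandom(16)      # fresh salt with every change
        acct.pw_hash = _hash_password(new_password, acct.salt)
        acct.audit.append("password changed")
        return True

    def change_user_id(self, old_id, new_id):
        # Identifiers are what logs and ACLs refer to; they do not change.
        raise PermissionError("user IDs are immutable; create a new account instead")

    def audit_trail(self, user_id):
        return list(self._accounts[user_id].audit)


def demo():
    """Walk through the scenarios in the article and return the outcomes."""
    store = AccountStore()
    store.create("alice", "correct horse")
    store.create("bob", "correct horse")   # same password, different ID
    results = {
        "same_hash": store._accounts["alice"].pw_hash == store._accounts["bob"].pw_hash,
        "alice_ok": store.authenticate("alice", "correct horse"),
        "bob_ok": store.authenticate("bob", "correct horse"),
        "pw_change": store.change_password("alice", "correct horse", "new pass 1"),
    }
    results["old_pw_rejected"] = store.authenticate("alice", "correct horse")
    results["new_pw_ok"] = store.authenticate("alice", "new pass 1")
    try:
        store.change_user_id("alice", "root")
        results["rename_blocked"] = False
    except PermissionError:
        results["rename_blocked"] = True
    results["alice_audit"] = store.audit_trail("alice")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that `same_hash` comes back false even though alice and bob chose the same password, which is what keeps a shared password from being visible to anyone reading the credential table; and alice's audit trail survives her password change precisely because it is keyed to the ID that never moves.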

This was first published in December 2005
