
Changing user IDs and passwords

Learn why organizations should limit the number of username changes in this identity and access management ATE Q&A.

Why would someone limit the number of username changes, but not the number of password changes?
Frequently changing passwords keeps hackers -- who try to steal them -- out. In fact, this process should be part of any information security policy and strictly enforced. So, it would make sense to allow users to change their passwords as often as they like. On the other hand, usernames should be strictly monitored because the opposite holds true for them. Sound confusing? Let me explain.

A user ID uniquely identifies every single user; a password doesn't. A password is an authentication mechanism, not an identifier. Every user accessing your system should have a distinct, and individual, user ID. No two should be alike. Since passwords are secret, two different users – with different user IDs – could conceivably pick the same password, and the system wouldn't be compromised. Why? Because despite having the same password, the two users still have their own unique IDs and therefore, couldn't access each other's accounts.

On the other hand, if users are allowed to change their IDs at will, a malicious user could create a phantom account, meaning one user with two IDs: an open one for legitimate uses and a covert one with unauthorized access to the system for underhanded purposes.

This isn't immediately intuitive. If allowing frequent password changes makes the login credentials more secure, shouldn't the same be true for frequent user name changes? Not exactly. Again, think about the difference between the two. Although they're used together, they're very different. One is an identifier (the user ID), the other an authenticator (the password).

Therefore, a good rule of thumb for updating login credentials is to allow password changes, but not user ID changes.

This was last published in December 2005
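The identifier/authenticator split described above, as an added Python sketch that is not part of the original article. The `AccountStore` class, its method names, the per-user salt and the sample credentials are all assumptions made for illustration.

```python
import hashlib, hmac, os

class AccountStore:
    """Hypothetical store: the user ID is a fixed identifier, the password a replaceable authenticator."""

    def __init__(self):
        self._accounts = {}  # user_id -> (salt, password_hash)
        self.audit = []      # (user_id, event); every event stays tied to one ID

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, user_id, password):
        if user_id in self._accounts:
            raise ValueError("user ID already in use")  # no two IDs alike
        salt = os.urandom(16)
        self._accounts[user_id] = (salt, self._hash(password, salt))
        self.audit.append((user_id, "created"))

    def authenticate(self, user_id, password):
        record = self._accounts.get(user_id)
        if record is None:
            return False
        salt, stored = record
        ok = hmac.compare_digest(stored, self._hash(password, salt))
        self.audit.append((user_id, "login_ok" if ok else "login_failed"))
        return ok

    def change_password(self, user_id, old, new):
        if not self.authenticate(user_id, old):
            return False
        salt = os.urandom(16)  # fresh salt on every password change
        self._accounts[user_id] = (salt, self._hash(new, salt))
        self.audit.append((user_id, "password_changed"))
        return True

    def change_user_id(self, user_id, new_id):
        # Refused by design; the attempt itself is recorded for review.
        self.audit.append((user_id, f"rename_to_{new_id}_denied"))
        return False

def demo():
    store = AccountStore()
    for uid in ("alice", "bob"):  # constructed users sharing one password
        store.create(uid, "shared-Passw0rd")
    same_hash = store._accounts["alice"][1] == store._accounts["bob"][1]
    changed = store.change_password("alice", "shared-Passw0rd", "alice-new-secret")
    return (same_hash, changed, store.authenticate("bob", "shared-Passw0rd"),
            store.authenticate("alice", "shared-Passw0rd"), store.change_user_id("bob", "bob2"))
```

Because the audit list is keyed by an ID that never changes, a reviewer can follow one account's full history, which is the traceability that unrestricted renames would break.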
