University email WTF



  • This isn't a major WTF, but at the time I think it did actually make me go "WTF" out loud.

    At my old university, your username / email address was <initials><last-name>, up to six characters. So, if your name was "A.N. Other" your username would be anothe.

    One of my friends, Andy Hall, had the email address: arhalll - with three 'L's on the end -- apparently there was an "arhall" already.

    I was just wondering what kind of braindead script repeats the final letter of a username when creating a user, if a user with the same username already exists? What's wrong with arhall1, arhall2, or something like that?

    Or trying with other characters i.e. ar_hall or something like that...

    Just struck me as being a bit strange!


     



  • @PhillS said:

    I was just wondering what kind of braindead script repeats the final letter of a username when creating a user, if a user with the same username already exists? What's wrong with arhall1, arhall2, or something like that?

    You need to apply Occam's Razor to figuring this one out.  If it seems that the script would be unnecessarily complex to accomplish this effect, consider the possibility that there is no script, and that this is the handiwork of a misguided sysadmin.


     



  • @PhillS said:

    This isn't a major WTF, but at the time I think it did actually make me go "WTF" out loud.

    At my old university, your username / email address was <initials><last-name>, up to six characters. So, if your name was "A.N. Other" your username would be anothe.

    One of my friends, Andy Hall, had the email address: arhalll - with three 'L's on the end -- apparently there was an "arhall" already.

    I was just wondering what kind of braindead script repeats the final letter of a username when creating a user, if a user with the same username already exists? What's wrong with arhall1, arhall2, or something like that?

    Or trying with other characters i.e. ar_hall or something like that...

    Just struck me as being a bit strange!


     

    The IRC client I use, if "Random832" is taken (usually due to the connection having dropped and the server thinking I'm still online), uses the name "Random833" - I guess it's just assuming that it already made over eight hundred attempts.



  • @Critter said:

    @PhillS said:

    I was just wondering what kind of braindead script repeats the final letter of a username when creating a user, if a user with the same username already exists? What's wrong with arhall1, arhall2, or something like that?

    You need to apply Occam's Razor to figuring this one out.  If it seems that the script would be unnecessarily complex to accomplish this effect, consider the possibility that there is no script, and that this is the handiwork of a misguided sysadmin.

    In other words, Clarke's law of shell scripts: Any sufficiently complex script is indistinguishable from a (competent or otherwise, depending on the script) sysadmin



  • You want to hear a real university WTF? The college I went to was appending the last 4 SSN numbers to an email address! And of course, your first 3 numbers are pretty easy to guess, leaving 2 digits left... 1 out of 100 anyone? It gets better: if you forgot your email password, you provide your SSN, and if you put in the wrong SSN, it tells you!



  • @Vechni said:

    You want to hear a real university WTF? The college I went to was appending the last 4 SSN numbers to an email address! And of course, your first 3 numbers are pretty easy to guess, leaving 2 digits left... 1 out of 100 anyone? It gets better: if you forgot your email password, you provide your SSN, and if you put in the wrong SSN, it tells you!

    Four digits. Of which three are easily guessable, leaving two. What arithmetic are you using where 4 = 3 + 2 ?

    Using SSN digits as part of an email address is not a problem. If the ENTIRE SSN is required to reset a forgotten password, that's not a problem either (although not the most secure means). 



  • @m0ffx said:

    @Vechni said:

    You want to hear a real university WTF? The college I went to was appending the last 4 SSN numbers to an email address! And of course, your first 3 numbers are pretty easy to guess, leaving 2 digits left... 1 out of 100 anyone? It gets better: if you forgot your email password, you provide your SSN, and if you put in the wrong SSN, it tells you!

    Four digits. Of which three are easily guessable, leaving two. What arithmetic are you using where 4 = 3 + 2 ?

    Using SSN digits as part of an email address is not a problem. If the ENTIRE SSN is required to reset a forgotten password, that's not a problem either (although not the most secure means). 


    Except the original post mentioned that it will tell you if the SSN and email don't match up, meaning you could easily write a script to get someone's ssn from their email.
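The reset flow described above confirms a wrong SSN, which is what makes the remaining digits recoverable from the email address. As an added example (not part of any post, and not the university's code), this reset check gives the same reply whatever the outcome and caps failed attempts per account; the class name, limits and sample record are assumptions constructed for illustration.

```python
import hmac
import time

GENERIC_REPLY = "If the details match our records, a reset link has been sent."
MAX_FAILURES = 5          # assumed policy: failures allowed per window
WINDOW_SECONDS = 3600     # assumed policy: length of the counting window


class ResetVerifier:
    def __init__(self, identifiers, clock=time.monotonic):
        self._identifiers = identifiers   # username -> identifier on file
        self._failures = {}               # username -> failure timestamps
        self._clock = clock
        self.outbox = []                  # stands in for the out-of-band mailer

    def _recent_failures(self, username):
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(username, []) if t > cutoff]
        self._failures[username] = recent
        return recent

    def request_reset(self, username, supplied):
        """Always return GENERIC_REPLY; the outcome only shows up in outbox."""
        recent = self._recent_failures(username)
        expected = self._identifiers.get(username)
        # Compare against a dummy for unknown users so both paths do the same work.
        matches = hmac.compare_digest(
            supplied.encode(), (expected or "\0" * 9).encode())
        if len(recent) >= MAX_FAILURES:
            return GENERIC_REPLY          # locked: even a correct value is ignored
        if expected is not None and matches:
            self.outbox.append(username)  # link goes to the address on file
        else:
            recent.append(self._clock())
        return GENERIC_REPLY


if __name__ == "__main__":
    # Constructed sample record; the identifier is not a real SSN.
    verifier = ResetVerifier({"jdoe1234": "000112222"})
    print(verifier.request_reset("jdoe1234", "000002222"))  # wrong value
    print(verifier.request_reset("jdoe1234", "000112222"))  # right value
    print(verifier.outbox)
```

With only 100 candidate values left, the attempt cap matters as much as the uniform reply: the reply hides the outcome, the cap stops the candidate space from being walked.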



  • @m0ffx said:

    @Vechni said:

    You want to hear a real university WTF? The college I went to was appending the last 4 SSN numbers to an email address! And of course, your first 3 numbers are pretty easy to guess, leaving 2 digits left... 1 out of 100 anyone? It gets better: if you forgot your email password, you provide your SSN, and if you put in the wrong SSN, it tells you!

    Four digits. Of which three are easily guessable, leaving two. What arithmetic are you using where 4 = 3 + 2 ?

    Using SSN digits as part of an email address is not a problem. If the ENTIRE SSN is required to reset a forgotten password, that's not a problem either (although not the most secure means). 

     

    What arithmetic are you using? There are 9 digits in an SSN. The last four are on the email. The first three follow a pattern that can be determined with knowledge of the student's birthday and place of birth. That leaves the middle two numbers, which only have 100 different values. (00 through 99)

     3 + 2 + 4 = 9
     



  • At my old school, they must have done it by hand, and the sysadmin had a bit of a sense of humor -- pretty rare for sysadmins. The username was built up of the short year (1996 at the time, so 96), the form we were in (A-F), the initial of your first name, and your full name.

    I had a friend who was in form F, who was called 'A. Theria....' there is more but it's not relevant. His username, as you may have guessed, is 96FATHER. Amusing, and simple you would think, a length of 8 letters for the username, creates father. Except my last name is 11 long, and I had all of it. So the sysadmin must have deliberately stopped to give my friend that username.



  • @NerfTW said:

    @m0ffx said:

    @Vechni said:

    You want to hear a real university WTF? The college I went to was appending the last 4 SSN numbers to an email address! And of course, your first 3 numbers are pretty easy to guess, leaving 2 digits left... 1 out of 100 anyone? It gets better: if you forgot your email password, you provide your SSN, and if you put in the wrong SSN, it tells you!

    Four digits. Of which three are easily guessable, leaving two. What arithmetic are you using where 4 = 3 + 2 ?

    Using SSN digits as part of an email address is not a problem. If the ENTIRE SSN is required to reset a forgotten password, that's not a problem either (although not the most secure means). 

    What arithmetic are you using? There are 9 digits in an SSN. The last four are on the email. The first three follow a pattern that can be determined with knowledge of the student's birthday and place of birth. That leaves the middle two numbers, which only have 100 different values. (00 through 99)

     3 + 2 + 4 = 9
     

    I thought you meant people were trying to guess those four digits (in
    the case where they don't know the email). Not the whole SSN.
     



  • How are the first three easily guessable?  You have to know the ZIP code from which the victim's SSN was applied (this is not necessarily where they live or even where they were born), then start guessing because the SSA only lists what numbers belong to what states, not the specific ZIP codes.  For example, Pennsylvania has 52 three-digit prefixes, so multiply THAT by 99 to find out the number of guesses (00 is not used).



  • @Lingerance said:

    Except the original post mentioned that it will tell you if the SSN and email don't match up, meaning you could easily write a script to get someone's ssn from their email.

    I can't imagine why you would do that, rather than simply getting it from one of the more-or-less public databases.

    You didn't think it was a secret, did you? Choicepoint and others have been selling that stuff for decades.
     



  • I can't wait until Sean Hit signs up.




  • @fredfred said:

    I can't wait until Sean Hit signs up.


    At my uni, he'd get hit or seanh or something unless he's me, then he'd get swh45. 

    All my friends got their last name or some combination of first and last like mthompson or something as a userID.  Me?  My initials and a number.  Thanks IT.  



  • @operagost said:

    How are the first three easily guessable?  You have to know the ZIP code from which the victim's SSN was applied (this is not necessarily where they live or even where they were born), then start guessing because the SSA only lists what numbers belong to what states, not the specific ZIP codes.  For example, Pennsylvania has 52 three-digit prefixes, so multiply THAT by 99 to find out the number of guesses (00 is not used).

    There are going to be some prefixes that are over-represented (e.g., those within a 100 mile radius of the school), and it wouldn't be too hard to figure a few of them out.



  • Lurker here, I can't help but add to this.  My college uses a similar system, taking the first five letters of the last name and the first letter of the first, then a number corresponding to the number of times this combo has been used before.  So your Andy Hall would be arhall2.  I know a John Nguyen who claims to be the thirteenth nguyej; what about all of the J Nguyens at your school?  nguyejjjjjjjjjjjjj@wtfu.edu ???



  • @bugmenot1 said:

    Lurker here, I can't help but add to this. My college uses a similar system, taking the first five letters of the last name and the first letter of the first, then a number corresponding to the number of times this combo has been used before. So your Andy Hall would be arhall2. I know a John Nguyen who claims to be the thirteenth nguyej; what about all of the J Nguyens at your school? nguyejjjjjjjjjjjjj@wtfu.edu ???

    I didn't notice any while I was there, but if I come across any I will let you know!

    It would be interesting to see how it coped with three people having the same name...
     



  • @PhillS said:

    @bugmenot1 said:

    Lurker here, I can't help but add to this. My college uses a similar system, taking the first five letters of the last name and the first letter of the first, then a number corresponding to the number of times this combo has been used before. So your Andy Hall would be arhall2. I know a John Nguyen who claims to be the thirteenth nguyej; what about all of the J Nguyens at your school? nguyejjjjjjjjjjjjj@wtfu.edu ???

    I didn't notice any while I was there, but if I come across any I will let you know!

    It would be interesting to see how it coped with three people having the same name...
     

    My university uses initials (it seeming highly arbitrary whether middle names are included or not), then numbers issued in sequence. All are 5 characters - the first two (presumably) are always initials, I've never seen the last one not a number, though I have seen 4 letters (the SAME letter!) followed by a number (which wasn't 1!)

    Short, easy to remember one's own, quick to type (it's used for lots of other logins too), but impossible to remember anyone else's, and means there are only about 12 million possible addresses, making things possibly a bit easy for spammers.



  • @m0ffx said:

    My university uses initials (it seeming highly arbitrary whether middle names are included or not), then numbers issued in sequence. All are 5 characters - the first two (presumably) are always initials ... and means there are only about 12 million possible addresses, making things possibly a bit easy for spammers.

    We were a combination of UNIX and Novell Netware. Your e-mail address was your initials and full surname, e.g. D.G.Beardsmore, and an inner number for a duplicate, ISTR, e.g. J.R.3.Smith. The corresponding UNIX server username was a valid substitute, and these -- for students -- were five characters, formed of two initials, then a digit and two characters, e.g. bd3ad in my case.

    To log into a Windows PC in the library, your username and password sufficed. However, Novell Netware also divided everyone into "contexts" and while Windows Netware could derive this from your username, Mac Netware could not. There was a huge red tome of every person at the entire university available for you to look up your Netware context (four letters, mine was something like 'eqbk') to log into a Mac.

    The irony was that in the first year, Netware for Windows (especially Zen) was hopelessly slow and unstable. Practical classes in a library PC area would take 15 minutes to log you in, and then ZENworks would die and you'd not be able to launch any more software without logging back out and then in again (you could ask to restart ZENworks but that never worked).

    As a result, I would use the Mac areas just to get a computer that would log in rapidly. The Macs also had much larger screens (17" instead of what felt like 12" on the PCs). That was how I came to learn about the Motorola StarMax 3000/200, and after the first year (this was 2000) I replaced my ageing Win 3.11 486 (!) and 68020 System 7.1 Mac (!!!) with a StarMax 4000/200.



  • My university also used Novell Netware (I think), which imposed an 8 character username limit. The default format was initials surname (e.g. John C Smith was jcsmith), but if that was not available for whatever reason the fallbacks seemed to be somewhat arbitrary.  Sometimes they'd tack a number on the end, which also seemed to be arbitrary, I had friends who had 0s and 2s at the end of their username.  Others just had the username reversed (A. Warwick got warwicka).  If your name didn't fit in the 8 characters, you'd get your initials (e.g. I got "amn"), or some other arbitrary allocation -- a guy I know whose name was Charles [some really long surname] simply got "charlie" as his username.  No fair!  

    As a side note, university staff didn't use the same system and had First.Last as their usernames.  Not sure why students couldn't have the same form.



  • You all must have fancy networks since my uni email address was just my student number @mail.connect.example.edu.au. (Yes, including the "mail")

    Student numbers began with a Q, D or W (depending whether you went through QTAC, direct or web for initial application), then the year, then 5 numbers assigned sequentially starting at 10000. eg q98xxxxx. I think they changed this in 2000 as it couldn't cope with q00 so it became q10.

    Real student numbers had another number (or 'X') on the end as a check digit, but this was not used in the labs. They've changed all this now anyway with the introduction of PeopleSoft.

    I have a WTF with usernames. I did some work in a government department and we got a notification that there was a username collision. This was six months after the second one started working. Somehow there were two apwilso accounts. The request came through to change the one who was there for two years. I guess this happens when there are multiple systems in use where some can handle long names and others can't! This collision was stopping Notes from working properly for one of the apwilsos.

    Edit: Collision avoidance was done by changing it to azwilso. I guess next would have been axwilso then aqwilso. If someone didn't have a middle name they got an honorary middle name of "Z", even in the full name of Notes: "Random Z Person".

