Acceptable Usernames

As a general policy, I limit usernames on systems I design in the following ways:

作为一般政策,我通过以下方式限制我设计的系统上的用户名:

• Usernames must be lower ascii - this excludes unicode usernames that can be used to trick users. For example, when you include unicode into usernames the name "admin" and "ａｄｍｉｎ" are separate usernames but may appear identical to unsuspecting users.

用户名必须低于ascii - 这将排除可用于欺骗用户的unicode用户名。例如,当您将unicode包含在用户名中时,名称“admin”和“admin”是单独的用户名,但可能看起来与不知情的用户相同。

• Usernames must be unique - Using a username as a unique identifier is not advised, but it still makes sense to have it as a unique value if it is used for emails or logins.

用户名必须是唯一的 - 不建议使用用户名作为唯一标识符,但如果将其用作电子邮件或登录,则将其作为唯一值仍然有意义。

• Usernames do not conflict with reserved keywords - Disallowing usernames from being common system usernames is useful because it is one avenue of social engineering that can be used by black hats to scam users on your system. That means that, admin, webadmin, postmaster, root, administration, sysadmin, etc. should be blocked. Morever, if you will use a REST style URL system, make sure that usernames do not conflict with any potential paths that you may likely include in the future.

用户名与保留关键字不冲突 - 禁止用户名成为常见的系统用户名非常有用,因为它是社交工程的一种途径,黑帽子可以使用它来欺骗系统上的用户。这意味着,应该阻止admin,webadmin,postmaster,root,administration,sysadmin等。更重要的是,如果您将使用REST样式的URL系统,请确保用户名不会与您将来可能包含的任何潜在路径冲突。

• Usernames are cleaned - It is important that any html, or css markup is removed from inputted usernames in order to prevent XSS attacks or possible user impersonation attempts. Also, don't forget to trim leading and trailing whitespace characters from the username.

用户名被清除 - 重要的是从输入的用户名中删除任何html或css标记,以防止XSS攻击或可能的用户冒充尝试。另外,不要忘记从用户名中修剪前导和尾随空格字符。

The question really comes down to your use. If your usernames are just names associated with users on a web forum, then it doesn't really matter. However, if the usernames are part of a large system with security concerns, you should have a policy. The main danger with improper usernames is that a black-hat can exploit them as one method of social engineering innocent users into revealing sensitive information.

问题实际上取决于您的使用。如果您的用户名只是与网络论坛上的用户相关联的名称,那么这并不重要。但是,如果用户名是具有安全性问题的大型系统的一部分,则应该有一个策略。用户名不正确的主要危险是黑帽子可以利用它们作为社会工程无辜用户泄露敏感信息的一种方法。

Interestingly, after posting this answer, I checked Stack Overflow's username verification and it does disallow unicode characters like I suggested. However, it does give a cryptic error saying that the username is "reserved."

有趣的是,在发布这个答案之后,我检查了Stack Overflow的用户名验证,它确实禁止像我建议的unicode字符。但是,它确实给出了一个神秘的错误,说用户名是“保留的”。

In all seriousness though, filtering out names containing potentially-malicious code is a good idea. Beyond that, any anti-hate/troll/spam/* censorship is up to you and/or your community.

但是,严肃地说,过滤掉包含潜在恶意代码的名称是个好主意。除此之外,任何反仇恨/巨魔/垃圾邮件/ *审查都取决于您和/或您的社区。

The best way to keep folks from being "spoofed" with "authorative sounding names" is simply to distinguish "authority" in some other way (i.e. you have a special color of text in a post, you have a special icon or avatar, etc.).

保持人们不被“授权的名字”欺骗的最好方法就是以某种其他方式区分“权威”(即你在帖子中有特殊的文字颜色,你有特殊的图标或头像等等) )。

If you have user names that form part of URLs, you might want to disallow some or all of the following:

如果您的用户名构成了URL的一部分,则可能需要禁用以下部分或全部内容:

• api
• beta
• blog
• demo
• forum
• forums
• iphone
• mobile
• secure
• svn
• weblog
• welcome
• www

Seriously, you need to ensure any user generated data (not just usernames) are properly escaped before going into the database. This will ensure your users can't pull a SQL injection attack (e.g. the Bobby Tables cartoon linked by Evan Meagher). If your user wants to log in with a username like "Robert'); DROP TABLE", then, cool let them. Just make sure it won't harm your database.

说真的,您需要确保在进入数据库之前正确转义任何用户生成的数据(不仅仅是用户名)。这将确保您的用户无法进行SQL注入攻击(例如由Evan Meagher链接的Bobby Tables卡通)。如果您的用户想要使用“Robert'); DROP TABLE”这样的用户名登录,那么请让他们冷静下来。只要确保它不会损害您的数据库。

Equally, if you display a username anywhere on the site make sure your html special characters are properly encoded to prevent them from injecting <script> tags and javascript into your output (XSS vulnerability). e.g. a user with the username "<script>alert('Hi');</script>" should never see an alert box.

同样,如果您在网站上的任何位置显示用户名,请确保您的html特殊字符已正确编码,以防止他们将

If see no reason why you should disallow usernames that look like SQL Injection or XSS attacks, provided you make absolutely sure the user can do no harm to the system by having one.

如果你没有理由不禁止看起来像SQL注入或XSS攻击的用户名,只要你绝对确保用户不会对系统造成任何伤害。

If you're providing any email services tied to username (e.g. a webmail service), you'll want to make sure users can't register using one of the RFC 2142 reserved email addresses (or that you register them all yourself before launch.

如果您提供与用户名相关的任何电子邮件服务(例如,网络邮件服务),您将需要确保用户无法使用RFC 2142保留的电子邮件地址之一进行注册(或者您在启动之前自行注册这些地址。

Finally, there's a non-technical reason. If the person's username appears anywhere on the site it might be desirable to disallow usernames like "admin", "administrator", "root", "sysadmin", "webmaster", "moderator", as these usernames might be imply some sort of ownership or control of the site to another user. You probably only want the site owners to be able to imply they own the site. This may not be necessary in all situations.

最后,还有一个非技术原因。如果该人的用户名出现在网站的任何地方,则可能需要禁止用户名,如“admin”,“administrator”,“root”,“sysadmin”,“webmaster”,“版主”,因为这些用户名可能意味着某种形式的拥有或控制该网站给另一个用户。您可能只希望网站所有者能够暗示他们拥有该网站。在所有情况下都可能不需要这样做。

It might be worthwhile to disallow any combination of your company's trademarks. Not only does it make sense from a legal standpoint, but it keeps malicious visitors from trying to appear like a member of your organization.

不允许任何贵公司商标的组合可能是值得的。从法律角度来看,它不仅有意义,而且还可以防止恶意访问者像组织成员一样出现。

Consider replacing username with e-mail as nowadays users tend to forget their usernames.

考虑用电子邮件替换用户名,因为现在用户往往会忘记他们的用户名。

If user uses his email password, then you have free access to his email :) But seriously, saving plaintext passwords are not good idea.

如果用户使用他的电子邮件密码,那么您可以免费访问他的电子邮件:)但严重的是,保存明文密码并不是一个好主意。

Depending on what you do with the names, it shouldn't matter. You definitely shouldn't be injecting them into SQL statements, so the harm of database keywords should be minimized. My approach would be to allow pretty much anything, but not trust anything that's entered - use parameters in your SQL statement and/or sanitize the data if you're going to include it in, for example, HTML.

根据您对名称的处理方式,它无关紧要。您绝对不应该将它们注入SQL语句中,因此应尽量减少数据库关键字的危害。我的方法是允许几乎任何东西,但不信任输入的任何内容 - 在SQL语句中使用参数和/或清理数据(如果要将其包含在HTML中)。

Consider reading with this question to get a little more information about SQL Injection Attacks: What is the best way to avoid SQL injection attacks?

考虑阅读此问题以获取有关SQL注入攻击的更多信息:避免SQL注入攻击的最佳方法是什么?

I would have to say that you should allow anything, and if you don't want somebody to have user like Admin, you should create that user initially for your own use. Like others have said, if you're programming the application correctly, there shouldn't be any problem from using things like database keywords. If you aren't programming correctly, (writing code susceptible to sql injecttion) there is nothing that will stop a really creative person from getting around your black list.

我不得不说你应该允许任何东西,如果你不想让某人拥有像管理员这样的用户,你应该最初创建该用户供你自己使用。像其他人所说的那样,如果你正确编写应用程序,那么使用数据库关键字这样的东西应该没有任何问题。如果你没有正确编程,(编写易受sql注入的代码)没有什么可以阻止一个真正有创造力的人绕过你的黑名单。