Unix Technical Forum

Getting list of recently added IDENTITY items

#41, 02-29-2008, 07:46 PM
pb648174
Re: Getting list of recently added IDENTITY items

I agree with you except for the security part.. If the security of a
system depends on how hard the user id is to guess then you have
greater issues. Someone can guess Ids all they want, we have sufficient
security measures to make sure that users see only what they have
explicit access to. Any hacker would be able to figure out the Id from
looking at the code anyway. Like I said, the use of that Id only
happens in 1% of the situations but is useful sometimes.

#42, 02-29-2008, 07:47 PM
Hugo Kornelis
Re: Getting list of recently added IDENTITY items

On 18 Mar 2006 05:11:20 -0800, pb648174 wrote:

>I agree with you except for the security part.. If the security of a
>system depends on how hard the user id is to guess then you have
>greater issues. Someone can guess Ids all they want, we have sufficient
>security measures to make sure that users see only what they have
>explicit access to. Any hacker would be able to figure out the Id from
>looking at the code anyway. Like I said, the use of that Id only
>happens in 1% of the situations but is useful sometimes.


Hi pb648174,

You are of course right that security should not _depend_ on userids
being hard to guess. But on the other hand - improving security can
often be done by adding extra layers of security on top of each other.
If two setups are both secured exactly the same, with the sole
difference of userids being easy to guess in one setup and hard to guess
in the second, the second will be harder to crack.

Of course, implementing security means weighing the cost versus the
benefit of each extra security layer, not just stacking everything you
can come up with on top of each other - but in the case of sequential or
non-sequential numbering of userids, the cost is almost non-existent, so
even though the benefit is small, it's still worthwhile.

Just my € 0.02

--
Hugo Kornelis, SQL Server MVP
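
The layering both posters describe, as an added example that is not part of the thread: an explicit-grant check as the primary control, with a random public identifier kept beside the sequential key. SQLite stands in for SQL Server here, and the table, column and function names and the sample rows are assumptions constructed for the sketch.

```python
import secrets
import sqlite3

def build_db():
    """Constructed sample schema: sequential internal key plus random public key."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (
            id        INTEGER PRIMARY KEY AUTOINCREMENT,  -- sequential, like IDENTITY
            public_id TEXT NOT NULL UNIQUE,               -- random, the only id shown to clients
            name      TEXT NOT NULL
        );
        CREATE TABLE user_access (                        -- explicit grants
            viewer_id INTEGER NOT NULL REFERENCES users(id),
            target_id INTEGER NOT NULL REFERENCES users(id),
            PRIMARY KEY (viewer_id, target_id)
        );
    """)
    for name in ("alice", "bob", "carol"):                # constructed sample users
        db.execute("INSERT INTO users (public_id, name) VALUES (?, ?)",
                   (secrets.token_urlsafe(16), name))
    db.execute("INSERT INTO user_access SELECT id, id FROM users")  # everyone sees themselves
    db.execute("INSERT INTO user_access VALUES (1, 2)")             # alice may also see bob
    return db

def public_id_of(db, name):
    """Look up the random public id for a sample user."""
    return db.execute("SELECT public_id FROM users WHERE name = ?", (name,)).fetchone()[0]

def fetch(db, viewer_id, key, by="public_id", enforce=True):
    """Return the target's name, or None for both 'no such id' and 'no access'.

    enforce=False models a query where the grant check was forgotten, to show
    which identifier scheme still limits exposure in that case.
    """
    if by not in ("id", "public_id"):                     # whitelist the column name
        raise ValueError(by)
    sql = f"SELECT u.name FROM users u WHERE u.{by} = ?"
    params = [key]
    if enforce:
        sql += (" AND EXISTS (SELECT 1 FROM user_access a"
                " WHERE a.viewer_id = ? AND a.target_id = u.id)")
        params.append(viewer_id)
    row = db.execute(sql, params).fetchone()
    return row[0] if row else None
```

With the grant check in place the identifier scheme makes no difference to what a viewer can read; it only matters on a code path where the check is missing.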