Hi! My name is...
If XKCD’s “Little Bobby Tables” signed up for your website, what would happen? What if someone tried to sign up as a user named ‘administrator’? Usernames may be more complex than you expect! Come learn some of the ways they can be tricky or even dangerous, and how you can protect your sites and your users.
3:05 p.m.–3:35 p.m.
This talk will take a tour through some of the ways usernames (and other identifiers) can be trickier than we expect, or even genuinely dangerous, and will discuss ways you can use Python and its web frameworks to mitigate these risks and protect your sites and your users.
Some of the issues include:
- The difficulty of choosing between different types of unique identifier for users; they all have issues, and get worse when they start being exposed to the world (like in a profile-page URL).
- Ensuring uniqueness is surprisingly difficult! Usernames can have issues with case sensitivity, Unicode normalization, and confusingly similar-looking characters. Email addresses also present uniqueness issues, due to both the complexity of the standards for addresses and the quirks of popular email providers.
- Usernames as attack vectors: like any user-supplied input, they can be vectors for SQL injection and cross-site scripting attacks, but carefully-chosen usernames can also interfere with important services, or enable social engineering attacks.
Real-world examples will be provided for many of these issues, along with tips on specific tools and techniques – including both standard and third-party Django and Python libraries – for protecting against them.
This talk is designed for developers of any level of experience; both novices and veterans will probably learn something new!
Philosopher turned web geek. I like Django, Python 3, and the Oxford comma.