Massive Flaw with the CommonApp System/Infrastructure

<p>While trying to log on today, for the first time in weeks, I noticed that my account was locked. It gave me a message along the lines of “You have logged in unsuccessfully with the wrong password for more than 10 times, your account is now locked. Please contact technical support to unlock it.”</p>

<p>After going through a myriad of pages to submit a help ticket to the CommonApp, I decided to do a little experimenting. </p>

<p>I made a bunch of random accounts, and then proceeded to simply put in fake passwords for their logins until they were all locked:</p>

<p>Now, as you may see where this is getting to, if ANYONE knows your account name, or your account name is simply your first name (e.g., Albert, John), they can potentially put your account on total lockdown. In my case, my account name was simply too common (my last name). All they would have to do is spam random passwords to lock down each account, and you would have to go through a hassle to unlock it. </p>

<p>It’d be awfully useful if the CommonApp removed this “safety feature”; I have a feeling it’ll be exploited pretty soon. (Imagine someone locking your account ON DEADLINE DAY.) </p>

<p>So the moral of this story? DON’T pick your first/last name for a username (usually it’s common sense, but for the CommonApp system, security and usernames seem trivial), and DON’T make your username predictable.</p>

<p>“DON’T make your username predictable.”</p>

<p>. . . as you said, that seems like common sense.</p>

<p>College application systems have an annoying tendency to fail at security. (The UC application requires you to have a password with between six and eight characters, ***). Like evertheoptimist said, just make sure people don’t know and can’t find out your username.</p>

<p>It is standard practice to lock accounts after some number of failed login attempts. Think about the possibilities if the Common App didn’t lock your account after 10 failed attempts and allowed someone to keep guessing until they picked your password. I’d rather have my account locked than my personal information stolen.</p>

<p>Usually people make their passwords something personal, though. There’s a really, really small chance of people figuring out my password, and I think locking the account just based on username, even when the person inputs the correct password later, is ridiculous. There must be countless people who just put their first names or first and last names into their usernames; this could turn out to be a big problem.</p>
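<p>The thread goes back and forth on whether locking after failed attempts is brute-force protection or a denial-of-service handle. The following is an added illustration, not Common App code (none is shown in the thread), of the two policies side by side: the lock-by-username-until-support-unlocks behaviour the first post describes, and a throttled alternative that keys failures to the source address as well as the username, expires blocks on its own, and doubles the block length on repeated failure. The class names, thresholds, the demo account and the scenario in <code>simulate()</code> are all assumptions made for the example.</p>

```python
import hashlib
import hmac
import os
from collections import defaultdict


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-SHA256. The hashing scheme is an assumption for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user_store(credentials):
    """Constructed demo store: {username: (salt, hash)}. Not a real database."""
    store = {}
    for username, password in credentials.items():
        salt = os.urandom(16)
        store[username] = (salt, hash_password(password, salt))
    return store


def password_ok(store, username, password):
    entry = store.get(username)
    if entry is None:
        return False
    salt, digest = entry
    return hmac.compare_digest(hash_password(password, salt), digest)


class NaiveLockout:
    """Lockout as the thread describes it: ten failures against a username,
    from anyone, and the account stays locked until support intervenes."""
    MAX_FAILURES = 10

    def __init__(self, store):
        self.store = store
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, username, password, source_ip, now):
        if username in self.locked:
            return "locked"
        if password_ok(self.store, username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        if self.failures[username] >= self.MAX_FAILURES:
            self.locked.add(username)
        return "bad_password"


class ThrottledLockout:
    """Hardened policy (hypothetical): failures are counted per (username,
    source_ip), so a stranger spamming guesses blocks only their own source;
    blocks are temporary, double on each further failure (capped) and expire
    on their own; a per-source cap across all usernames slows one machine that
    cycles through many accounts; a successful login clears the counter."""
    PAIR_MAX = 5          # failures per (username, source_ip) before a block
    SOURCE_MAX = 50       # failures from one source across all usernames
    WINDOW = 15 * 60      # seconds a failure stays on the books
    BASE_DELAY = 30       # first block length, seconds
    MAX_DELAY = 60 * 60   # cap on the doubling

    def __init__(self, store):
        self.store = store
        self.pair_failures = defaultdict(list)     # (user, ip) -> [timestamps]
        self.source_failures = defaultdict(list)   # ip -> [timestamps]
        self.blocked_until = {}                    # (user, ip) -> epoch seconds

    def _recent(self, stamps, now):
        stamps[:] = [t for t in stamps if now - t < self.WINDOW]
        return stamps

    def login(self, username, password, source_ip, now):
        key = (username, source_ip)
        if now < self.blocked_until.get(key, 0):
            return "throttled"
        if len(self._recent(self.source_failures[source_ip], now)) >= self.SOURCE_MAX:
            return "throttled"
        if password_ok(self.store, username, password):
            self.pair_failures.pop(key, None)
            self.blocked_until.pop(key, None)
            return "ok"
        self.source_failures[source_ip].append(now)
        recent = self._recent(self.pair_failures[key], now)
        recent.append(now)
        excess = len(recent) - self.PAIR_MAX
        if excess >= 0:
            delay = min(self.BASE_DELAY * 2 ** excess, self.MAX_DELAY)
            self.blocked_until[key] = now + delay
        return "bad_password"


def simulate():
    """Constructed scenario: a stranger who knows the username 'albert' guesses
    wrong ten times from one address; the owner then logs in from another."""
    store = make_user_store({"albert": "correct horse battery staple"})
    results = {}
    for name, policy in (("naive", NaiveLockout(store)), ("throttled", ThrottledLockout(store))):
        t = 1_700_000_000
        attacker = [policy.login("albert", f"guess{i}", "203.0.113.9", t + i) for i in range(10)]
        owner = policy.login("albert", "correct horse battery staple", "198.51.100.7", t + 10)
        results[name] = {"attacker": attacker, "owner": owner}
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(name, outcome)
```

<p>Under the naive policy the owner's correct password returns <code>locked</code>, which is exactly the complaint in the thread; under the throttled one the stranger's source is blocked after five guesses while the owner, arriving from elsewhere, gets <code>ok</code>. The trade-off is that a distributed guesser is no longer stopped by the per-username counter alone, which is why the per-source cap and the slow password hash still matter.</p>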

<p>Precisely my point.</p>

<p>Also, “not picking predictable usernames” is common sense, but what if your username is already in a database? I.e., your username is the same as yours on a forum, or on collegeconfidential? If there were any ■■■■■■ (and trust me, there are) on either this or any other forum, you bet that those usernames aren’t safe.</p>

<p>. . . which is precisely why I use different usernames for every site/forum/account.</p>

<p>That is pretty standard practice on websites. If you want to ensure that it doesn’t screw up your submission, try submitting your application before the deadline. It’s highly unlikely that somebody would be spamming wrong passwords 24/7 for months.</p>