Now that users can freely sign up to JudgeApps, maybe we can add an extra security measure by checking DCI number legality.
AFAIK, the DCI number can be validated using the Luhn algorithm, and have a lengh of 6-10 digits.
While this check adds very little security, it will prevent random people (and bots) from signing up using a random set of digits as a DCI number (they might luck-out, but most attempts will be denied).
I just created a new user with DCI number 2468, which is obviously illegal.
1, 2, 7 and 1234, none of which is a legal DCI number, were unavailable, as there are users with those DCI numbers already.
Those are all legal DCI numbers. The check digit wasn’t introduced until the 8 digit numbers. (And even then it isn’t 100%)
To give some more detail now that I’m not mobile.
Here are the normative references regarding DCI number validation, from Nick Fang and Jordan Baker respectively. They’re both blog posts about other things, so skim through to the parts that talk about DCI numbers. (I remember reading another blog post about canonical DCIs, but I can’t find it anymore, so maybe it was just a conversation with one of those SKs.)
Essentially, back in the Good Old Days, DCI numbers were issued sequentially, I believe starting from 1000. No check digit or anything, you just got assigned a number (and maybe a card) at your first organized event. Some Wizards employees from that time period have low-1000s DCI numbers. Some people have single digit numbers. Those are all still valid.
5, 6, and 7 digit DCI numbers were all issued, all without any check digit.
8 digit numbers were the first to contain a check digit, and it’s calculated based on the last 7 digits on the number. Take those 7 digits, calculate the checksum, compare it to the first digit, and if you have a match, the check digit is correct. 10 digit numbers were extended in the same way. So, most numbers like X0XXXXXXXX or X0X0XXXXXX were extended from shorter numbers.
Anyway, a Wizards account can be associated with more than one DCI number, but each account has only one “canonical” DCI number. The canonical DCI number is the one that shows up when you attempt to enter the user into an instance of WER if they aren’t already in the local players database, and I believe it’s also used when doing DCI lookups (searching for a DCI number by name) in WER and WLTR and when recording someone’s judge activity. So, that canonical number is the one that should be used on JudgeApps, as we need to match that number to verify their judge activity.
However, there’s no guarantee that that number is a 10 digit number with a valid checkdigit. Some people still use their 4-6 digit numbers either because that’s what they remember, or out of a sense of status. Some people have had multiple DCI numbers, which may not have been merged in the way they expect. There has been time that it was even possible to use an 8- or 10- digit number with an incorrect check digit in order to enter an event, and those “invalid” numbers are in WotC’s database, associated with Wizards accounts, and maybe even the canonical number on some accounts. There are certainly many of them in the judge activity export we get from WotC.
So we can’t block all <8 digit DCI numbers, as you seem to be suggesting in your email. We always have validated 8 and 10 digit numbers on registration, which probably helps a bit against spambots, since they are most likely to treat that field as a 10 digit phone number field. This validation causes problems for some of the “special case” users mentioned above, but those users can (and occasionally do) contact account assistance to get help registering, or to change their DCI number after they register.