Categories
How It Is

Your Username is Not A Secret

Things that aren’t secrets shouldn’t be hidden, since it just wastes your time.

I keep seeing this pop up. “Your CMS is not secure because it makes your username/id public! Once a hacker has that, they can try to break in!” At one point I snapped “Sure, and your house isn’t secure because someone knows your address.”

Secret FilesIt’s one of those logical fallacies that seems vaguely accurate on the surface, but really are just plain wrong. On some level, you’d think that if a hacker doesn’t know your ID, they can’t get in, but the reality is most hackers, the surface level idiots who are trying to break into any site available aren’t checking for your user ID/Name, they’re looking specifically for a vulnerability, like they did with the TimThumb accidental (D)DoS.

In addition, they’re not usually looking for your ID when trying that brute force login attack. The practical difference between someone trying to log in with “admin” and someone trying to log in with “ipstenu” is pretty negligible, since they’re killing my server before they get in anyway.

As I wrote this, I thought what it would be like if there was a mod_security rule that checks if you’re trying to log into a site with the username ‘admin’ and, if so, blocks you from being able to log in. Of course, there are millions of sites with millions of CMS tools, and for some you actually cannot change the admin account name away from admin.

WordPress is not alone in thinking your username isn’t a secret. Drupal also thinks disclosure of usernames/id is not a security risk. In fact, Google doesn’t think your ID is a secret. After all, you can log in to Google’s devices with your email, and everyone whom you’ve ever emailed kinda knows that. “Oh, you emailed me from ipstenu@gmail.com? I’ll attack that!”

Now of course, if you try to log in with that too many times, you lock your IP out. And similarly, if you try to log in to my server via SSH too many times, the same thing happens. Have I ever locked myself out? You bet. Less since I switched to 1Password and SSH keys, but it still is very effective.

Why isn’t this built into the core of most CMSs? Because a CMS like Drupal and WordPress is not as volatile as, say, the healthcare.gov site. The danger that comes from someone getting into my blog is minimal compared to someone getting into my email. But again, everyone knows my email account, so they’ve always got one half to the puzzle right then and there.

Top Secret FilesOne of the other primary reasons this isn’t built in to WordPress is that it’s hard to do right, and in a way that will work on all servers, and in a way that will be easy for someone to undo. I said I locked myself out a couple times, right? I can unlock myself with a device on another IP, or I can call up my webhost and tell them my IP and can they please unlock me. Now flip that to your blog. How do you handle it? Who do you call? Do you make this a ‘solvable by the host only’ problem? Can you envision your host being happy about handling that?

Not that I’m passing the buck here. There are plugins and extensions that do this, but they’re still best used by people who already understand security than by the common man, because the people who know what to do when they have to edit a .htaccess are the ones who probably already know how to pick a secure password, or install two-factor authentication already.

All this comes back to something blindingly obvious though. Everyone is going to know part of your access. The reason we tell people not to use ‘admin’ as a login ID is not because it’s more or less secure, but because it makes it easy for script kiddies to target. Remember, most of the time when you’re being attacked it’s nothing you did personally, it’s just a script running. When it’s someone who has an absolute vendetta against you, your userID is the least of your concerns.

The crux of the matter here is that your username is not a point of authentication, it’s a point of identification. Giving you an identification (I am Ipstenu) is not the same as giving you data that can be used to authentication (my mother’s maiden name is Jones; I was born in Battlesboro, VT; My favorite superhero is the Flash). There’s a reason we call them ‘Secret Questions’ as they’re both identification and authentication. Only I would know these things. And no, that’s not true, which is why secret questions are pretty useless. The more obscure they are (my first maths teacher) the less likely I am to remember them correctly. “His name was Smith… Now did I put in Dr. Smith, Mr. Smith, or Smith? Oh wait, how did he spell Smith? Smythe? Smyth? I know people with all those spellings! Which was he?”

So no. Your user ID is not a secret, nor should it be. I spend no time hiding it.

12 replies on “Your Username is Not A Secret”

If usernames are never revealed to anyone else on the site, technically they can act as a second strong password if you want to be nuts and do that. The only real problem has been default and very common usernames coupled with weak, guessable passwords.

Usernames just need to go away and be replaced with email addresses. Turning authentication over to Twitter, Facebook, Google or Apple makes more and more sense too. They are all providing decent enough identity management and authentication services now that the convenience and security likely outweighs the evil tradeoffs for most people. Google has really improved in this area, and it’s the only one to let you switch between multiple identities and accounts. Finally you can easily switch between a personal Gmail and multiple Google Apps accounts. Here is where your security practices matter — strong passwords plus two-factor authentication for your core email and identity services, all hooked up to your phone.

@Dan Knauss: If your username remains secret.

Sure. But that is a massive assumption that just isn’t true for most of us, and realistically, is impossible to uphold given social media. But we are, all of us, encouraged not to have bland, boring URLs for Facebook or Google or Twitter. We all have lovely IDs because we all want to be identifiable. It’s human nature 🙂

Mind you, I don’t trust Google with my identity at all. Having a single point of trust like that scares the crap out of me. At least if someone cracks into my email, it doesn’t (and for that matter can’t) get them access to my server root account. It would screw up my online bill pay, though, and all my credit cards, but ay least I retain server access and can (easily) reset passwords for my email.

@Ipstenu (Mika Epstein): Yep, I was just speaking theoretically. 🙂 You could have a random username and password, and then you’d use the “i forgot” recovery options for every login. Highly secure, super PITA.

I’d be scared about Google too, but I can’t see how you can get cracked if you’re using 2-factor auth.

That didn’t come out as I meant it — that last comment of mine has been nagging me especially as I’ve been setting up a bunch of new Apple hardware on network devices along with various Linux, Google and Windows stuff. Bonjour kinda sucks, but it’s too damn easy to use CloudPrint and AirPrint, while it’s also hard and confusing (for most people) to set up file and printer sharing without opening things up too much. Once there’s any external, remote web access in, you run the risk of the cylons breaking into your network and local machines. I can see that as an emerging form of burglary — hackers in vans picking your digital locks, installing key loggers, and totally owning you.

But apart from that sort of approach — which is really high investment for the criminal — I have a hard time seeing how your Google ID would get compromised if you’re doing the basics right. I realize hackers will always find a way, but an average person taking sufficient care to secure their identity and financial accounts is unlikely to be the victim of successful cybercrime in the future, in my optimistic opinion. It does seem like it’s getting to be possible to be highly protected from criminals outside of social hacking or physical capture of your devices — although that too is not so hard to defend against — if you’re prepared and quick to respond. If you have stuff to hide from the government, that’s a whole ‘nother problem.

@Dan: Well the problem there is the average person has no idea how to get the “basics” right.

To them, the basics are this: I have a password and I log in using it.

The moment you say “For security, you need a second program on your phone that has a random number you need to enter” or “Okay, now we’ll text you so you can log in” and … No. Just no. it’s too inconvenient for them, and honestly it’s too complicated.

I wish it wasn’t, but we’ve not yet made these things easily grepable by the average person.

You think we’re a long way from common users setting up 2-factor authentication and tying their key accounts to a phone? It’s getting easier and easier to do that, so I’m hopeful.

Yeah I realized I was thinking middle class folks in “developed nations.” Looking at it through the lens of economic position, I recall reading that extremely wealthy people are generally much more security conscious and very, very self-limiting in what they do online. On the other extreme we have the stereotype of scammers from “under-developed” nations, but actually people in poor countries may be most vulnerable online. Maybe in/security will end up strongly correlated to socioeconomic class with poorer people getting the short end of the stick as usual, especially in countries where cheap cell phones are a critical means of money transfer or nobody has the means to fight identity theft. I can imagine digital security becoming a kind of social justice issue in some contexts. In a thoroughly networked world, inequality is likely to follow its same patterns it always has. Sorry, just running with the idea.

@Dan Knauss: There’s also the moderately wealthy people, which is to say the middle class/upper class masses of the US who can afford a smart phone, but when their facebook doesn’t work, they call their kids for help.

That’s the group I’m sure won’t bother with 2FA not because it’s too complicated (which .. it is for a lot of them) but because it’s too much of a hassle.

The brunt of my day is spent talking to people who find resetting a WP password to be the height of complexity. I’ve taught a group of grandmothers (who were not techy) and I am my family’s tech support.

It’s easy for ME. It’s not easy for them. They’ll just not use a service if it’s to hard, which cuts them out of a lot of things.

Hello,

I found your blog and have interesting content!

As for this article, it is true what the other companions say, nothing is certain, to post false or data and a random password, do not mean it is 100% Secure.

To me once hacked wordpress account and youtube is not so far as they did but they did. I was very surprised that point. I guess with some program to hack actually have to see!

As I do not trust google to swim in, just for the simple fact that it has provided information to the government of the United States. Without authorization from us users, so now I have more care of my personal data on the Internet.

Greetings and good subject you touched!

I have a standard response to these sort of things sent to me:

This is not considered a security issue, because the username is not considered to be “private” information. Hiding it doesn’t add any real security. As far as brute-force attacks go, if you use a suitably strong password, then the attackers knowledge of the username doesn’t really matter.

Consider what would be the case if the username was considered private and strong attempts were made to hide it. In that case, we’d essentially be treating it as an extra password. Assuming the user
already has a strong password, then now the username is simply an additional bit of information that can be considered as an “add-on” to that password, so the total password strength is now their existing
strong password plus the hidden username.

The problem with this sort of thinking is that, generally speaking, people are trained to pick strong passwords (hopefully), but not to pick strong usernames. So treating it as a password means that it is particularly weak as a password, which makes it not helpful in terms of strength. It is better to teach people to pick stronger passwords instead, that way the username is irrelevant.

Also consider that the “username” is kind of dead as an identifier nowadays anyway. Look at Facebook and Google, for example. They don’t even have usernames, they simply use your email address as the account identifier. Finding out somebody’s email address tends to be pretty easy (you just told me your email address, after all, by emailing me), so are these services insecure because there is no username to begin with?

Keeping the username semi-public at least teaches people that it’s not meant to be hidden, and that they should rely on strong passwords for security. Ideally, we’d slowly phase out username altogether and just use email addresses for logins. At least people usually remember those. 🙂

Otto and Ipstenu, I believe you two just put the whole matter in a nutshell.

@Ipstenu (Mika Epstein): I tend to work as well as live around that middle class group of “Help! Facebook stopped receiving updates on my phone.” -individuals—beginning with my mother!

@Otto: Totally agreeing with you, I think it’s pretty absurd to try and teach people that usernames should be treated like a password, just as you have mentioned, with increasing adoptions of the ‘login via e-mail’ practice.

Comments are closed.