NCSAM/2011–Post 11–Your user name is not a secret
It always amuses me when I receive an email where the “From” line reads something like this:
From: mo95213@example.com (Davis McTeague)
Because what this means to me is that some well-meaning security practitioner has decided that giving users random names “adds to the entropy in the password” – meaning that it’s harder to guess the user’s name and their password at the same time than it is to guess just the password when the user name is clear and obvious.
Of course, the email kind of gives it all away.
Lockout policies and the random username
I had one of these usernames at one point in my past career. “us43792”, I think it was. Or “us43972”, or “us42793”. Maybe.
Every Monday morning, I did the same dance of trying to remember my username. And, because the well-meaning security practitioners had also decided that the “three bad logons requires lockout” policy was a great idea, every Monday I managed to lock some other user out of his or her account, because instead of getting my password wrong, I’d get my username wrong.
I really felt bad for whoever it was that I was locking out of their account. They probably had a hell of a time every Monday, calling up tech support, and asking to have their account unlocked, and tech support treating them like they were idiots for messing up their password every week.
I suppose I could have simply written down my username, but that was as much against the spirit of the policy on random usernames as it would have been to write down my password. So each Monday, I caused a lockout event to some other person in the company, wasting their time, and that of whoever they called in tech support.
The random username and entropy
While it’s true in some ways that a random username adds entropy (you might think of this as “randomness”) to the whole logon sequence, it’s not lasting entropy, because even when the user changes their password, they aren’t changing their username as well, so that part isn’t getting updated. And as time goes by, a lot of people know the user’s name. Everyone they email, everyone they hand their business card to (which includes every lunch establishment around the neighbourhood), now has that information.
It doesn’t matter any more that the username isn’t predictable, because it’s known by fundamentally everyone.
It’s public information.
The system is working against you
My final point against random usernames is that the whole system – and not just the operating system – is working against you in keeping this entropy secret.
Email messages aren’t the only way in which usernames are exposed. Every time you authenticate to a networked application, although challenge-response techniques allow you to keep your password secure from that application, your username is still passed to that application unaltered. File sharing requests are made using the same sort of technology, meaning that your username is sent there. Many other networking protocols carry the username around, and users themselves have all sorts of outlets for sharing their username, from home directories named after them, to instructions on contacting them through email or messaging.
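To illustrate both of the points above (the Monday-morning lockout dance and the username travelling in the clear under challenge-response), here is a small Python simulation that is not from the original post. The account names, passwords, desk names and the alternative "block_source" policy are all constructed assumptions of mine.

```python
import hashlib, hmac, os
from collections import defaultdict

# Constructed sample accounts, random usernames in the style of the post.
ACCOUNTS = {"us43792": b"correct horse", "us43972": b"battery staple"}
LOCKOUT_THRESHOLD = 3  # the "three bad logons" policy

class Server:
    # policy: "lock_account" (per-username count, as in the post) or "block_source".
    def __init__(self, policy="lock_account"):
        self.policy = policy
        self.failures = defaultdict(int)
        self.blocked = set()
        self.pending = set()  # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)
        self.pending.add(nonce)
        return nonce

    def login(self, wire_username, source, nonce, response):
        # The username crosses the wire in the clear; the password never does,
        # only an HMAC of the server's nonce keyed with the password.
        key = wire_username if self.policy == "lock_account" else source
        if key in self.blocked or nonce not in self.pending:
            return "rejected"
        self.pending.discard(nonce)
        secret = ACCOUNTS.get(wire_username)
        if secret is not None:
            expected = hmac.new(secret, nonce, hashlib.sha256).digest()
            if hmac.compare_digest(expected, response):
                self.failures.pop(key, None)
                return "ok"
        self.failures[key] += 1
        if self.failures[key] >= LOCKOUT_THRESHOLD:
            self.blocked.add(key)
        return "bad"

def client_login(server, typed_username, password, source):
    nonce = server.challenge()
    response = hmac.new(password, nonce, hashlib.sha256).digest()
    return server.login(typed_username, source, nonce, response)

def monday_morning(policy):
    # Constructed scenario: us43792 mistypes their name as us43972 three times
    # from desk-17, then the real us43972 logs in from desk-42.
    server = Server(policy)
    for _ in range(3):
        client_login(server, "us43972", b"correct horse", "desk-17")
    return client_login(server, "us43972", b"battery staple", "desk-42")
```

Under the per-username policy the innocent us43972 is rejected on their first try of the day; counting failures per client source instead leaves that account usable while still throttling the desk that keeps getting it wrong.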
My username is “alun”
I think that says enough.