If we use strong passwords, what is the point to using strong user IDs?
While creating a login, a website suggested that I create a strong alphanumeric user ID to increase my security. I could see this being helpful to prevent false "forgotten password" claims and the like, however if a user uses strong passwords is this really necessary? What are your thoughts on this?
Comments
-
"A cryptosystem should be secure even if everything about the system, except the key, is public knowledge." — Kerckhoffs' principle
It doesn't really add any meaningful security in most cases. On most websites the security is based on the secrecy of your password — your "key" — not your username. It may slow someone down slightly in some cases, but it is not something that should be relied upon for additional security.
0 -
That was my first thought. Good to know.
0 -
Hi @tatchley,
Although given common attacks, there might be some slight security gain by using an obscure username, I think that the suggestion is not just a violation of Kerckhoffs' principle, but it is contributing to a real problem we have with confusion about what should and shouldn't be secret.
When we take something that isn't designed to be secret (and so isn't handled in ways that secrets are handled) and start using them as secrets we cause troubles for ourselves. Probably the biggest example of this is Social Security Numbers (SSNs) in the US. When I was younger, oh so much younger than today, I put my SSN on my résumé. This wasn't at all uncommon. It was only later, when banking by telephone became a thing, that knowledge of an SSN was used for authentication. So the real problem with SSNs is not that they are stored insecurely and easily leaked. The problem with SSNs is that people try to use them as if they are secret.
The same thing, by the way, is true of credit card numbers. These numbers were never designed to be secret (they are printed on the front of a card that you hand to strangers). Again, it is only once people could place orders by telephone that CCNs started to get treated as secrets. But again, the systems that used them weren't designed to treat them as secrets, so it is little wonder that you can buy credit card details for about one US dollar each. I wrote a bit about all of this in a post about people being remarkably careless with their debit card numbers, and concluded with
Finally, when we observe people systematically behaving insecurely, we have to ask not “how can people be so stupid” but instead “how is the system leading them to behave insecurely.” Maintaining a clear distinction between non-secret identification information and secret authentication information would be one place to start.
So in that light, I'm not particularly happy to hear about trying to build security systems that rely on the secrecy of usernames.
Of course, without knowing the full details of what they are doing, I can also talk in general terms. They may have thought things out much more clearly than I imagine. So I don't want to condemn the particular site, I just wish to draw attention to the kinds of things that should be considered with such systems.
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
0 -
Interesting. To their defense, they are a credit card company so their data is more important than other websites, but you also make a clear point about how this is, in most cases, ill-advised.
0 -
For sites that allow you to set your own login name, is there a security benefit from using a random string of characters for that or is that normally stored in the clear?
0 -
Hey, Nunuv. :) I merged this with the existing thread. Please see above and let us know if you have any further questions.
0 -
Thanks!
0 -
Cheers!
0 -
I guess I am in the camp that says, sure, why not have long and complicated UserIDs, too, even if they are stored in the clear. I have long and strong passwords, but what if someday some bad guy manages to steal one set from me. I’m sure their first step is to assume I am like the 80% (just a guess) of people who use the same UserID and password everywhere. So they would try that combination at every interesting website there is. Of course, it would not work. Then their next step would be to assume that I am like the 95% (just a guess again) of people who use the same UserID, but different passwords. Then they would try my UserID and use a bazillion different passwords trying to break in, sometime over the next x years. Eventually they would find that the stolen UserID did not work after all those password attempts.
For me, when 1Password is working nicely, I don’t need to worry about what my password is. So why should I worry what my UserID is either? Same with the “what is your favorite color” password recover question. I also use two-factor authorization where it is available. Again, why not?
Having all my eggs in the 1Password basket does make me a bit nervous, but I have to keep them somewhere.
0 -
Again, why not?
In some cases it can be a hassle. But if you don't mind the extra legwork, then I agree. Why not? :)
Having all my eggs in the 1Password basket does make me a bit nervous, but I have to keep them somewhere.
There is an old engineering saying: "The right way to build reliable systems is to put all your eggs in one basket, after making sure that you've built a really good basket." 1Password is an AES-encrypted, PBKDF2-strengthened basket.
0 -
Rob, you are hardly alone in asking "why not?"
You should probably go ahead with it, despite the fact that I think there is a reason not to. My particular take on this is hardly the consensus (but I still think I'm right.)
The risk is that if a significant number of people did the same, then there is the very real possibility that people will genuinely start thinking of the knowledge of usernames as real parts of security. I'm afraid that people will start behaving as if usernames were managed like secrets even though many systems do not treat them that way.
The risk isn't actually to you, but to future "generations". If I had a time machine, one of the first things I would do is find the first bank that took knowledge of a social security number as proof of identity (that is, used this non-secret as if it were a secret) and punch them in the nose.
So while I can't really say that it's bad for you to try that, it's a practice that I definitely do not want to see become widespread.
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
0 -
Jeffrey,
I certainly respect your knowledge of the Dark Arts, but I guess I am a simple person. I am using unique UserIDs for exactly the opposite reason than you think. I have absolutely no expectation that UserIDs are kept secure on the systems I log into. I imagine there is a stack of reports somewhere with UserIDs written all over them for anyone who works there to view. And some bad guy there can pick up a few of those UserIDs and then see if he can get into Chase, HSBC, PayPal or wherever. Maybe use a little social engineering with the helpful service rep at Chase, who knows.
For those of us on Team-UniqueUserID, I don't have to worry about that. That stolen UserID has absolutely no value anywhere else. For those of you on Team-SameUserID, if someone steals one UserID, they might be able to use that someplace else. Why give them even that chance?
Yes, I spend the extra 30 seconds to generate a password, and stick it into the UserID field. Once it is saved in 1Password, there is no more extra work, ever. I used to use my fairly unique last name as my UserID everywhere. I thought about that later, and decided that was a very bad idea. I am a little annoyed that so many websites now use your e-mail address as your UserID.
Just belt and suspenders for me, I guess.
0 -
While this has been an excellent discussion of the potential security gains of strong IDs, in my view it is the privacy gains rather than the security gains that make strong user IDs an attractive proposition. Most of the time, I like to remain anonymous on the internet, and using strong user IDs helps protect my privacy and anonymity.
0 -
That is an excellent point, @parekh, but it should be noted that it is often not very hard to "deanonymize" most common forms of anonymity techniques. So people shouldn't assume that just because they registered with a site using a pseudonym and a throw-away email address that they really are anonymous.
0 -
Thanks for the tip! I'd really appreciate it if you could point me towards some further reading on this topic, because I have always been under the impression that a throwaway user id (tied to a throwaway email id) is sufficiently anonymous.
PS: I really enjoyed reading your post about people being remarkably careless with their debit card numbers. I notice that there's a link at the bottom of the post inviting the reader to "join the discussion in our forums", but that link is broken.
0 -
I notice that there's a link at the bottom of the post inviting the reader to "join the discussion in our forums", but that link is broken.
Sorry about that link, @parekh. That was before we switched forums. Here is the thread on this current forum. (Everything was transferred over.) :)
http://discussions.agilebits.com/discussion/10575/see-my-debit-card
0