Usernames Are Not Secrets

A common misconception that I have observed a lot online is the belief that usernames should be secret, unique and hard to guess. While there are some limited cases where having a secret username is a good idea, most of the time it has no real benefit. Usernames are not secrets and should not be treated as such. The only secret that matters for protecting your accounts online is the password (and multi-factor authentication, if you use it).

“Use a unique username…”

I attended a conference recently and saw a fantastic security talk. The speaker had a unique style and used a number of really clever elements to make the talk memorable and approachable. There was, however, one problem that stuck out at me during the talk. The speaker had a side with the text:

Use a unique username

After revealing this slide, the speaker then proceeded to instruct the audience to always use a unique and non-guessable username for their accounts. They explained in depth that admin, sitename, yourname, etc, are all easy to guess usernames and should not be used. Then the speaker, as a throwaway line, said you should also use a unique password stored in a password manager.

This really frustrated me at the time, and has been bothering me ever since. The speaker has it all backwards! Usernames are not secrets and it usually doesn’t matter if someone can figure out your username. The important thing you need to keep a secret is your password. This is the key to unlocking your account.

Your username is like your address

Your username is like your address. If someone knows your address, they can drive up to your house and arrive at your front door. However, if the door is locked, they can’t get in without a key. If someone knows your username, they can view the available information about your account. Depending on the application, this may be a lot of information about you, but it won’t let them into your account. To get into your account, they still need your password.

Also consider that some sites allow you to login with either your username or your email address. This is like your phone number being in the address book. In these cases someone with your phone number can find your address. Likewise, someone with your email address may not even need your username. As such, if your email address isn’t a secret, why would your username be? Both serve the same purpose and require the same level of protection.

Your password is like your house key

If your username is like your address, then your password is like your house key. If someone knows your address they can get to your house, but without the key they can’t get inside. As such, you protect your house keys. You have limited copies, keep one on you any time you go out, and only give one to people you trust. Your password is your key, the secret that protects your account. Your username may be known or identified, but if you’ve kept your password secret, it doesn’t matter.

House locks have different shaped keys, both in terms of the slot it fits into, and the number and shape of the pins. This means there are a huge number of combinations for potential keys. As a result, you can be pretty confident anyone coming to your house isn’t going to have a key that fits your lock perfectly. If there were only a small number of combinations of house keys, a burglar could obtain all of the possible combinations and try each in turn to unlock your door. Likewise, if you use the same key on each house you have keys for (yes I know, it’s stretching it a bit here!), and then leave your keys where the burglar can find them, they can get into all of your houses!

Relating that directly back to passwords, if you use simple passwords (such as password123), an attacker can easily guess it and compromise your account. Likewise, if you reuse passwords across multiple sites, your account could easily be compromised through a credential stuffing attack. You need the same uniqueness and unguessability (if it’s not already a word, it should be!) in your passwords, to protect your accounts from being compromised.

Finding a username in WordPress

For good example of why usernames are not secrets, let’s consider WordPress. It’s very common to hear the advice that you shouldn’t use the default username admin, or other keywords like the domain name. The primary reason for advising to not use admin is because people choose terrible passwords. The theory goes that if someone is going to use a password like password123, then encouraging them to have a username like superLogin123 will keep the login credentials unique. The gaping hole in the theory is how easy it is to work out the username on WordPress.

WordPress leaks all sorts of information by default, information that it doesn’t consider to be secret, such as usernames. With this information already provided by WordPress, all we need to do is compromise the password. To do that, we can use WPScan, a fantastic security testing tool for WordPress. It includes a bunch of useful features, including the ability to identify usernames and conduct a brute-force password attack.

In this attack, it will first identify all of the usernames it can and then work through a known passwords list to identify the passwords in use. With WPScan, it is trivial to gain access to a WordPress site without the username, if the account has a simple password. (I cover this attack in detail in my Think like a Hacker and Secure WordPress talk. I’d recommend you go watch it if you’d like more information.)

Example brute-force attack with WPScan

On my test site, the username is valorin and password is zxcvbnm. WPScan will first figure out the username using a few different methods. Then it will guess the password from the RockYou password database.

The username valorin is identified via:

[i] User(s) Identified:

[+] valorin
 | Found By: Rss Generator (Passive Detection)
 | Confirmed By:
 |  Wp Json Api (Aggressive Detection)
 |   - https://wp2.valorin.dev/wp-json/wp/v2/users/?per_page=100&page=1
 |  Oembed API - Author URL (Aggressive Detection)
 |   - https://wp2.valorin.dev/wp-json/oembed/1.0/embed?url=https://wp2.valorin.dev/&format=json |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

The password zxcvbnm is identified via a brute-force attack:

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - valorin / zxcvbnm
Trying valorin / diana Time: 00:00:02 <===> (255 / 255) 100.00% Time: 00:00:02

[i] Valid Combinations Found:
 | Username: valorin, Password: zxcvbnm

The end result being both the username and password are successfully discovered by WPScan. Since usernames are not secrets, the problem here is the password. If the user had a unique password, WPScan would not have identified it and the account would be safe.

How to protect your password

The point of generating a unique password is that it can’t be easily guessed. The downside is that this makes it pretty hard to remember too. The solution here isn’t to pick a simpler password, but rather to use a password manger. The purpose of a password manger is to remember your passwords for you. You can then safely create a unique password for each account, store it in the password manger and not need to remember it. Ultimately, the only password you need to remember is the one to your password manger. So yes, you still need to remember a password, but only this one. This makes password security a lot easier.

The password manger I recommend is 1Password. I’ve been using it for years, and it has some great features and works on every platform. You could also use the one built into Chrome or Firefox if you solely use the one browser for everything and want something simple to use.

Once you have your password manger set up, it can generate you a new password for each account you use. This password (which you don’t need to remember) is the secret that protects your account. Your username doesn’t need to be a secret because your password is unique and basically impossible to guess.

The exceptions to the rule?

Now that I’ve spent some time explaining why usernames are not secrets, let’s talk about some of the exceptions to the rule. These exceptions include high-value targets like banks and airlines.

Often these companies have complex legacy systems that impose arbitrary limits on passwords, such as some airlines requiring 4-digit PINs! They force these limits on you because their systems cannot support anything else, and as a result, this has implications for your username. Troy Hunt makes an interesting point in his post “Banks, Arbitrary Password Restrictions and Why They Don’t Matter“:

Next up is the need to know the target’s username. Banks typically use customer registration numbers as opposed to user-chosen usernames or email addresses so there goes the value in credential stuffing lists. That’s not to say there aren’t ways of discovering someone’s banking username, but it’s a significantly higher barrier to entry than the typical “spray and pray” account takeover attempts.

When you’re forced to use a basic password, one that is likely already known and used elsewhere, the username matters too. In these cases both the username and the password contribute to secret that protects your account.

Summary

If you only remember one piece of advice from this post, I hope it will be this: usernames are not secrets. Your username doesn’t need to be unique or hard to guess, that’s the job of your password. Choose a logical username and a unique password – focus on security where it matters.

If we can get away from this myth that usernames should be unique secrets, it will shift the focus back onto unique passwords and keep everything a bit safer and more secure.

Feature photo by Dries Augustyns on Unsplash.