31

Is having a longer/more complex username considered more secure than using a shorter/basic one? Would the uniqueness of a username positively impact security?

This is assuming that adversaries aren't aware of what the username may be, eg. a remote terminal login.

user389823
  • 625
  • 6
  • 11
  • Don't some attacks involve using a password you expect many users to have and bruteforcing the username instead? – Casey Mar 24 '16 at 14:27
  • 1
    Similar question with [answers here](https://security.stackexchange.com/questions/66364/what-is-the-point-in-having-arbitrary-username-requirements/). – PwdRsch Mar 24 '16 at 15:45
  • 1
    Not sure if this is relevant, but if you use different usernames for different systems, eg bank@mydomain.com, and amazon@mydomain.com - then it makes it easier to trace which credentials have been compromised (or email details sold). I think this adds to security but I don't think it's quite what you were asking. – Daniel James Bryars Mar 26 '16 at 11:51
  • 1
    This is sort-of related to [a question I asked a while ago](http://security.stackexchange.com/questions/66364); my question was about systems designers forcing users to abide by certain username requirements. The answers there give some insight into the username length issue. – Chris Cirefice Mar 26 '16 at 22:50
  • Because usernames are not typically kept secret, software dealing with usernames do not treat them as information that is sensitive. OpenSSH for example _still_ has a bug that allows someone to enumerate usernames if the SSH server has the Blowfish cipher enabled, due to a timing attack. – forest Feb 07 '18 at 07:00

7 Answers7

70

A harder to guess username adds to the security if it's kept secret.

The problems are

  1. Usernames are often not kept especially secret. On most systems allowing multiple users to log in, any user can view the list of valid users. On systems that run mailservers, the mailserver can effectively be used to check if a username might be valid as most mailservers will accept mail for any local user. Various programs may include your username by default in outgoing traffic when they connect to servers. New user signup forms or password recovery forms may allow an attacker to check if a username is taken.

  2. Usernames are often harder to change than passwords.

So when adding additional complexity to your login credentials, it's best to get into the habit of putting that extra complexity in the password rather than the username.

Peter Green
  • 4,968
  • 1
  • 22
  • 26
  • 11
    This answer is terrific for that second point. – dotancohen Mar 24 '16 at 07:50
  • 2
    Usernames, by definition, are not secret (who's the owner of this file?). A complex username will slightly reduce security because it increases complexity and the chance of making an error. – mpez0 Mar 24 '16 at 14:25
  • 4
    It's a shame that usernames are not kept secret, especially for those sites that lock you out if you fail to correct password after x tries. For example, your bank account can be locked out from people trying to access it 3 times. This would be much less likely to happen if the usernames themselves were kept secret. – spacetyper Mar 24 '16 at 15:44
  • My work email address is monty.harder@..., but the corresponding username on the domain is something very different, which does not include any part of my name at all. Someone already on our corporate network could fairly easily get my username, but from outside the network, no way to do that. This is part of a deliberate design to protect even the usernames from being disclosed to a potential attacker. – Monty Harder Mar 24 '16 at 16:04
  • @spacetyper I'd argue exactly the opposite. Makine BOTH the username and password is un-necessary, and adds little or no security and makes it much more difficult for users to access a site. The trouble is that many people around here think security is the only thing that matters. Security is always a balance between providing a service and the risks of the service being compromised. If you want pure security, don't provide the service in the first place! – Steve Sether Mar 24 '16 at 17:35
  • 1
    @mpez0 Not necessarily. On my WordPress blog, for example, my login username is different from my "author username" (the name displayed on my posts). I consider the login name to be a secret, and a security feature: I have a security plugin set up to email me whenever anyone logs in by that name, and also to report failed logins by name. If I ever saw anyone but myself trying to use my login name, even if it were unsuccessful, I would be concerned, as it's not something easily guessable by either knowing me casually or reading my posts. – Mason Wheeler Mar 24 '16 at 20:51
  • The username can be guessed - sometimes when I want to create an account I get an error "This user name already exists". Some websites even have a button in a registration form to verify that the currently entered user name is not used (or it is checked automatically when the user name is entered) and a warning is displayed if it is used. I think this makes the user name non-secret. – Marian Spanik Mar 27 '16 at 10:16
33

No. A username is not supposed to be kept secret and thusly won't be. A username is a public ID. Relying on it for security is not smart.

d1str0
  • 2,348
  • 14
  • 24
  • 7
    This answer is right **assuming** that the password is chosen weakly and the username is the only security mechanism. Consider this scenario: I'm using KeePass to store passwords. What would happen if I **ALSO** randomly generate a random&long username (which I don't really care about)? Does this increase the security even a little? And the answer to this is that you *surely* do not reduce the security. Depending on the system it may *add* some security (if it isn't completely trivil to discover the usernames of the system) or be completely useless (e.g. list of usernames is public). – Bakuriu Mar 24 '16 at 10:08
  • 5
    This is why using e.g. an SSN, which identifies U.S. citizens, as a password, is a terrible idea. –  Mar 24 '16 at 15:18
  • I agree with do not rely on it, but changing usernames to be something like m453627 adds obscurity and makes things harder to an individual to know whether he has an ID that matches a sysadmin user, finance user, or any other persons name that can be easily googled. If a person is going to hack into a system and has a randomized username like above, it makes it more time-consuming figuring out what account he is dealing with, what permissions he has, and where on the network he can access. – IT_User Mar 25 '16 at 17:00
  • johnSmith from some Website is a lot easier to google to figure out his job and role in the company than m453632 is. For public webpages such as StachExchange it probably doesn't add much in security, but for corporations locked down, this can be a pretty nice security enhancement. – IT_User Mar 25 '16 at 17:03
4

It has a little positive impact, but you can not rely on it. And this little impact doesn't worth for having a complex username. Systems are not designed to keep usernames secret, so keeping it secret will be too hard.

It's about obscurity not security.

ferit
  • 469
  • 3
  • 13
  • 1
    A complex username may encourage users to use a password manager, rather than using weak credentials that can be memorized. – user1751825 Mar 24 '16 at 02:46
  • 3
    Equally speculative is that it would trigger users to revert to unsafe methods of storing username with password. – techraf Mar 24 '16 at 03:06
  • 1
    @user1751825 Why would a complex username make them want to use a password manager (other than to remember the complex username)? In either case, if they think "_the username is complex_" I would think many will conclude "_so it doesn't matter if the password is simple_". – TripeHound Mar 24 '16 at 15:37
  • @user1751825 What? – ferit Mar 24 '16 at 17:25
  • 1
    @user1751825 a complex username would encourage the users to write down their usernames. Probably together with the password. On a post-it note. And, chances are, this note is probably going to be glued to the monitor of said user. – T. Sar Mar 24 '16 at 17:54
1

Yes, increasing the complexity of a username will improve security overall. It's the combination of username and password that matters from a security point of view, so anything you do to make that combination more difficult to guess, will help.

Some services will give affirmative feedback for a correctly guessed username, even if the password then fails. Having a confirmed username is one extra bit of information a hacker should not have.

user1751825
  • 915
  • 4
  • 10
  • Downvoted? This is a perfectly reasonable and acceptable answer. Companies are starting to move away from basic usernames to more obscure options in order to add another layer of protection (even if small). New users in major corporations are no longer having usernames that easily identify to an individual (ex username ="m3569918") to add an additional layer of protection. This makes it that much harder for someone to get user information, look into the username and see who's account they have to get an idea of what part of a network they will be on with what permissions – IT_User Mar 25 '16 at 16:53
  • 1
    +1 from me. Although I would have stated that increasing complexity by making username have no meaning to particular user ( ex. m453627 instead of someUserName) provides obscurity and increases overall security of a network. – IT_User Mar 25 '16 at 16:55
1

Yes, there is a significant addition to the security in the case you describe. In fact, many system disable logins for accounts with well-known names, like root or guest exactly for this reason: the attacker will have to acquire a valid username before starting the actual attack.

Of course, there are other reasons to disable root login in particular, but a predictable username is part of the problem.

Dmitry Grigoryev
  • 10,122
  • 1
  • 26
  • 56
1

Just like all Security through Obscurity techniques, this would add some security but is not reliable security.

If doing this has no additional costs and does not impact the bizness, it is a nice little addition that could cost some time to attackers but that will not reliably prevent anything.

An analogy would be to build a house in the middle of a desert - it is hard to find. But you still want the house to be protected.

niilzon
  • 1,609
  • 2
  • 11
  • 17
1

There is one point I find useful not mentioned by other answers so far. Keeping your usernames random and different between different sites makes it harder for an outsider to connect your activities between various sites. Instead of googling for your username, someone wanting to track your activities will have to use other means, like tracking IP addresses you use, to correlate your activities between different sites that have public usernames—making, let say, harassment, more difficult.

liori
  • 161
  • 4