
Typical computers with modern operating systems require log-on accounts with a user name and a password. Is it dangerous to reveal the user name of the log-on account to the public?

My research: I have found these articles on Information Security Stack Exchange:

Googling typically gets me back to the first two of these articles. These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.

This question pertains to a computer, not a website. The computer may be "hidden" behind a NAT router and theoretically (hopefully?) not directly accessible from the internet. Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.

The background: I help on the Virtualbox forums (forums.virtualbox.org). When folks ask for help with their Virtualbox guests, we usually need a log file from the run of the VB guest where the problem was noticed. These log files contain paths to the files on the host PC that are used by the guest, and these files default to being stored in the user's home path:

  • Windows: C:\Users\{username}\...
  • Linux: /home/{username}/...

The logs therefore reveal the account user name to anyone who may download the log file. And everyone including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.

Are they right? Is revealing the PC account user name bad?

Triplefault
  • I should clarify that there have been problems with Virtualbox when the username of the account or another folder in the file paths has Unicode/UTF-8 characters (not just plain ASCII) or periods. Eventually the developers fix issues, but they crop up. So we tend to insist on unobfuscated logs. And we get a bit of pushback at times from the obfuscators. – Triplefault Aug 30 '19 at 19:15
  • My take-away from the answers: Some folks may worry in a "just-for-security's-sake" fashion that they would prefer to not reveal the PC's username. However, it would be difficult, without other more substantial information, to use just that username to access the PC. And internet-connected PCs are being pen-tested all the time, even without the username being known. So revealing the username of a PC account publicly is not overtly dangerous. And the more common the username is, the less dangerous revealing it gets. – Triplefault Sep 11 '19 at 16:48
  • Thanks everyone for your answers! I chose Vipul Nair's answer as the answer because it concisely answered my question in the beginning. But everyone's answers help me to round out the idea, and see some possible security changes to the forum that may be beneficial. Thanks, all! – Triplefault Sep 11 '19 at 16:51
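An added example, not code from the question or from the VirtualBox project, of the path obfuscation the question describes done in a way that keeps the diagnostic signal the comment above says the developers need. Instead of deleting the account name from every home-directory path, the script masks it: ASCII letters become x, digits become 0, periods, spaces, hyphens and underscores are kept, and any non-ASCII character becomes ü. A reader can still see that the path contained a period or a non-ASCII character and how long the name was, without learning the name. The sample log lines, the home-directory prefixes it recognises (C:\Users\, /home/, /Users/) and the masking rules are all assumptions of this example.

```python
import re
from typing import Dict, Tuple

# Constructed VirtualBox-style log excerpt for this example (not a real VBox.log).
SAMPLE_LOG = (
    "00:00:01.234567 VirtualBox VM (constructed sample) release log\n"
    "00:00:01.300000 File#0: 'C:\\Users\\José.Smith\\VirtualBox VMs\\ubuntu\\ubuntu.vdi' (normal)\n"
    "00:00:01.300100 Shared folder 'share' -> 'C:\\Users\\José.Smith\\Documents\\share'\n"
    "00:00:01.400000 DVD: '/home/j.doe/Downloads/ubuntu-18.04.iso'\n"
)

# The first path component after these prefixes is an account name.  The prefix
# list is an assumption of this example; extend it for other layouts you see.
_HOME_PATTERNS = [
    re.compile(r"(?P<prefix>[A-Za-z]:\\Users\\)(?P<user>[^\\\r\n'\"]+)"),  # Windows
    re.compile(r"(?P<prefix>/home/)(?P<user>[^/\r\n'\"]+)"),              # Linux
    re.compile(r"(?P<prefix>/Users/)(?P<user>[^/\r\n'\"]+)"),             # macOS
]


def mask_username(user: str) -> str:
    """Hide the name but keep its length, its separators and whether it is non-ASCII."""
    out = []
    for ch in user:
        if ch in ".-_ ":
            out.append(ch)          # separators are what the reported VirtualBox bugs hinge on
        elif ord(ch) > 127:
            out.append("ü")         # non-ASCII stays visible as non-ASCII, but not which character
        elif ch.isdigit():
            out.append("0")
        else:
            out.append("x")
    return "".join(out)


def redact_home_paths(text: str) -> Tuple[str, Dict[str, str]]:
    """Return (redacted text, {original name: mask}) for every home path found."""
    mapping: Dict[str, str] = {}

    def _sub(m):
        user = m.group("user")
        mapping.setdefault(user, mask_username(user))   # same name -> same mask, whole log
        return m.group("prefix") + mapping[user]

    for pat in _HOME_PATTERNS:
        text = pat.sub(_sub, text)
    return text, mapping


if __name__ == "__main__":
    redacted, names = redact_home_paths(SAMPLE_LOG)
    print(redacted)
    for original, mask in names.items():
        print(f"masked {original!r} -> {mask!r}")
```

Run it over a saved VBox.log before posting; the mapping it returns tells the user which names were masked so they can confirm nothing else in the log was altered. The masking is deterministic and idempotent, so the same account name maps to the same mask throughout a log and a second run leaves masked output unchanged.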

4 Answers


I guess no. Why? Because if you secure your environment in such a way that it can eliminate brute-force attacks, dictionary attacks or any other attack that tries to force the login, then exposing usernames won't do anything to it; thereafter you can limit the attempts in your LSP. If you look more into the psychology of a possible attack, they can generate strings that are based on your username (for example, if the username is am123, they can put ham123 or aM93 in their dictionary list).

Should I keep my username on roastedbeans.ru secret? Yeah, you should, because it's not your environment; you do not manage it. Therefore you do not know if it is secure at all.

tungsten
  • Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct? – Triplefault Aug 30 '19 at 19:05
  • Right, if we talk just about usernames like Jack or Angelina (because revealing your whole name may result in other things). – tungsten Aug 30 '19 at 19:09

Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.

In this statement you assume that an attacker is specifically targeting you. This is often not the case; it is more about opportunity.

Specific tooling and/or scripts executed from an attacker's machine will scan the internet for common vulnerabilities in order to gain access to any (random) machine.

Sometimes the tools are a lot simpler and only try to guess usernames and passwords by attacking TCP/22 (SSH), for example.

The logs therefore reveal the account user name to anyone who may download the log file.

The thing with log files is that not just anyone should be able to download them. Only a select number of people should be able to access these logs. If anyone with an account on the system has access to this log file, the file permissions are set too loose (world readable).

In a corporate environment log files should not be stored locally but transmitted to a syslog server. Only a limited set of users should have access to this syslog server.

Additionally, auditing on the system (these logs should also be written to a syslog server) should record anyone who accesses these files, for traceability.

And everyone including non-authenticated visitors, can download log files.

If this is really the case, this is a major design flaw. I would not be too worried about revealing a username (as mentioned above) but rather worry about this. Log files should never be (directly) accessible over the internet, especially to unauthenticated users.

Is revealing a PC account user name bad?

In my opinion exposing a username on an operating system is not necessarily a bad thing as long as a strong password policy is in place. This means a minimum of at least twelve characters, using upper- and lowercase characters, special characters and digits. Additionally, this policy should also trigger an action if X number of failed attempts are made from a specific IP address (e.g. blocking the IP for Y amount of time).

Another, more pressing issue I see here is something we call "Internal Path Disclosure". Exposing internal paths to an attacker could be very useful combined with other types of attacks such as local file inclusion or SQL injection, in the case of a web application that is also exposed to the internet.

Jeroen
  • Thanks, @Jeroen! So if I gather correctly, you're saying that exposing a PC account username is not bad in itself, and that computers are getting pen-tested all the time. However, full paths being revealed can help an attacker who has an open attack vector already, and the forum's treatment of logs really needs to be restricted. – Triplefault Aug 31 '19 at 12:28
  • That would indeed be my suggestion @Triplefault – Jeroen Aug 31 '19 at 12:33
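An added example, not part of Jeroen's answer, that turns two of its points into running code: the opportunistic tools hitting TCP/22 guess usernames as well as passwords, and the lockout policy should fire after X failed attempts from one IP within some window and block that IP for Y minutes. The sshd log lines are constructed (they use RFC 5737 documentation addresses), the threshold, window and ban length are example values, and the syslog year is assumed to be 2019 because the BSD syslog timestamp carries none. The counting is the same sliding-window logic that fail2ban's maxretry/findtime/bantime settings express.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set, Tuple

# Constructed sshd auth-log lines; the addresses are RFC 5737 documentation ranges.
SAMPLE_AUTH_LOG = """\
Aug 30 19:00:01 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Aug 30 19:00:02 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 51123 ssh2
Aug 30 19:00:03 host sshd[1235]: Failed password for root from 203.0.113.7 port 51124 ssh2
Aug 30 19:00:04 host sshd[1236]: Failed password for invalid user test from 203.0.113.7 port 51125 ssh2
Aug 30 19:00:05 host sshd[1237]: Failed password for invalid user oracle from 203.0.113.7 port 51126 ssh2
Aug 30 19:00:10 host sshd[1300]: Failed password for alice from 198.51.100.20 port 40000 ssh2
Aug 30 19:00:15 host sshd[1301]: Accepted publickey for alice from 198.51.100.20 port 40001 ssh2
Aug 30 19:30:00 host sshd[1400]: Failed password for invalid user admin from 203.0.113.7 port 51200 ssh2
"""

# "invalid user" is present when the account does not exist; its absence means the
# attacker guessed (or already knew) a real username and only the password was wrong.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+"
)

Event = Tuple[datetime, str, str, bool]   # (time, source ip, username tried, account unknown?)


def parse_failed_logins(text: str, year: int = 2019) -> List[Event]:
    """Extract failed password attempts; year is assumed since syslog omits it."""
    events: List[Event] = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines are not counted
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("ip"), m.group("user"), m.group("invalid") is not None))
    return events


def find_lockouts(events: List[Event], threshold: int = 5,
                  window: timedelta = timedelta(minutes=10),
                  ban: timedelta = timedelta(minutes=15)) -> List[Tuple[str, datetime, datetime]]:
    """Return (ip, ban start, ban end) whenever an IP reaches `threshold` failures within `window`."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned_until: Dict[str, datetime] = {}
    lockouts: List[Tuple[str, datetime, datetime]] = []
    for ts, ip, _user, _unknown in sorted(events):
        if ip in banned_until and ts < banned_until[ip]:
            continue  # a firewall rule would already be dropping this source
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:   # drop failures that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold:
            banned_until[ip] = ts + ban
            lockouts.append((ip, ts, ts + ban))
            q.clear()  # start counting afresh once the ban expires
    return lockouts


def usernames_tried(events: List[Event]) -> Dict[str, Set[str]]:
    """Which usernames each source guessed; shows the scanner works a wordlist, not your name."""
    tried: Dict[str, Set[str]] = defaultdict(set)
    for _ts, ip, user, _unknown in events:
        tried[ip].add(user)
    return dict(tried)


if __name__ == "__main__":
    ev = parse_failed_logins(SAMPLE_AUTH_LOG)
    for ip, start, until in find_lockouts(ev):
        print(f"block {ip} from {start:%H:%M:%S} until {until:%H:%M:%S}")
    for ip, users in usernames_tried(ev).items():
        print(f"{ip} tried usernames: {sorted(users)}")
```

On the sample, 203.0.113.7 reaches five failures in four seconds and is blocked at 19:00:05; its single retry at 19:30 starts a fresh count after the ban has lapsed, and alice's one typo from 198.51.100.20 never trips the threshold. The username sets make the answer's point concrete: the scanner tried admin, root, test and oracle without knowing anything about the host.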

Is revealing a PC account user name bad?

In short NO. Why?

  1. Well, for starters, your PC username is not information that is unique to you. A lot of people in the world can have the same Windows username.
  2. Since it's not unique to a person (unlike an email address, where two people can't have the same email address), an attacker can't gain much information or even tell with any degree of certainty that the username belongs to you and you alone.
  3. Sure, if that username of yours is your name itself, the attacker might use that knowledge to further OSINT you, but that's just about it.

Googling typically gets me back to the first two of these articles. These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.

That is because a username on a website is unique, and furthermore, in a brute-force attack two pieces of information are needed. An attacker could (if the website allows it) try a combination of passwords since he already knows that the username is valid.

Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.

The assumption that you make here is wrong. Never think that by hiding your IP address you might be "secure". The concept of defence-in-depth has to be applied here. The internet is being scanned for vulnerabilities as you read this answer.

The logs therefore reveal the account user name to anyone who may download the log file. And everyone including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.

In my opinion, there is nothing insecure here, plus you already say half of the people use fake names. There is nothing substantial to gain here for an attacker except maybe a bit of information about the person.

schroeder
yeah_well
  • Thanks, @Vipul! Actually, very few people change the log contents. But I lean towards agreeing that just a username isn't really going to give a bad guy something to go on. We are already being pen-tested constantly, true. The thought on not having the IP address was to go with: "here's this username I know works on one of the billions of devices on the internet, now which one do I try?" Of course if the forum got hacked, maybe the last IP address of a user's log-on could be read, then a direct attack could be started... – Triplefault Sep 03 '19 at 22:58
  • Sorry, what? Re 1 and 2 - your passwords may not be unique across the entire world - it still isn't a good idea to go and display them. Username is a part of your authentication in the same way the 2nd check is an authenticator in 2FA. You wouldn't dream of making it public would you? It may not be a critical problem in this instance - but in general - making usernames easily accessible is making it easier for someone to find the right username/password combination. – Amiga500 Nov 12 '21 at 11:17
  • @Amiga500 usernames are considered public info. You're making a false equivalence. – schroeder Nov 12 '21 at 11:56
  • You may consider them public info. That does not mean it's either wise to make them public info or that the general acceptance of them being public info is sensible. Unless you're suggesting the sensibilities of general opinion are a good guideline for delivering a secure system? – Amiga500 Nov 12 '21 at 13:28

Is it bad? Yes, but it depends on the specific case.

You should provide as little personal information as possible publicly, and you should hide this data.

SCENARIO 1:

The problem starts if that username is used in multiple locations and is unique. Let's say you were on a forum which was breached and the username/password got leaked; someone can just search for that username and find your password. If you are using that on other public platforms with the same password, as most people do, there is a potential you could get hacked that way.

SCENARIO 2:

If you work for a company and they have provided your PC username as name.surname, then posting that data on a forum will provide personal information about yourself and let others discover where you work, what you do, etc.; some people are not comfortable with that.

  • Thanks, @Raimonds! Having both the PC username and password online would be a serious problem. But the logs showing these PC folder paths containing the usernames don't have PC passwords attached. So reading the log won't get a bad guy that essential piece of information. If the forum got breached, getting a password to go with the username might be impossible if the account user didn't use the same password for both forum and the PC. And the forum passwords are probably all hashed & salted anyway. – Triplefault Sep 03 '19 at 22:41
  • Also thinking that if one's account name were their full name, the usability of the name would depend on its commonness. John.Smith, probably useless. Zaphod Beeblebrox, perhaps easier to find. :) My real name happens to be the same as an artist, so one would probably end up hacking him than me. I can see that people might not be comfortable, but is it really dangerous? – Triplefault Sep 03 '19 at 22:46