
The answers to this question, and the associated xkcd got me wondering: if I use different account names in every service, then can I use the same hard-to-crack password in each?

I'm thinking that cross-site password hacking, a-la-xkcd, is done by a machine, not a person. So it's easy to have usernames/emails that are site dependent (for example, all email addressed to @gregories.net comes to me, so I can have bank-account@gregories.net as the email for my bank). That's a lot easier to remember than a bunch of secure passwords, but if the bank gets hacked, bank-account@gregories.net is not going to work anywhere else.

What's the problem with this?

GreenAsJade
  • Along those same lines I use a different mail alias for each site I register at... I register at abc.com, the alias I set up is abc.com@mydomain.com; I register at xyz.com, I set up xyz.com@mydomain.com. If the site is hacked I can remove the alias; I also have the benefit of easily seeing which sites "share" info with others... if I receive mail via xyz.com@mydomain.com but it came from somewhereelse.com... I can then use that info for handling mail. To your question though, I agree with @Craig. – user1801810 Jun 08 '15 at 14:44
  • Yes, it is doing this exact thing that led me to wonder if I need to bother with different passwords as well, at least for sites where the email address is the username. I initially started doing it for spam evasion: being able to detect which site leaked the email address. – GreenAsJade Jun 08 '15 at 22:15
  • @user1801810 That's brilliant, I'm going to start doing that. (I've been using "standard+domain@mydomain.tld" where I can, but so many dodgy regexes reject the `+`..) – OJFord Jun 09 '15 at 23:12
  • Please, just use a password database/manager. Everyone should use it to maintain unique passwords for all of their accounts. I used to use KeePass for a long time and it worked well, but when I also got a Mac, I had trouble keeping my databases synced because KeePass is Windows only, so I switched to 1Password which is available for both, and it works well. – 40XUserNotFound Jun 10 '15 at 00:25

8 Answers


Big data analysis means that your different usernames probably aren't as disassociated from one another as you think they are. In other words, they are likely all identifiable as yours.

But perhaps the bigger issue is that if your password is compromised in one attack, then it becomes part of a password database the attackers can use against other password databases. Regardless of your usernames, they'll still (potentially) compromise your other accounts just by virtue of already having your common password in their database.

More recent attack vectors use heuristic techniques more, and things like rainbow tables less, but still consider that if a heuristic approach has broken your password (and the lessons learned have been fed back into the password cracking algorithms), then it's going to break the same password everywhere you've used it.

You're still better off using unique passwords for each service, IMO.

Craig Tullis

if I use different account names in every service, then can I use the same hard-to-crack password in each?

If the account names can be associated with the same person (i.e. different forums, same style of writing, similar content, etc.) then it does not matter if the names are different. And, unlike the plaintext or hashed password, usernames are often displayed to other users.

I'm thinking that cross-site password hacking, a-la-xkcd, is done by a machine, not a person.

This depends on the goals of the attacker. If the goal is to compromise as many accounts as possible then you might be right. If the goal is to steal the identity of a specific person then it does not matter much if this person uses different user names, as long as these can be associated with the same person.

Steffen Ullrich
  • I doubt a person could be so good as to link an account to someone based on style of writing, similar content and things like this... – Freedo Jun 08 '15 at 05:45
  • @Freedom: maybe not the style of writing alone, but together with the topics, expressed opinions, kind of arguing, etc., I'm sure a correlation is possible. And even if you are not 100% sure you can at least severely limit the search space using these techniques, which is useful for effective password hacking. – Steffen Ullrich Jun 08 '15 at 06:04
  • @Freedom who said a person is doing the analysis? There most certainly are computer algorithms that can identify authorship, and they'll only improve. – Craig Tullis Jun 08 '15 at 06:50
  • Some usernames are associated with public actions, but others are not. If Fred Jones is an Acme Bank customer, the fact that he is a customer may not be a secret that's guarded as closely as his login credentials or account details, but it generally won't be exactly public either. Using separate user names for the two types of services may be a good idea, though separation beyond that may provide less benefit. – supercat Jun 08 '15 at 15:52
  • @Freedom A person with software to do stylometric analysis certainly can be. There's research to demonstrate it. See: http://www.cs.berkeley.edu/~dawnsong/papers/2012%20On%20the%20Feasibility%20of%20Internet-Scale%20Author%20Identification.pdf (PDF link) – Xander Jun 12 '15 at 17:26

You really shouldn't. The reason why? Once a password common to several accounts is cracked, getting access is just a case of finding them. Since account names are relatively public, they are less well-protected than password data. A bit of innocuous research work would then give someone access to most or all of your online activity.

Grizzled
  • I dunno - I'd be curious about some substantiation that it's easy to find the account that matches a password? I guess if it were "personal", it'd make sense, but it seems like a long shot to think that hacking is looking for other accounts that match this password they found... – GreenAsJade Jun 08 '15 at 13:14
  • @GreenAsJade Are you using completely unrelated email addresses on completely different machines on different networks, taking care to never log into the wrong account or ever cross-reference any account/event/post/etc.? Then sure, if you ignore Steffen's point about dictionaries then it's just as hard to hack your accounts as it would be if they had different secure passwords. But it's far more work. – Matthew Read Jun 08 '15 at 14:04
  • @GreenAsJade What the good Mr. Read said - plus other telltales such as the use of Gravatar, writing style, your interests (is this the *only* computer-related forum that you post in?), et cetera. Or simple theft of your computer, although that's generally Game Over in security terms no matter what. – Grizzled Jun 08 '15 at 16:00
  • When the passwords are stolen, it's fair to assume that lots of other handy information is also stolen. That means they've got your postcode/zipcode, preferred language, your date-of-birth, the last four digits of your CC number, or whatever other miscellaneous stuff the web-site has stored up. That would be enough to join your online shopping accounts, once more than one is cracked. – SusanW Sep 26 '16 at 16:51

Most common folks don't care and aren't as paranoid as us about this kind of thing, so they usually use the same password (or variations of it) in most services, whether those are their bank accounts, email, game username, forum username (etc., you name it), and the same applies for usernames (relating to your question). This makes the general population of our planet that has access to the internet easy targets for hackers, companies and even their own family/friends, since once you discover one password or username you can try variations of it in their other services and chances are that you will be able to find a match.

Now going back to your question of: Is “different usernames” as good as “different passwords”?

I believe so. In this age where privacy is becoming harder and harder to get, as big corporations such as Google and Microsoft find better ways and improve their technology to use their advertising bots to track all our activities and throw us ads related to our activities, the best thing we can do is make it harder for them to track us down. I believe this also applies for security purposes: if you use the same username on several websites it makes it easier for a hacker or anyone to track you down and have a full picture of all your activities on the internet; most people think this is not a bad thing, but it is. Also, add to that the fact that this kind of philosophy of putting the same username also makes it easier for your friends, family, relatives and colleagues to discover all that you do on the internet, by the simple fact that you weren't careful enough to use different usernames. Which might lead to annoying/embarrassing situations, since those people in your real life know where they can find you in the virtual world.

For example, a hacker can discover your password in X service that you use. He might try to also check if your password is the same in the Y service, since you use the same username in both; even if the passwords are different he might have already collected enough information about your tastes, desires and your other password to try similar matches. In order to not have to go through this burden the best thing you can do is use different usernames, passwords and, if possible, different emails or aliases to make it harder for them.

BrotherJoe
  • This answer assumes it's difficult to attribute different usernames to one 'real' person. This is **not** true. Usually, commonly used IP addresses are stored with an account (the same across all accounts!), as well as the e-mail address in plaintext, which all share `@gregories.net`. This scheme is a form of [safety through obscurity](http://en.wikipedia.org/wiki/Security_through_obscurity), and should **not** be used. – Sanchises Jun 08 '15 at 07:56
  • Hmm, I wonder if "common folk" is just a strange kind of humor or a manifestation of your hubris. – phresnel Jun 08 '15 at 08:48
  • @sanchises ... commonality of IP address is the most persuasive argument I've heard so far... – GreenAsJade Jun 08 '15 at 13:15
  • @GreenAsJade Regardless of *how* you link the usernames to each other (IP addresses being an extremely easy one), it's **always** easier to do some detective work than breaking good encryption (assuming no zero-day exploits). – Sanchises Jun 08 '15 at 13:46

The simplest way that this could be broken is probably thus:

  1. One of your accounts has their password broken for some reason (we can take this as read, as if that never happens then just using the same user/pass everywhere would be fine too, so this is our starting point).
  2. Your hard-to-guess password gets put into a password dictionary.
  3. Your (not generally considered secret, and rarely as a vital secret) username gets tried with the password dictionary, that has your password in it.

That's a lot easier to remember than a bunch of secure passwords

And yet still harder to remember than not trying to remember passwords. Still, eventually you might find yourself having to bend your naming convention for usernames to fit different services' policies, so you're going to need to use a secure password store to keep track of them. In which case, why would you keep using the same password?

Jon Hanna

The question here is always "what is your threat model?" It is meaningless to ask such questions without a proper context given by a threat model. Most of the time a different username is not as secure as a different password. Other times, such as spy vs. spy situations or duress situations, a different username can absolutely be effective.

In nearly all cases (at least 99%, if not more), you will find a different username is less secure than a different password because traditional security approaches assume a username is not a secret while the password is a secret. This means anyone storing, displaying or using your credentials will likely fail to sufficiently protect the information that matters.

As a specific counterexample to your claim, consider the case where an attacker has compromised a server, so they have access to the database of username/password pairs of several sites. Let's say all of them played by what are considered "good" security rules: the passwords are salted and hashed, so no plaintext passwords are available. However, usernames are available in plain text (this is very typical, because there is no reason to hash data that is not a secret). Now, consider a compromise of one of those servers that gives your full credentials, username/password:

  • If you have different passwords for each server, the attacker can determine that you have accounts on the other servers, but because the passwords are still salted and hashed, they gain very little towards attacking the other servers.
  • If you have different usernames for each server, the attacker simply scans down the list of users, hashing your known password with the correct salt for each user until he finds a match. He then looks to the username column, and has your "secret" username. With no more than a few minutes worth of work, he has access to both accounts.

As a note: there are tools which will assist with attacks like this even if you just make simple permutations of your passwords to keep them "unique." We as humans are not very unpredictable - we may feel we are clever shifting our fingers one spot to the right when typing a password, but many password cracking suites already include that simple shift as one of the things they test for.

Cort Ammon
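The two bullets in the answer above, worked through as an added example (not code from the answer or from any project): a password learned from one site's breach is checked against a second site's salted, PBKDF2-hashed user table, once where the user changed only the username and once where they changed only the password. The same routine is what a site would run as a breach-response audit for reused passwords; every username, password and salt here is constructed.

```python
import hashlib
import hmac
import os

# Added illustration (not the post's code); all usernames/passwords constructed.
PBKDF2_ITERATIONS = 100_000
LEAKED_PASSWORD = "correct horse battery staple"  # learned from site 1's breach

def hash_password(password: str, salt: bytes) -> bytes:
    """The 'good rules' store the answer assumes: per-user salt + PBKDF2-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def make_user_table(credentials):
    """Build site 2's rows (username, salt, hash) from (username, password) pairs."""
    rows = []
    for username, password in credentials:
        salt = os.urandom(16)
        rows.append({"username": username, "salt": salt,
                     "hash": hash_password(password, salt)})
    return rows

def accounts_using_password(rows, known_password: str):
    """One PBKDF2 call per row: hash the known password with that row's salt and
    compare. Usernames never enter the computation; the match comes from the hash."""
    hits = []
    for row in rows:
        candidate = hash_password(known_password, row["salt"])
        if hmac.compare_digest(candidate, row["hash"]):
            hits.append(row["username"])
    return hits

def scenario_new_username_same_password():
    """The question's scheme: a fresh username on site 2, but the leaked password."""
    table = make_user_table([
        ("alice", "tr0ub4dor&3"),
        ("shop-acct-1138", LEAKED_PASSWORD),  # our user, under a new name
        ("bob", "another-password"),
    ])
    return accounts_using_password(table, LEAKED_PASSWORD)

def scenario_same_username_unique_password():
    """The alternative: the username is visible on site 2, but the password is unique."""
    table = make_user_table([
        ("alice", "tr0ub4dor&3"),
        ("gregories", "a-different-strong-passphrase"),  # same name as on site 1
        ("bob", "another-password"),
    ])
    return accounts_using_password(table, LEAKED_PASSWORD)
```

In the first scenario the "secret" username falls out of the hash match after three PBKDF2 calls; in the second the attacker can see the account exists but the leaked password matches nothing.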

It's easy to overestimate how interested hackers are in figuring out how 2 usernames fit. If someone really wants to, they can figure it out, but most hackers don't really care about that. To them usernames are just 1 part of a 2 part identity confirmation form, and the only reason they would care about that is if it can bring them money. Obviously, a bank would be a prime target for such a thing, something like Paypal or an e-bank. If someone can get your bank username, and your password, they can steal your money.

Because of that, having multiple usernames to choose from is a bonus. Even if they can figure out your regular username and password, if you use another username and password for your bank, they need to start from scratch. NOTE that you should still use another password, but if your username on the other sites you are using is sufficiently different from your bank username, an attacker is unlikely to make a connection between the 2.

Different usernames is just a minor hurdle to defend against targeted attacks, but it won't defend you against an attacker that just wants to compromise as many accounts as they possibly can.

Nzall

It is very common for a site to ask for an email address instead of a username; that can cause problems for you, and if you are using different emails that can be hard to manage.

From a security point of view it is a good idea, and it can confuse those hackers who know you on social networking or any other public site and try to use your same username on bank or PayPal sites;

this is part of one way hackers get a username, or at least what they think is going to be the username.

When it comes to encryption: passwords are always encrypted while storing them. Usernames may not be encrypted, or are visible on screen, so it is possible for them to hack that more easily than the password; for the password they will need a decryption algorithm even if they have hacked the data.

In any case, if you are changing one of the values and both are encrypted, it is at the same level for the hacker, and both fields will be at the same difficulty for him to track down.

friendy
  • FWIW, I use different emails all the time - not for security, but for spam avoidance. It's not at all hard to manage - they all arrive eventually in the same inbox. – GreenAsJade Jun 10 '15 at 12:51
  • It would be more correct to say "passwords are *sometimes* encrypted while storing them". I've lost count of the systems I've seen where the passwords were not encrypted. And - we don't strictly really mean encrypted here, do we? - we're really talking about hashing, which if done well, is not reversible: there IS no decryption algorithm other than brute force. – SusanW Sep 26 '16 at 16:44