3DSC Day 29: Unique Usernames

Today is the final “Account Security Tuesday” in the Thirty-Day Security Challenge!  Today I challenge you to create unique usernames for all your online accounts.  Like changing passwords and adding two-factor authentication, you don’t have to do this all at once.  Do it one account at a time, at normal logins.  Why does this matter as a security measure?  There are several reasons:

  1. If someone is targeting your account, he or she has to know where to begin.  If my account is jcarroll@___.com, an attacker’s job is halfway done.  He or she knows exactly which account to begin brute-forcing.  If, on the other hand, my account is U37CUIB9L1ZV3A@___.com, he or she will have a much harder time finding the correct account to attack.  This is the most important security reason for unique usernames.
  2. If a company’s database is spilled, it will not be immediately apparent that any particular account is yours.  For example, if a dating site spills its user database, you probably do not want your true name or a true-name-associated email address to appear on that list.
  3. Usernames can leak information about you.  If my username is jcarroll1975@___.com, it is a pretty safe bet I was born in 1975.  Some individuals go much further, including months and even exact dates of birth.  It would be preferable to choose a username that has absolutely nothing to do with you or any personal information about you.

So what should you use for your unique usernames?  There are several options:

  • Random generation.  This is the best option, but not all sites allow it.  Randomly generated usernames have no tie to you or your personal information.  I recommend using a random username on any account that does allow it.
  • Blur Masked Email Address.  This option is a close second.  If you have to use an email address, use a Blur address.  Emails will still be forwarded to you, but the address will have no apparent connection to you.
  • 33Mail Address.  Of the three listed here this is my least favorite option.  Though it still protects your “real” email account, frequent use of your custom domain creates linkage between accounts.  If you use it frequently and predictably enough, your usernames can also become easy to guess.  However, these accounts are excellent when you need to set up an account on the fly, like a retail loyalty account (and you can usually change it later).  33Mail accounts are also good when you have to verbally convey a username or email address.  Randomly generated usernames and Blur addresses are much harder to convey verbally.
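As an added example (not part of the original post), the Python sketch below audits a set of existing usernames against the three reasons listed earlier (reuse across accounts, embedded name, birth-year-like digits) and generates a random replacement in the style of the sample username above.  The site names, the `example.com` domain, the `personal_tokens` input and the leading-letter rule are assumptions made for illustration.

```python
import re
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_uppercase + string.digits  # character set of the post's sample username


def random_username(length=14, alphabet=ALPHABET):
    """Draw every character from the OS CSPRNG via the secrets module."""
    # Assumption: begin with a letter, since some sites reject a leading digit.
    first = secrets.choice(string.ascii_uppercase)
    return first + "".join(secrets.choice(alphabet) for _ in range(length - 1))


def audit(accounts, personal_tokens):
    """Return {site: [findings]} for usernames that are reused or leak personal details.

    accounts: {site: username or email}; personal_tokens: name fragments to search for.
    """
    local = {site: u.split("@")[0].lower() for site, u in accounts.items()}
    counts = Counter(local.values())
    findings = {}
    for site, name in local.items():
        issues = []
        if counts[name] > 1:  # same username on several sites links the accounts
            issues.append("reused")
        if any(tok.lower() in name for tok in personal_tokens if len(tok) >= 3):
            issues.append("contains-name")
        # A standalone 19xx/20xx run reads as a birth year (the jcarroll1975 case).
        if re.search(r"(?<!\d)(19|20)\d{2}(?!\d)", name):
            issues.append("year-like")
        if issues:
            findings[site] = issues
    return findings


# Constructed sample data; the sites and the domain are placeholders.
SAMPLE = {
    "shop": "jcarroll@example.com",
    "forum": "jcarroll",
    "dating": "jcarroll1975@example.com",
    "bank": "U37CUIB9L1ZV3A",
}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE, ["carroll"]).items():
        print(f"{site}: {', '.join(issues)} -> replace with {random_username()}")
```

Store each generated username in your password manager next to the account’s password, since a random username is not something you will remember.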

This is definitely an “advanced” security technique.  Few, including those in the security community, use unique usernames.  However, it will drastically increase the security of your accounts, especially when used in tandem with strong, unique passwords and two-factor authentication.
