Usernames as a Security Measure


I was recently a guest alongside my co-author, Michael Bazzell, on the Social-Engineer podcast (the episode will be available tomorrow).  We discussed social engineering for security and privacy reasons.  Since being on the show I have thought more about social engineering than at any time since I attended Chris Hadnagy’s SE course back in 2013.  One realization I’ve had is that social engineering attacks commonly begin with a starting point: an email address to which the attacker can send phishing emails, a phone number she can use to hack your cell account, or a username she can use to call customer service and request access.  Along this line of thought, it has also occurred to me that it is never a bad time to re-stress the importance of usernames as a security measure.

Passwords get a lot of flak.  “The password is broken,” “the password is dead,” “kill the password,” they all say.  I agree that there are serious problems with the password, the chief of which is that people simply don’t use good ones.  Through the history of passwords we have collectively failed to internalize what makes a good password.  Even if you are using excellent passwords, using a predictable username makes you vulnerable.  If your username is easily available or guessable, your account can be found, and the attacker has a place to begin working.  Amazon.com provided an excellent example of this type of breach early this year.  This is how so many attacks begin.  Customer service reps are trained to resolve issues for customers – not to keep hackers out – so they err on the side of helpfulness.  Soon enough your account has been compromised.

USERNAMES AS A SECURITY MEASURE

Having unique usernames is an excellent defense against this type of attack.  Many online accounts allow you to assign a username of your choosing.  This is ideal.  Let’s assume that an attacker is trying to get into one of my accounts.  He or she will likely begin by testing a username.  If my username is jcarroll he or she will find it relatively quickly.  If it is B7X3333O0H1NAD27U an attacker could search for months with no success.  Additionally, if my username is spilled in a breach, it will not be immediately obvious that “B7X3333O0H1NAD27U” belongs to me.
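To make the idea above concrete, here is an added example (my own illustration, not code from the article or from any product it mentions) that generates usernames over the same letters-and-digits alphabet as B7X3333O0H1NAD27U, derives a stable per-site username from a master secret so nothing has to be memorized or stored, and flags usernames like jcarroll that embed facts an attacker already knows; the function names, the 17-character default and the master secret are all assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

# Upper-case letters and digits: the same symbol set as the B7X3333O0H1NAD27U example.
ALPHABET = string.ascii_uppercase + string.digits


def random_username(length: int = 17) -> str:
    """Cryptographically random username; keep it in your password manager."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_username(master_secret: bytes, site: str, length: int = 17) -> str:
    """Deterministic per-site username: HMAC-SHA256(master_secret, site) encoded
    into ALPHABET. The same secret and site always give the same name, so nothing
    has to be written down, and without the secret no two names can be linked
    to each other (a breach of one site reveals nothing about the others)."""
    if not 1 <= length <= 40:  # 36**40 < 2**256, so modulo bias stays negligible
        raise ValueError("length must be between 1 and 40")
    tag = hmac.new(master_secret, site.strip().lower().encode(), hashlib.sha256)
    n = int.from_bytes(tag.digest(), "big")
    chars = []
    for _ in range(length):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def search_space_bits(length: int) -> float:
    """log2 of the number of usernames of this length over ALPHABET, i.e. how
    much an attacker must enumerate if the name carries no personal clue."""
    return length * math.log2(len(ALPHABET))


def looks_predictable(username: str, known_facts: list[str]) -> bool:
    """True if the username embeds something an attacker can learn about you
    (name parts, birth year, employer), the way 'jcarroll' embeds 'carroll'."""
    u = username.lower()
    return any(f.lower() in u for f in known_facts if len(f) >= 3)


if __name__ == "__main__":
    secret = b"constructed master secret, not a real one"  # assumption for the demo
    print(random_username())
    print(derive_username(secret, "amazon.com"), derive_username(secret, "dropbox.com"))
    print(round(search_space_bits(17), 1), "bits of search space for 17 characters")
    print(looks_predictable("jcarroll", ["Justin", "Carroll"]))
```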

Unfortunately, many websites use your email address as your username and will not allow you to choose a randomly-generated one.  The usual objection to working around this is that you would need multiple email accounts.  Fortunately, many solutions exist to solve this problem.  My favorite is Blur.  Blur allows you to generate pseudorandom email addresses.  These are called “masked email addresses”.  Each of these is unique, but all forward to your real email account.  An example of a Blur email address is 3d5edaf3@opayq.com.  Unfortunately the “opayq.com” domain will identify your account as that of a Blur user, but there are thousands of users of this service.

There are some other really cool features and benefits to Blur.  Though by default all emails will forward to a single account, you may add additional “real” email accounts.  This allows you to forward each Blur masked email to a different email account if you wish.  You can also turn off forwarding if you no longer wish to receive email from a particular address.  If you are completely finished with a Blur address you may delete it permanently.  Basic Blur accounts are free.

Like unique passwords, unique usernames also protect your other accounts.  If one account is breached, an attacker will not know any usernames for other accounts.  This model is not impenetrable.  An attacker could still call and, using your name, claim to have forgotten the username.  It is doubtful that you can ever make your accounts totally secure.  However, you can take the time to make them as secure as possible.  Starting with unique, unpredictable usernames as a security measure is an excellent way to do so.


4 thoughts on “Usernames as a Security Measure”

  1. I started doing this a few months ago. I was using my 33mail alias as my email/username, but noticed a lag in the email forwarding, and was a little worried that 33mail may not be around forever, and some accounts like Dropbox weren’t accepting my 33mail alias. I remembered that Yahoo allows you to make something like 500 email aliases linked to a single account, so I created a brand new account that I’ll never use except to receive emails about my accounts, and created a unique Yahoo alias for each account. It takes a little more work to create an account when I need one, but totally worth it because it’s backed by a major free email supplier. A bonus is it allows you to send an email from any of your aliases, so any email exchanges with customer service reps happen without any lag.

    The downside is that I’m surrendering some of my personal info to Yahoo.

    Keep up the good work, Justin! Can you provide some deadbolt brands you would feel comfortable using on your home?

    1. Dave,

      Thank you for reading and posting. That is excellent information about Yahoo that I was not aware of, and it sounds like you are pretty well set up. I worry about 33mail, for a couple of reasons. First, 33mail has access to the content of your messages. Next, your custom domain (@____.33mail.com) can create linkage between your accounts because you are the only person using it. Finally, anyone who gets your custom domain can spam you at an unlimited number of email addresses. I think that’s a big benefit to Blur – although you have to log in and create new addresses in advance (rather than making them up on the fly) it would be hard to reliably guess them. You can also use them (or 33mail) to forward to Protonmail or some other service that doesn’t use your personal data.

      I will definitely be posting more about deadbolts soon, along with some specific recommendations. I can’t make a promise as to when – I’m super busy right now but it will probably be within the month.

      Thanks again for posting!
      Justin

      1. You had mentioned that 33mail has access to the messages it forwards to your registered email address. Since you recommend Blur, does this mean that Blur does not have access to the contents of the mail that it forwards? As a sub-question to this, you suggest using forwarding emails for many areas like websites you have signed up for because 33mail and Blur are unique, but in the YUSG Windows 7, you have also suggested the five address model. Do you suggest having Blur forward to separate addresses depending on what the purpose of the account is, or do you use one of the accounts directly when signing up for something? For example, if you wanted to sign up for some loyalty card discount, this would almost certainly go to the throwaway account. Would you use a Blur address which forwards to the throwaway account or would you suggest using the throwaway account directly (although this question would apply to any of the five levels you address in YUSG Windows 7)? Perhaps I am overthinking this but I am curious as to suggested ways to use each because I would have assumed to use a forwarding email for anything I could since getting one gives out almost no information about me and it isn’t a real account to really access, but it may depend on what one is signing up for to decide what to do.

        1. Great question(s). First, even with different email accounts, I jealously guard the *actual* email addresses. If the actual address gets out, it means my attack surface on that account just went up significantly. So…I set up a Blur and 33Mail account for each (for most accounts I use the free Blur option). I use the Blur account when I sign up for things online, and the 33mail account when I’m out and about and have to come up with an email address on the fly (I try to use 33Mail sparingly).
          On the other hand, if I am trying to create disinformation, I will set up an account and use the actual address on everything. This builds out the address and makes it look “real” and used.
          Blur: Blur does have access to the contents of your emails since they are routed through Blur servers. I have a bit more trust in them because of some language in the privacy policies of both Blur and 33Mail, but I am still cautious about what I send through both. Truly sensitive information will be sent directly to an email address. ProtonMail’s premium subscriptions offer aliases that don’t route your emails through another, third-party server, just to your ProtonMail inbox. Unfortunately you have to pay for that privilege.
          Thanks for writing in – GREAT questions!
          Justin
