If hackers can work out people's usernames, they're halfway in. So how can we choose safer options?
Most web applications authenticate users with a username and password. Everyone knows how to choose a strong password, but what about the username? All too often we find a weak username leads to security problems.
You could use the person's email address as the application username; however, this will often be known to acquaintances, spammers and hackers. Should you allow the user to define the username or generate one for them? How complex should it be?
One of the more interesting identifiers we've found is the "driver number" on every UK driving licence. Outwardly, it would appear complex and random, made up of 16 alphanumeric characters. This would be way beyond the capability of a brute force attack. However, take a look at en.wikipedia.org/wiki/Driver's_license, which features an explanation of the various codes.
To work out a driver number, we need to know the individual's surname, initials and date of birth. That's really not going to take too long, given public resources such as the register of births, deaths and marriages. Then add social networking sites and Friends Reunited to fill in any gaps. Finally, there are two or three random numbers, which can be brute forced.
What can you do if you know the driver number? Let's say that you want the driving licence of someone whose identity you plan to steal. You can now alter a licence address online, and request a new licence to be sent to a different address. All you need is the driver number, name and current address. Scary!
The new licence will then be dispatched to the new address without the knowledge of the licence holder, who still has their licence in their wallet. Whilst the introduction of photo driving licences was a positive move, the images aren't great quality.
The driver-number format was chosen when the security issues of today were barely a glint in a hacker's eye. Now it looks depressingly weak. We should look at usernames in the same light.
Firstly we must move away from the idea of email addresses as usernames. This can leave applications open to spear phishing email attacks that target known users. Allowing people to define their own username does not mitigate the risk; the vast majority of users will simply choose their full name or surname and initial. The more savvy may have a stronger username, but probably use this on a number of e-commerce sites! While this allows them to easily remember their log-on credentials, it also leaves them wide open to hackers.
The alternative is assigning users their own username at random. This will make the identifier impossible to guess, but it will also make it difficult to remember, increasing the risk of it being written down. And a written-down credential is vulnerable to interception. We've lost count of the number of times we have come across usernames and passwords scribbled on a post-it note and stuck to the computer monitor.
There are still some good practices to follow, irrespective of username choice: for example, setting alerts within the application that highlight multiple attempts against sequential or similar usernames, as may be seen with a brute force attack. Similarly, you could monitor the rate of bad usernames - if you are aware that there is a problem, at least you can look into it further.
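As an added illustration of the two checks just described (not code from the article or from SecureTest), the following Python runs over a constructed login log, flags a source that fails against several sequential usernames sharing one stem, and computes the rate of attempts naming non-existent usernames. The log line format, the `unknown_user` and `bad_password` reason codes and the threshold of three distinct usernames are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample login log (not from the article); its format is assumed.
SAMPLE_LOG = """\
2024-01-01T10:00:01 ip=203.0.113.7 user=jsmith01 result=FAIL reason=unknown_user
2024-01-01T10:00:02 ip=203.0.113.7 user=jsmith02 result=FAIL reason=unknown_user
2024-01-01T10:00:03 ip=203.0.113.7 user=jsmith03 result=FAIL reason=bad_password
2024-01-01T10:00:04 ip=203.0.113.7 user=jsmith04 result=FAIL reason=unknown_user
2024-01-01T10:00:05 ip=203.0.113.7 user=jsmith05 result=FAIL reason=unknown_user
2024-01-01T10:00:09 ip=198.51.100.4 user=alice result=FAIL reason=bad_password
2024-01-01T10:00:10 ip=198.51.100.4 user=alice result=OK
"""

LINE_RE = re.compile(
    r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)"
    r"(?: reason=(?P<reason>\S+))?"
)

def parse_log(text):
    """Parse each line into a dict with ip, user, result and reason keys."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())  # reason is None when absent
    return events

def username_stem(user):
    """'jsmith03' -> 'jsmith': sequential or similar usernames share one stem."""
    return re.sub(r"\d+$", "", user.lower())

def similar_username_alerts(events, min_distinct=3):
    """Sources whose failed attempts hit several distinct usernames of one stem."""
    seen = defaultdict(set)  # (ip, stem) -> distinct usernames tried
    for e in events:
        if e["result"] != "OK":
            seen[(e["ip"], username_stem(e["user"]))].add(e["user"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_distinct}

def unknown_user_rate(events):
    """Fraction of all attempts that named a username that does not exist."""
    if not events:
        return 0.0
    return sum(e["reason"] == "unknown_user" for e in events) / len(events)
```

On the sample log this reports one alert for 203.0.113.7 across five `jsmith*` usernames, while alice's single mistyped password is not flagged; the unknown-username rate is four attempts in seven.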
As with nearly all security-related questions, it will be a case of achieving a compromise between the perceived risk and the sensitivity of the information stored. If we ensure that there is no way to enumerate valid usernames, the potential risks of impersonation should remain relatively slim.
The whole question of identification may seem rather existential. Nietzsche would certainly think so. And in a world where we question the validity of our own existence, he'd be sure to see the irony in trying to prove our existence to others.
- Ken Munro is managing director of SecureTest. He can be contacted at email@example.com.