What’s in a name?

Here is something quite interesting. Nobody ever considers the user names. They are just sort of “given”. Well, are they? Most of the time, they are not. They are assumed and designed into the system one way or another. And they can have an impact on security.

An old saying goes that a secure Windows computer is the one that is switched off, locked in a safe and dumped into the ocean. That goes for any other system and still leaves a tiny chance of a deep water diver break-in. We cannot make a computer system impenetrable. What we can do is make it harder for an attacker. One of the ways to make it just that bit harder is to choose good user names.

What’s a good user name? What is a user name? What is a user id? What is user identification? What on Earth is the difference? Hold it there, it’ll be all right in a minute.

I promise I will try to be as unscientific about it as possible.

Let’s start by making a distinction between what you think of as your user name and what the system thinks of as your user identification. In a normal traditional system design those are different things. And in security conservatism is a good trait.

Historically, the users were identified with numbers, account numbers. Still, in most systems internally the users are identified with account references, usually numbers. We will call these “user id”. Originally, users used the account numbers, the user ids, to log in to the system. Nowadays they usually don’t. Typically users use some kind of aliases to log in, those being user names, e-mail addresses and so on. We will call these “user names”.

Functionally, only one property is important for both the user id and the user name. They must be unique within the boundaries of the system. This is quite normal, no? The system must be able to distinguish between users, so the ids must be unique. The log in procedure must refer the user name to a single user id, so the user name must also be unique. Simple.

What are the security requirements to the user ids and user names?

The user names have to be unpredictable to help fighting the brute force attacks. We know very well that the most popular password is “password”. If an attacker knows the user names on the system, he can try all of them with the password “password” and he may get lucky. Another important issue is the lockout of users, also known as a denial-of-service attack. If the system locks users out after three unsuccessful attempts and the user names are known, an attacker can go through all user names and perform those three attempts, locking everyone out of the system. So unpredictable user names make an attacker’s life difficult. Mind you, unpredictable user names, not necessarily random user names.

We must distinguish between two very different cases now.

In one case the user base is automatically versatile and the user names selected for some semi-obscure reason are sufficiently diverse. For example, you have a website where people register with their email addresses from all over the world. Those are hard to predict. They are not random but making an exhaustive search for user names is technically hard. So you are lucky and you can leave things as they are.

On the other side, if your user base is fairly uniform, selecting something else as an identifier would work better. Suppose you run a company and all registered users belong to your company. If you select email address as an identifier, the attacker’s life suddenly becomes much easier. Get the list of people and there you go, you know all user identifiers. In this case letting users select their own identifiers, for example, would work much better. Do not be tempted into assigning the employee numbers, that are usually sequential, as user names. Letting people come up with aliases, nicknames is a really good idea then.

Let’s come back to the user ids now. For the user ids, unpredictability also matters. Suppose that there are methods in your application that take user id as a parameter to perform some operations, perhaps, viewing the user record. Then knowing the user id makes it easy to view user records and finding information about users and the system. And don’t count too much on your access control, it may fail some time and the only thing that will stand between your users and the attacker will be the unpredictability of those numbers. Remember, that’s what went wrong at Citibank. And, really, you have nothing to lose – the computer does not particularly care what kind of numbers it is crunching.

So, what’s a good strategy for the user ids? There is only one: the user ids must be random. They do not really need to be generated from cryptographically strong random numbers but they must be sufficiently random as to be unpredictable for an external observer a.k.a. the attacker. Oh, and UUIDs are not unpredictable, just in case you were wondering.

What’s a good strategy for user names? They must be unpredictable. Either they are already because you have a diverse user base and all you have to do is to force no additional scheme on them. Or your user base is uniform and then you must come up with a scheme to introduce unpredictability, the easiest being to use nicknames.

And that’s it for names, I think. Wasn’t that easy? ;)

For an extra bit of fun: Default Admin Username and Password list. May be useful, you know.