BreachExchange mailing list archives

Why We Should Recognize Usernames as a Security Risk


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 29 Sep 2014 18:47:46 -0600

http://www.itbusinessedge.com/blogs/data-security/why-we-should-recognize-usernames-as-a-security-risk.html

Whenever a breach of some sort occurs, two things tend to happen. First,
the general password warning is given: Change them now, change them
regularly, and don’t repeat passwords for anything. Second, people
experience angst over password use in general. They often feel that the
password has come to the end of its usefulness and we need to move on to
other sorts of authentication.

You know what we never talk about when news breaks about a data breach and
stolen passwords? Usernames. If we look back at two major password-related
breach stories from recent months, it’s obviously something that should be
considered. When word went out about the Russian hackers who had stolen a
billion passwords, it was also reported that usernames were stolen.

It was the same situation with the Gmail incident of earlier this month.
But if we look closely at the way an eSecurity Planet story phrased the
incident, we see what the real issue is:

The following day, however, Google published a blog post stating that less
than 2 percent of the username and password combinations would have worked
for Gmail.

Username and password. Not just password alone.

I think it is time we start focusing just as much on the risk of the
username as we do the password. I’ve thought about this topic before, and
while I did talk to some who took the idea of using the same username
across platforms as a serious security concern, the majority of the
security experts I talked to went back to the standard “make sure you use
unique passwords everywhere and, even better, use multi-factor
authentication.” Today, however, I came across an article in the Des Moines
Register that addressed the concern of the username:

“People do not realize that if they do something as benign as posting a
comment on a public page with a username like CrazyShaunOrlando, those two
pieces of information are enough detail for a criminal to exploit,” said
Shaun Murphy, CEO of PrivateGiant, which specializes in online privacy.
“Within minutes they can find your home address, how much you purchased
your home for, what high school you attended, where your kids go to school
— the list goes on.”

Login Security

This article was targeted to the consumer, but this has to be a concern in
the workplace, too. Are your employees using the same usernames for
business use as they are for personal? Even if they aren’t, there is likely
enough of an overlap – especially with BYOD – that the username overuse
puts enterprise data at risk.

Usernames and passwords are separate entities but they do go hand-in-hand.
When we talk about figuring out new authentication options like this
CSO.com article does, we need to give equal time to the username as we do
the password. It’s important to remember that when we just have a username,
it is easier than we realize to match that name with a password, simply
because users are so lazy about password management.

So it is time to give the username attention and understand the role it
plays in network security.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/