PaulDotCom mailing list archives

Creating usernames using Google and Linkedin


From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Fri, 12 Jun 2009 18:34:59 -0400

Thanks for such a great tool!  It worked without any problems on my system.

I still think the best defense against this is a strong password (or
multifactor authentication). In my opinion, it is best to not consider the
username something that is secret or secure (although you don't want to
broadcast them to the world either).  The only way that you could do that
would be to create random usernames which is probably not practicable.  Even
if you don't use one of the standard formats, your fellow employees, former
employees, partners, etc. will all be familiar with the naming convention
that you are using.   You have to emphasize the importance of strong
passwords to your end-users.  It is also good to show users how to create
good passwords since users can still create some pretty weak passwords that
meet common complexity rules!   ("Perfect Passwords" by Mark Burnett is a
great resource to assist with this).  Well, that is my opinion, for what it is
worth!

Also if you are working in a sensitive industry you may want to have a
policy against users advertising who they work for on a social network page!

Thanks!

Jody

  _____  

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Jason Wood
Sent: Friday, June 12, 2009 2:09 AM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Creating usernames using Google and Linkedin

Hey all,
I was messing with something today and remembered episode 129 had a segment
on using a target company's website to generate passwords.  I tried it out
and with a bit of tweaking it worked great.  But I also wanted a username list
that was targeted for the company.  I took a twist on creating passwords and
did some queries on Google such as "site:linkedin.com CompanyName".  In my
case, I found 26 pages of search results containing almost nothing but
people's full names.

I found a Python script that pdp at gnucitizen had written to pull Google
search results.  I did some hacking on it and came up with a script to
create a list of usernames using the targeted search results.  It creates
the basic variations of first initial, last name and firstname, last
initial.  I'm not a Python scripter, so if you have any suggestions on
improvements please let me know.  I've got it dialed down to only take the
first page's results.  You can download it at
http://www.jwnetworkconsulting.com/downloads/usernameGen.txt  

The only real defense I can think of against this is to make sure usernames
at your organization are not based on their names.  I know from experience
that people will absolutely HATE it, but it would work.

Anyhow, hopefully this is useful to someone else.

Jason
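
An added example, not part of either message in this thread: a password check that illustrates the point in the reply above about weak passwords that still meet common complexity rules. The rule thresholds, the word list, and the user "John Smith" (jsmith) at "Acme" are all assumptions made up for illustration.

```python
import re

# Leetspeak substitutions undone before matching, so "P@ssw0rd" reads as "password".
LEET = str.maketrans("@4310$57!", "aaeiossti")
# Small illustrative list of base words; a real deployment would use a larger dictionary.
COMMON = ("password", "welcome", "letmein", "qwerty",
          "spring", "summer", "autumn", "winter")

def meets_complexity(pw):
    """Typical rule: 8+ characters drawn from at least 3 of 4 character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    return len(pw) >= 8 and sum(bool(re.search(c, pw)) for c in classes) >= 3

def weak_reasons(pw, username, full_name, company):
    """Return the reasons a password is guessable despite its character mix."""
    norm = pw.lower().translate(LEET)
    reasons = []
    # Terms anyone who knows the naming convention or employer already has.
    context = {t.lower().translate(LEET) for t in (username, company, *full_name.split())}
    for term in sorted(context):
        if len(term) >= 3 and term in norm:
            reasons.append(f"contains account or company term '{term}'")
    for word in COMMON:
        if word in norm:
            reasons.append(f"contains common base word '{word}'")
    # One word followed by a short run of digits/symbols, e.g. a season plus a year.
    if re.fullmatch(r"[A-Za-z]+[\d\W_]{1,6}", pw):
        reasons.append("single word plus short digit/symbol suffix")
    return reasons

def audit(candidates, username, full_name, company):
    """Map each complexity-compliant but guessable password to its reasons."""
    found = {}
    for pw in candidates:
        reasons = weak_reasons(pw, username, full_name, company)
        if meets_complexity(pw) and reasons:
            found[pw] = reasons
    return found

if __name__ == "__main__":
    # Constructed sample data: hypothetical user "John Smith" (jsmith) at "Acme".
    sample = ["Summer2009!", "Jsmith123!", "Acm3Corp#1", "correct-horse-Battery-41"]
    for pw, reasons in audit(sample, "jsmith", "John Smith", "Acme").items():
        print(f"{pw}: {'; '.join(reasons)}")
```

A check like this belongs at password-change time, where the plaintext is available and the user can be told why the choice was rejected.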
