Whenever a breach of some sort occurs, two things tend to happen. First, the general password warning is given: Change them now, change them regularly, and don’t repeat passwords for anything. Second, people experience angst over password use in general. They often feel that the password has come to the end of its usefulness and we need to move on to other sorts of authentication.
You know what we never talk about when news breaks about a data breach and stolen passwords? Usernames. If we look back at two major password-related breach stories from recent months, it’s obviously something that should be considered. When word went out about the Russian hackers who had stolen a billion passwords, it was also reported that usernames were stolen.
It was the same situation with the Gmail incident of earlier this month. But if we look closely at the way an eSecurity Planet story phrased the incident, we see what the real issue is:
The following day, however, Google published a blog post stating that less than 2 percent of the username and password combinations would have worked for Gmail.
Username and password. Not just password alone.
I think it is time we start focusing just as much on the risk of the username as we do the password. I’ve thought about this topic before, and while I did talk to some who took the idea of using the same username across platforms as a serious security concern, the majority of the security experts I talked to went back to the standard “make sure you use unique passwords everywhere and, even better, use multi-factor authentication.” Today, however, I came across an article in the Des Moines Register that addressed the concern of the username:
“People do not realize that if they do something as benign as posting a comment on a public page with a username like CrazyShaunOrlando, those two pieces of information are enough detail for a criminal to exploit,” said Shaun Murphy, CEO of PrivateGiant, which specializes in online privacy. “Within minutes they can find your home address, how much you purchased your home for, what high school you attended, where your kids go to school — the list goes on.”
This article was targeted to the consumer, but this has to be a concern in the workplace, too. Are your employees using the same usernames for business use as they are for personal? Even if they aren’t, there is likely enough of an overlap – especially with BYOD – that the username overuse puts enterprise data at risk.
Usernames and passwords are separate entities but they do go hand-in-hand. When we talk about figuring out new authentication options like this CSO.com article does, we need to give equal time to the username as we do the password. It’s important to remember that when we just have a username, it is easier than we realize to match that name with a password, simply because users are so lazy about password management.
So it is time to give the username attention and understand the role it plays in network security.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba