Usernames: The New Password

Published by Torry Crass on

One thing has remained consistent over the past several years with respect to passwords: insecurity. Statistically, they're liable to be guessed, stolen, or cracked, sometimes with shocking speed. The advent of what could be termed as digital cryptographic dictionaries like rainbow tables and other tools, like hashcat, have made passwords less secure than ever before.

This isn't new information, people have been reporting on this for a while now, even publishing comic strips on it like the XKCD version below.


Credit: http://imgs.xkcd.com/comics/password_strength.png

While there was some debate over the accuracy of the comic, the basic premise still holds true, passwords aren't as secure as they once were. Now, you could say, their security hasn't changed, this is true, but the tools and methods of attacking passwords have changed making it easier to compromise their security. For example, Trustwave, a security company specializing in SIEM software, published a document on business passwords that states: "We recovered more than half of the passwords within just the first few minutes. We eventually cracked 576,533 or almost 92 percent of the sample within a period of 31 days." (Credithttps://gsr.trustwave.com/topics/business-password-analysis/2014-business-password-analysis/)

One method to help take a bite, albeit small, out of these nasty statistics is to use a "pass phrase" instead of a password. This involves choosing a group of words or phrase such as "ThisIsMyBestPassword" or "RockBlueTreeCable8675309" which keeps the password easy enough for a person to remember but long enough to still be a challenge for most password cracking utilities that would use bruteforce as an attack. Trustwave also looked at the time it would take to crack passwords of different complexity with results stating: "If for the purposes of this estimate we assume the attacker knows the length of the passwords and the types of characters used, “N^a&$1nG” could be cracked in approximately 3.75 days using one AMD R290X GPU. In contrast, an attacker would need 17.74 years to crack “GoodLuckGuessingThisPassword” using the same GPU.(Credithttps://gsr.trustwave.com/topics/business-password-analysis/2014-business-password-analysis/)

The passphrase method provides a wat to add a little more security for passwords. However, even this is still vulnerable, one possible attack against this is to create a dictionary attack to combine words; especially if you know how many words are used in this type of password creation. In general, it can be assumed that most people will use more than two words in their password, since everyone wants to get above that falsely magical 8 character password, and quite a few two word combos won't do that. That takes us up to three words. However, most passwords that I've seen using this scheme are 4 words in length and, while I don't have research on it, based on my experience, I would say this is a good start.

With a little digging around we can find some interesting language statistics. "We have seen that the Oxford English Dictionary contains 171,476 words in current use, whereas a vocabulary of just 3000 words provides coverage for around 95% of common texts. If you do the math, that's 1.75% of the total number of words in use!" (Credit: http://www.lingholic.com/how-many-words-do-i-need-to-know-the-955-rule-in-language-learning-part-2/) This gives us the following rough math; for a passphrase that contains four separate words using the 95% as target, that would mean, 81,000,000,000,000 combinations. However, because we used the 95% rule across 4 word sets, our expected success rate is going to go down a little. With an average single GPU cracker we can assume ~7000 attempts a second (this will vary with hardware and algorithm being cracked, some are in the millions per second).

So, if you do a little info-babble-translation and say 4 words is really a password length of 4, since you're using whole words, with a character set of 3000. The math works out to roughly 132 days for the whole sh'bang (Credithttp://calc.opensecurityresearch.com/). That might seem like a lot of time, but remember, this was for a single average GPU. With optimization the time would go down significantly and it is relatively inexpensive to chain an extra GPU in which will bring the crack time below the typical 90-day password change threshold.

Another attack that I thought I would briefly mention is rainbow tables which pre-calculates the password hashes so they can be looked up in a database. This can result in passwords being cracked in a matter of seconds. Rainbow tables have some specific caveats such as not being effective against salted passwords. This is because salts make the password hash unique. The hashes can still be pre-calculated if the attacker knows the salt, but this generally isn't an accepted method of attack since it's often going to take longer to generate new rainbow tables than is actually of value, especially since that table would only be valid with the specific salt. But I'd like to move on with the point so that's where we'll leave this.

One final important note: Some newer encryption methods (not widely used) are much more resilient to speed based brute force attacks like this. Variations like this can make differences in thousands of hash calculations per second. Because of this and since it's still one of the most common algorithms used today MD5 is assumed for the purpose of this article.

So what's this have to do with usernames you ask? Exactly my point. We're focusing on continued pass[word|phrase] complexity and only taking into account one factor related to authentication.

An equally important, and often overlooked, portion to authentication is the username. This little gem, in most instances, occupies 50% of the accounts authentication needs (one exception to this are accounts where two-factor authentication is enabled). So, if you consider this, getting the correct username takes an attacker from 0% to 50% closer to account access. They're half way there! Maybe…

For this premise to matter we have to consider the following:

  • How often are usernames part of an authentication process?
  • How easy is it to obtain or guess usernames?

On the first question, I don't believe there are any hard statistics or research to support this, however, given the demonstrated prevalence, I think it can be reasonably assumed that over 99% of all accounts contain at least a username and password combination.

For the second question, again this turned out to be extremely difficult to find specific research on. Because of this, I set up a survey in order to attempt to extrapolate information about the prevalence of usernames and how they are composed. This doesn't provide a truly research grade sample because of the limited responses received, but it's a start.

First, based on my experience (having several hundred of my own accounts across the internet), it can be assumed with good accuracy that usernames will often take one of the formats below and, even more importantly, the more sensitive the account, the more likely it is to have a direct association to the user.

Common Username Formats:
FirstNameLastName – This is fairly common to see with system logons where the username is a variation of first and last names, possibly with numbers appended.
FirstInitialLastName – Another extremely common example is first initial last name, again, with the chance of numbers being appended.
E-mail Address – The e-mail address or domain address is fairly common for network logons and internet services.
InternetHandle​ – A users made up name that they often use for internet services, this could be (much like a password) a pet, a nickname, a favor thing, etc.
Account ID – This is often seen for various accounts but not nearly as prevalent as the others.
(inject a period between parts or, sometimes, vary case or similar things that can be easily deduced if the attack is targeted)

Now, onto the questions and results of the survey…

Question: When the vendor sets up your account, what are the typical formats you see used for the username?

combination of initial(s) and or first and last name.

53.13%
internet handle, nickname(s).

21.88%
social security or other identification such as address and zip.

3.13%
e-mail address.

62.50%
account number.

12.50%
randomized alpha-numeric username.

12.50%
Other (please specify)

0.00%

*Note: The results add up to more than 100% because respondents could choose more than 1 option.

As you can see from the results, usernames are constructed using what I would consider typical account structures an extreme majority of the time. Now, the next question.

 

Question: When creating an account, typically, do you have the ability to specify a username or are they generally assigned by the vendor?

Yes, mostly they are assigned by the vendor.

3.13%
No, I typically have the choice to set my own username name.

65.63%
I've never thought about it and don't have an answer.

6.25%
It's really about 50/50. I have had both.

25.00%

Based on these responses, we can extrapolate that most accounts can be set by the user. Okay, now to the next question, let's find out when the user has the ability to choose their account name, how they go about it.

 

Question: When you have the ability to create your own username what formats do you typically use?

combination of initial(s) and or first and last name.
46.88%
internet handle, nickname(s).
43.75%
social security or other identification such as address and zip.
0.00%
e-mail address.
43.75%
account number.
0.00%
randomized alpha-numeric username.
3.13%
Other (please specify)

3.13%

This is an extremely telling result. The responses show us that users almost always choose to use formats that align with previously considered common constructions. Possible reasons for this may be because users are looking to keep this simple and easy to remember and it is also possible that the username is not considered to provide a true security function on an account. The next question helps us answer this further.

 

Question: If you had the ability to use a randomized username (ex: Efsu!df4), would you?

Yes. I would, or, I already do.

0.00%
Maybe…

28.13%
No, that's too hard to remember.
68.75%
No, I don't see the value in it.
3.13%

And that answers one of the last questions. Based on these results, a high majority believe that a randomized account name is too hard to remember. Even more clear is the result that 0% of responses indicated that they do or would certainly use such an account format. The next question had to do with the importance of account security to the respondent.

 

Question: To you, how important is username and password security?

Not Important Neutral Extremely Important
0.00%
0.00%
9.38%
37.50%
53.13%

As you can see, just over 90% of respondents consider username and password security to be important to extremely important. But still, would not willingly use a randomized username. Now, I wanted to make sure that I was gathering results from a variety of backgrounds, the next several questions are intended to validate that desire.

 

Question: As far as you know, have you ever had an account compromised?

Yes.

40.63%
No.

59.38%

Question: How much instruction have you had on account security?

I've had work provided guidance only.

34.38%
I've read articles and/or other material on how to make account secure.

43.75%
I do research on the topic.

12.50%
I have never had any guidance on this, other than maybe what has been shown on the evening news.

9.38%

Question: Please select your age range.

18-24

6.25%
25-34

43.75%
35-44

15.63%
45+

34.38%

Question: What is your field of employment?

I work in information technology.

15.63%
I work in information security.

6.25%
I work in an office setting.

25.00%
I work in the service industry, such as hotels and restaurants.

3.13%
I work in a manual labor job such as factory work, construction or other industrial positions.

6.25%
Other (please specify)

43.75%

The results of the survey indicate that, as suspected, account names are based heavily on easily identifiable information such as e-mail address, combinations of first and last name components, and sometimes other account or sensitive information. In converse, they are almost never randomized. Based on the results, this is also not likely to change anytime soon with the reasons being that users feel that such a change would make account information too hard to remember.

This means that it is, and likely to continue to be, easy to identify account names through simple assumption, Google searches, social media, and other means that, for an attacker, could be considered trivial.  As previously stated, this means an attacker is going to be almost half way to logging into an account from the beginning.

A possible solution to this, where supportable, would be to change account naming conventions to use randomized alpha, alpha-numeric, or more even complex structures. By implementing this change, it would exponentially increase the difficulty of breaking into an account since an attacker would then have to successfully guess, or brute force, the randomized account name as well as the password.

One argument against this, again as the survey shows, is that this would make logging into the account impractical for the account holder as well. The details of this argument are beyond the scope of this article. However, it is reasonable to assume that computer users are opening, and needing to remember, more and more accounts across the internet and as a result, remembering all account logins is going to become increasingly difficult as a natural progression of internet usage. Currently, the best solution to cover this, as well as allow for the increased account name complexity, is to use a secure, encrypted, account management solution such as LastPass or other offline solutions. These allow for secure account name and password storage with ease of access, and even multi-factor authentication in some cases.

So, get your account management software and start making your accounts safer or, at least make it so attackers cuss more when trying to break into your accounts. =)


0 Comments

Leave a Reply