Use Complex UserIDs When Passwords Are Too Short
Passwords Too Short?
Sometimes websites don’t allow strong passwords: no punctuation, no spaces, nothing over 20 characters. So what can we do to increase security just a little?
Change the login account ID to something long and random. Often a userID doesn’t have to be an email address or your name; it can be anything, perhaps 30 characters long. So use a long, random userID on those websites that can’t allow long, complex passwords for whatever reason. Combined, the userID and password should be harder to guess. One caveat up front: this raises the cost of online guessing, where an attacker tries passwords against common or known userIDs, but it does nothing once a leaked password database is being cracked offline, because userIDs are normally stored in plaintext.
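As an added illustration of the arithmetic behind this advice (example code, not from the original post), the following Python generates a random alphanumeric userID with the OS CSPRNG and compares the guessing work for the limits the post describes later: an 8-character alphanumeric password and a 20-character userID. The guess rates used in the demo (10 guesses/s online, 1e10/s offline on a GPU) are illustrative assumptions, not figures from the page.

```python
import math
import secrets
import string

# Character set the site in the post accepts: letters and digits only (62 symbols).
ALPHANUMERIC = string.ascii_letters + string.digits


def random_userid(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Generate a userID of `length` characters drawn uniformly from `alphabet`.

    Uses the OS CSPRNG via `secrets`; `random.choice` is predictable and must
    not be used for anything an attacker might try to guess.
    """
    if length <= 0:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> float:
    """Entropy in bits of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def search_space(length: int, alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Number of distinct strings of the given length: alphabet_size ** length."""
    return alphabet_size ** length


def expected_online_guesses(userid_len: int, password_len: int, userid_known: bool,
                            alphabet_size: int = len(ALPHANUMERIC)) -> int:
    """Average login attempts an online guesser needs before hitting the right pair.

    If the userID is known (an email address, a common name), only the password
    has to be guessed. If the userID is random and unknown, the attacker must hit
    both, and the two search spaces multiply. Expected guesses are half the space.
    """
    space = search_space(password_len, alphabet_size)
    if not userid_known:
        space *= search_space(userid_len, alphabet_size)
    return space // 2


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Time to try every candidate at a given guess rate (the attacker's worst case)."""
    return space / guesses_per_second


if __name__ == "__main__":
    # The post's site: 8-character alphanumeric password, 20-character userID.
    print("random userID:", random_userid(20))
    print(f"8-char password: {entropy_bits(8):.1f} bits")
    print(f"20-char userID : {entropy_bits(20):.1f} bits")
    # Assumed illustrative rates, not figures from the post: 10 guesses/s against
    # the live login form, 1e10/s for offline GPU cracking of a leaked hash.
    for label, rate in (("online, 10/s", 10), ("offline GPU, 1e10/s", 1e10)):
        secs = seconds_to_exhaust(search_space(8), rate)
        print(f"exhaust 8-char passwords ({label}): {secs / 86400 / 365:.3g} years")
    both = expected_online_guesses(20, 8, userid_known=False)
    print(f"expected online guesses with unknown random userID: {both:.3g}")
```

The numbers make the post's point precise: an 8-character alphanumeric password is about 48 bits, which a GPU at the assumed rate exhausts in hours, while a random 20-character userID adds about 119 bits that only help when the attacker has to guess the userID too, i.e. online, not against a leaked database.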
What brought this on?
Twice a year or so, I look at the logins for important websites. Banks, brokers … things like that. This time I was shocked to see a very short password for a very important website. That website has always bothered me over the length limit for passwords. Further, it was just alphanumeric; scary. Any password under 15 characters is a joke these days thanks to GPU password cracking techniques, and limiting them to letters and numbers reduces the entropy and makes cracking passwords much, much easier.
At this website, the password was limited to 8 characters, but the userid could be 20 characters. Hummmm. Interesting. So, I used the password generator to make a random 20 character userid. Combined with the relatively weak password, I hope this significantly improves the login security for that website.
At least it can’t hurt. Since I use KeePassX to fill in the userid and password, I’ll never have to worry about typing them in anyway.
Just to clarify a little, in the end, you have
Hopefully, the random UserID won’t be emailed and intercepted along the way. In my testing, it doesn’t even show up on any web pages at the shorter-than-I-like-password website. Of course, you’ll want to use a password manager if you do this. Now I don’t know either my password OR my userID for my most critical online financial accounts. I always have to look them up. That’s a bonus to me.
If you don’t use a password manager, this is either the time to start or to be very afraid.
But usernames are usually stored in plaintext, right? Not sure if this will protect you in case of a database breach, unless they hash usernames too.
You are absolutely correct. This is not ideal. If they get the password DB, it is all over.
That is, once the password DB is pulled to a location where GPU brute force can be applied. But most of the systems that still use 8-character passwords are running mainframe back ends. RACF on MVS or z/OS is a formidable security system. Unauthorized access is reported; just attempting to view certain files is considered unauthorized. I know. I’ve had to explain viewing of /sys9/ areas to someone two levels above me and provide a written report about it.
I definitely do not consider EBCDIC encoding to be part of the security either.
OTOH, if the crackers are blindly trying passwords against common userids and the system isn’t able to lock out accounts based on multiple failed attempts from a source IP, this is better than nothing.
True, if they are just blindly trying passwords, chances are they will never try a truly random username. Better than nothing, as you said.
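An added example, not part of the comment thread: the per-source-IP lockout logic the reply above refers to, written as detection code run over constructed sample log lines (the log format, userids and addresses are assumed for illustration, not taken from any real system). It counts failed logins per source address and per userid; a password spray against common userids shows up as a pile of failures from one address, while the random 20-character userid in the sample receives no attempts at all.

```python
import re
from collections import Counter

# Constructed sample of login-attempt log lines (not from any real system):
# "<timestamp> <OK|FAIL> user=<id> ip=<source address>".
SAMPLE_LOG = """\
2024-03-01T08:00:01 FAIL user=admin ip=203.0.113.9
2024-03-01T08:00:02 FAIL user=admin ip=203.0.113.9
2024-03-01T08:00:03 FAIL user=root ip=203.0.113.9
2024-03-01T08:00:04 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:05 FAIL user=jsmith ip=203.0.113.9
2024-03-01T08:00:06 FAIL user=test ip=203.0.113.9
2024-03-01T08:05:10 FAIL user=jsmith ip=198.51.100.7
2024-03-01T08:05:30 OK user=jsmith ip=198.51.100.7
2024-03-01T09:12:00 OK user=q8ZtL2pXv0mH5cRkW3yJ ip=192.0.2.44
"""

# Assumed line format for this example; a real system's auth log will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_attempts(text):
    """Parse log text into a list of dicts (ts, result, user, ip); malformed lines are skipped."""
    attempts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            attempts.append(m.groupdict())
    return attempts


def failed_per_ip(attempts):
    """Failed-login count keyed by source address."""
    return Counter(a["ip"] for a in attempts if a["result"] == "FAIL")


def failed_per_user(attempts):
    """Failed-login count keyed by userid; a Counter returns 0 for untouched ids."""
    return Counter(a["user"] for a in attempts if a["result"] == "FAIL")


def lockout_candidates(attempts, threshold=5):
    """Source addresses with at least `threshold` failed logins.

    This is the per-source lockout the reply says some back ends cannot do;
    a real implementation would also bound it to a time window.
    """
    return {ip for ip, n in failed_per_ip(attempts).items() if n >= threshold}


if __name__ == "__main__":
    attempts = parse_attempts(SAMPLE_LOG)
    print("failed per IP:  ", dict(failed_per_ip(attempts)))
    print("failed per user:", dict(failed_per_user(attempts)))
    print("lock out:       ", lockout_candidates(attempts))
```

In the sample, 203.0.113.9 crosses the threshold with six failures spread over four common userids, 198.51.100.7 is an ordinary user who mistyped once, and the random userid never appears in a failure at all.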
Also, thanks for the links, interesting information.