Posts Tagged ‘usernames’

A Minor Note on the Myth of admin

Sunday, 12 February 2017

This evening, I was looking at a record of recent failed attempts to log into this 'blog. I found that relatively few attempts tried to do so with the popular username of admin, whereäs by far the majority were with the username oeconomist (that is to say, with the second-level domain name). There is not and never has been an account here with username oeconomist; the would-be intruder was guessing mistakenly — but not unreasonably. If my logs are representative, then having an account name match a second-level domain name is less secure than having it be admin. With people avoiding admin, it is natural for crackers to try other likely candidates, including candidates whose probabilities are conditional upon the domain names.
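The review described above, as an added example that is not part of the original entry: a short script that tallies the usernames in failed-login records, checks whether any guessed name is a real account, and notes which guesses were derived from the site's own domain. The log format, the addresses and the set of real accounts are constructed for the example.

```python
from collections import Counter
import re

# Constructed sample of failed-login records in a made-up log format (not the
# 'blog's real log). Usernames and addresses are invented; the addresses come
# from documentation ranges.
FAILED_LOGINS = """\
2017-02-12 19:04:11 FAILED user=oeconomist ip=203.0.113.5
2017-02-12 19:04:13 FAILED user=oeconomist ip=203.0.113.5
2017-02-12 19:05:40 FAILED user=admin ip=198.51.100.7
2017-02-12 19:06:02 FAILED user=oeconomist ip=198.51.100.7
2017-02-12 19:07:15 FAILED user=administrator ip=203.0.113.9
2017-02-12 19:08:51 FAILED user=oeconomist ip=203.0.113.9
2017-02-12 19:09:30 FAILED user=admin ip=192.0.2.44
"""

LINE_RE = re.compile(r"FAILED user=(?P<user>\S+) ip=(?P<ip>\S+)")


def tally_usernames(log_text):
    """Count how often each username appears in failed-login lines."""
    counts = Counter()
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if match:
            counts[match.group("user")] += 1
    return counts


def domain_derived_names(hostname):
    """Usernames a guesser would derive from the site's own domain name: the
    second-level label ('oeconomist' for oeconomist.com) plus the generic
    administrative names the entries mention."""
    labels = hostname.lower().split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return {sld, "admin", "administrator"}


def review(log_text, hostname, real_accounts):
    """Return (per-username counts, guessed names that are real accounts,
    guessed names derived from the domain). The second set is the one that
    matters: a guess that matches a real account is only a passcode away."""
    counts = tally_usernames(log_text)
    guessed = set(counts)
    return (counts,
            guessed & set(real_accounts),
            guessed & domain_derived_names(hostname))


if __name__ == "__main__":
    counts, real_hits, domain_hits = review(
        FAILED_LOGINS, "oeconomist.com", real_accounts={"dkm"})  # constructed account name
    for user, n in counts.most_common():
        print(f"{n:3d}  {user}")
    print("guesses matching a real account:", sorted(real_hits) or "none")
    print("guesses derived from the domain:", sorted(domain_hits))
```

Run against the constructed records, the domain-name guess outnumbers admin two to one and none of the guesses names a real account, which is the situation the entry describes.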

Mind you that the reasoning of my earlier explanation of why the avoidance of admin doesn’t add a discernible amount of security if passcodes are properly selected can be applied to avoiding a username that matches a domain name. An account with a known username and a well-chosen password of m+n characters is more secure than an account with a secret m-character username and an n-character password.

Choose a username that pleases you. Choose a password that is long and that looks like chaos, and make occasional changes to it.

Username Administration[0]

Thursday, 24 March 2016

Those managing 'blogs are frequently told that the administrative account should not have a username of admin nor of administrator.[1] Indeed, 'bots attacking this 'blog try the username admin multiple times every day. None-the-less, I think that concern about easily guessed usernames is quite misplaced.

Ordinary access to an account requires two pieces of identification, the username and a passcode. We can conceptualize these jointly as a single string, the first part of which is practically fixed, the second part of which is changeable. For example, if one had the username admin and the passcode h3Ll0p0p3y3, then the string would be adminh3Ll0p0p3y3. Some might imagine that two strings represent two hoops and therefore more security; but, actually, each character is a hoop. If usernames and passcodes were equally secure, then the username-passcode pairs kelsey5 / dO0DL3bug and kelsey / 5dO0DL3bug would be perfectly equivalent as far as security were concerned. So we can imagine the two strings concatenated, so long as we remember that one set of its characters is unchangeable, while the others may be changed. In general, the form of the string can be conceptualized as $u_1 u_2 \ldots u_m p_1 p_2 \ldots p_n$, where each $u_i$ represents an unchangeable username character and each $p_j$ represents a changeable passcode character. Now, if we simply know that the administrative account username is admin, so that the string is $\mathrm{admin}\, p_1 p_2 \ldots p_n$, unauthorized access is a matter of guessing the characters of the passcode, without knowing how many they might be. (How passcodes are stored may limit or effectively limit the length of passcodes, but this will typically not have much effect unless those limits are very tight.) On the other hand, if the administrative username is completely unknown, then the string is the apparently more mysterious $u_1 u_2 \ldots u_m p_1 p_2 \ldots p_n$. That might seem significantly more secure. However, the number of characters in the passcode is unknown to the opponent, and $u_1 u_2 \ldots u_{m-k} p_1 p_2 \ldots p_{n+k}$ is more secure for all $0 < k \le m$,[2] because usernames are unchangeable. (Were usernames as changeable as are passcodes, then the two would be equally secure.) And $\mathrm{admin}\, p_1 p_2 \ldots p_{n+m}$ is more secure than $u_1 u_2 \ldots u_m p_1 p_2 \ldots p_n$.

So real security here is to be found in long and strong passcodes, for which secret usernames are poor substitutes, and one can easily compensate for a readily guessed username by having a stronger passcode.
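The comparison made in this entry and in the later note above (a known username with an (n+m)-character passcode against a secret m-character username with an n-character passcode) worked through in code, as an added example that is not part of either entry. It assumes passcode characters are drawn uniformly from a 62-symbol alphabet (an assumption, not anything stated on the page) and lets the opponent's knowledge of the username be modelled either as uniformly random characters, as a short list of likely candidates with probabilities, or as already known (probability 1), which is what an unchangeable username becomes once it has leaked.

```python
import math

# Constructed assumption: passcode characters drawn uniformly from [A-Za-z0-9],
# so each contributes log2(62), roughly 5.95 bits, of guessing work.
ALPHABET_SIZE = 62


def passcode_bits(n, alphabet_size=ALPHABET_SIZE):
    """Guessing work, in bits, for an n-character uniformly random passcode."""
    return n * math.log2(alphabet_size)


def username_bits(candidate_probs):
    """Shannon entropy, in bits, of a username the opponent models as drawn
    from a candidate list with the given probabilities. A username that is
    public, or has already been guessed, has probability 1 and is worth 0 bits."""
    total = sum(candidate_probs)
    if not math.isclose(total, 1.0):
        raise ValueError("candidate probabilities must sum to 1")
    return -sum(p * math.log2(p) for p in candidate_probs if p > 0)


def compare_designs(m, n, username_probs=None):
    """Return (bits for a secret m-character username with an n-character
    passcode, bits for a known username with an (n+m)-character passcode).

    username_probs=None is the most favourable case for secrecy: all m username
    characters uniformly random, exactly like passcode characters. Any real
    distribution over usernames (admin, the domain name, a first name) is worth
    far less than that, and it cannot be renewed once guessed.
    """
    if username_probs is None:
        secret_user = passcode_bits(m)
    else:
        secret_user = username_bits(username_probs)
    secret_design = secret_user + passcode_bits(n)
    known_design = passcode_bits(n + m)
    return secret_design, known_design


def expected_guesses(bits):
    """Work-factor equivalent of a bit count: 2**bits candidate strings."""
    return 2.0 ** bits


if __name__ == "__main__":
    m, n = 5, 12
    # Constructed candidate list: the opponent rates four likely usernames.
    likely = [0.5, 0.3, 0.15, 0.05]
    for label, probs in (("uniformly random username", None),
                         ("username from a likely-candidate list", likely),
                         ("username already known", [1.0])):
        secret, known = compare_designs(m, n, probs)
        print(f"{label}: secret-username design {secret:6.1f} bits, "
              f"longer-passcode design {known:6.1f} bits")
```

With the m=5, n=12 figures in the block, the two designs tie only when every username character is as random as a passcode character; with the constructed candidate list the secret username is worth under two bits, and once it is known it is worth nothing, while the five extra passcode characters keep their full value and can be replaced whenever the passcode is changed.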

[0 (2016:03/30, 04/09)] I’ve fleshed-out this entry a bit, in an attempt to make it more easily understood.

[1] See, for example, the entry for 23 March at the Wordfence 'blog.

[2] The case k = m represents a zero-length username, which really is to say no username at all. It would be quite possible to create a system with just passcodes and no distinct usernames — or, equivalently, a system with very changeable usernames and no passcodes — though this would present some practical difficulties.

Miscellaneous House-Keeping

Thursday, 31 July 2008
  • The LJ Syndication Journal corresponding to this 'blog only presents public entries. Other entries are placed in a friends-only category, to make them relatively easy to find if you have an account at this 'blog. (There really aren’t many friends-only entries, though.)
  • If you have an account with this 'blog, but have forgot your username or password, then just let me know. I can easily recover the username or reset the password. And if you’d like your username reset, that would be easy as well.
  • Comments to entries should be made at the 'blog, rather than at the syndication journal; I’m not automatically notified of comments to the syndication journal, and the entries at the syndication journal are erased on a regular basis, along with any comments there.
  • There’s been a poor, lonely poll at the 'blog, which has received answers from only three brave souls. I’ll probably move on to a new question soon.