{"id":8197,"date":"2016-03-24T22:19:31","date_gmt":"2016-03-25T06:19:31","guid":{"rendered":"http:\/\/www.oeconomist.com\/blogs\/daniel\/?p=8197"},"modified":"2020-11-15T22:24:54","modified_gmt":"2020-11-16T06:24:54","slug":"username-administration","status":"publish","type":"post","link":"https:\/\/www.oeconomist.com\/blogs\/daniel\/?p=8197","title":{"rendered":"Username Administration<span style=\"vertical-align: top ; font-size: smaller ;\">[0]<\/span>"},"content":{"rendered":"<p>Those managing &#39;blogs are frequently told that the administrative account should not have a username of <q>admin<\/q> nor of <span style=\"white-space: nowrap ;\"><q>administrator<\/q>.<span style=\"vertical-align: top ; font-size: smaller ;\">&#91;1&#93;<\/span><\/span>  Indeed, &#39;bots attacking <em>this<\/em> &#39;blog try the username <q>admin<\/q> multiple times every day.  None-the-less, I think that concern about easily guessed usernames is quite misplaced.<\/p> <p>Ordinary access to an account requires two pieces of identification, the username and a passcode.  We can conceptualize these jointly as a single string, the first part of which is practically fixed, the second part of which is changeable.  For example, if one had the username <q>admin<\/q> and the passcode <q>h3Ll0p0p3y3<\/q>, then the string would be <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><code>adminh3Ll0p0p3y3<\/code><\/span> Some might imagine that <em>two<\/em> strings represent two <em>hoops<\/em> and therefore more security; but, actually, each <em>character<\/em> is a hoop.  
If usernames and passcodes were equally secure, then the username-passcode pairs <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><code>kelsey5&nbsp;dO0DL3bug<\/code><\/span> and <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><code>kelsey&nbsp;5dO0DL3bug<\/code><\/span> would be <em>perfectly equivalent<\/em> as far as security were concerned. So we can imagine the two strings concatenated, so long as we remember that one set of its characters are unchangeable, while the others may be changed.  In general, the form of the string can be conceptualized as <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><var style=\"font-variant: small-caps ;\">u<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">u<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">u<\/var><sub><var>m<\/var><\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub><var>n<\/var><\/sub><\/span> where each <q><var style=\"font-variant: small-caps ;\">u<\/var><sub><var>i<\/var><\/sub><\/q> represents an unchangeable username character and each <q><var style=\"font-variant: small-caps ;\">p<\/var><sub><var>j<\/var><\/sub><\/q> represents a changeable passcode character. Now, if we simply <em>know<\/em> that the administrative account username is <q>admin<\/q> <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><code>admin<\/code><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub><var>n<\/var><\/sub><\/span> unauthorized access is a matter of guessing the characters of the passcode, without knowing how many they might be. 
(How passcodes are stored may limit or effectively limit the length of passcodes, but this will typically not have much effect unless those limits are <em>very<\/em> tight.)  On the other hand, if the administrative username is completely unknown, then the string is the apparently more mysterious <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><var style=\"font-variant: small-caps ;\">u<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">u<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">u<\/var><sub><var>m<\/var><\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub><var>n<\/var><\/sub><\/span> That might seem significantly more secure.  However, the number of characters in the passcode is unknown to the opponent, and <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><var style=\"font-variant: small-caps ;\">u<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">u<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">u<\/var><sub><var>m<\/var>-<var>k<\/var><\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub><var>n<\/var>+<var>k<\/var><\/sub><\/span> is more secure for all 0 &lt; <var>k<\/var> &le; <span style=\"white-space: nowrap ;\"><var>m<\/var>,<span style=\"vertical-align: top ; font-size: smaller ;\">&#91;2&#93;<\/span><\/span> because usernames are <em>unchangeable<\/em>. (Were usernames as changeable as are passcodes, then the two would be equally secure.) 
And <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><code>admin<\/code><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub><var>n<\/var>+<var>m<\/var><\/sub><\/span> is more secure than <span style=\"display: block ; margin-top: 0.5em ; margin-bottom: 0.5em ; text-align: center ;\"><var style=\"font-variant: small-caps ;\">u<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">u<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">u<\/var><sub><var>m<\/var><\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>1<\/sub><var style=\"font-variant: small-caps ;\">p<\/var><sub>2<\/sub>&#8230;<var style=\"font-variant: small-caps ;\">p<\/var><sub><var>n<\/var><\/sub><\/span><\/p> <p>So real security here is to be found in long and strong passcodes, for which <em>secret usernames are poor substitutes<\/em>, and one can easily compensate for a readily guessed username by having a stronger passcode.<\/p> <hr width=\"50%\" align=\"left\" \/> <p><span style=\"vertical-align: top ; font-size: smaller ;\">&#91;0 (2016:03\/30, 04\/09)&#93;<\/span> I've fleshed out this entry a bit, in an attempt to make it more easily understood.<\/p> <p><span style=\"vertical-align: top ; font-size: smaller ;\">&#91;1&#93;<\/span> See, for example, <a href=\"https:\/\/www.wordfence.com\/blog\/2016\/03\/attackers-gain-access-wordpress-sites\/\">the entry for 23 March at the Wordfence &#39;blog<\/a>.<\/p> <p><span style=\"vertical-align: top ; font-size: smaller ;\">&#91;2&#93;<\/span> The case <var>k<\/var> = <var>m<\/var> represents a zero-length username, which really is to say no username at all.  
It would be quite possible to create a system with just passcodes and no distinct usernames &mdash; or, equivalently, a system with very changeable usernames and no passcodes &mdash; though this would present some practical difficulties.<\/p>","protected":false},"excerpt":{"rendered":"Those managing &#39;blogs are frequently told that the administrative account should not have a username of admin nor of administrator.&#91;1&#93; Indeed, &#39;bots attacking this &#39;blog try the username admin multiple times every day. None-the-less, I think that concern about easily guessed usernames is quite misplaced. Ordinary access to an account requires two pieces of identification, [&hellip;]","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_bbp_topic_count":0,"_bbp_reply_count":0,"_bbp_total_topic_count":0,"_bbp_total_reply_count":0,"_bbp_voice_count":0,"_bbp_anonymous_reply_count":0,"_bbp_topic_count_hidden":0,"_bbp_reply_count_hidden":0,"_bbp_forum_subforum_count":0,"footnotes":""},"categories":[6,69,4],"tags":[1078,1080,325,744,1396,327],"class_list":["post-8197","post","type-post","status-publish","format-standard","hentry","category-commentary","category-information-technology","category-public","tag-cracking","tag-hacking","tag-passwords","tag-security","tag-user-identification","tag-usernames"],"_links":{"self":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/8197","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8197"}],"version-history":[{"count":2,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/8197\/revisions"}],"predecessor-version":[{"id":11496,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=\/wp\/v2\/posts\/8197\/revisions\/11496"}],"wp:attachment":[{"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8197"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8197"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.oeconomist.com\/blogs\/daniel\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8197"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}