Tuesday, April 30, 2024

Random username generation

When I left the US military, I worked as a contractor for IBM. One thing I realized there was:

  •     my username was random
  •     you could not reasonably figure out a person's username from their given name
  •     targeted brute-forcing of one person's password is next to impossible when the username itself is unknown

So in the current climate, a lot of orgs are deploying a separate admin account.

e.g Ken Felix would have

   kfelix@example.com

    and

   kfelix.admin@example.com

   or 

   adm.kfelix@example.com


The problem with the last two is that they resemble my name. A better approach would be a username that could not reasonably be derived from knowing the individual "Ken Felix",


e.g 

 eng09lk3@example.com

or

 sedawkdaddy@example.com


Here lies the problem: these usernames would be harder to remember, the former especially.
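One way to produce usernames of this kind, as an added example and not the author's code: a CSPRNG-driven generator that rejects any candidate containing a recognisable fragment of the person's name. The name-fragment rule (every name part, its prefixes of three or more characters, and the initial+surname form) and the optional role prefix such as `eng` are my own assumptions, modelled on the examples above.

```python
import math
import re
import secrets
import string

# Lowercase letters and digits: safe in e-mail local parts and most login systems.
ALPHABET = string.ascii_lowercase + string.digits


def name_tokens(full_name, min_len=3):
    """Fragments of a person's name that would make a username guessable.

    Assumed rule (not from the post): every name part and every prefix of it
    of at least min_len characters, plus the common initial+surname form
    ('kfelix' for 'Ken Felix').
    """
    parts = re.findall(r"[a-z]+", full_name.lower())
    tokens = set()
    for part in parts:
        for n in range(min_len, len(part) + 1):
            tokens.add(part[:n])
    if len(parts) >= 2:
        tokens.add(parts[0][0] + parts[-1])
    return tokens


def derivable_from_name(username, full_name):
    """True if the username contains any recognisable fragment of the name."""
    lowered = username.lower()
    return any(token in lowered for token in name_tokens(full_name))


def random_username(full_name, length=8, prefix=""):
    """Build '<prefix><random part>' with a CSPRNG, rejecting name leaks.

    The prefix (e.g. a role tag such as 'eng') is checked first: a leaking
    prefix would never pass the check and the loop would not terminate.
    """
    if prefix and derivable_from_name(prefix, full_name):
        raise ValueError(f"prefix {prefix!r} is derivable from the name")
    while True:
        random_part = "".join(secrets.choice(ALPHABET) for _ in range(length))
        candidate = prefix + random_part
        if not derivable_from_name(candidate, full_name):
            return candidate


def entropy_bits(length, alphabet=ALPHABET):
    """Search space of the random part, in bits: log2(len(alphabet) ** length)."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    person = "Ken Felix"
    for guess in ("kfelix", "kfelix.admin", "adm.kfelix", "eng09lk3", "sedawkdaddy"):
        print(f"{guess:14} derivable from name: {derivable_from_name(guess, person)}")
    print("new admin username:", random_username(person, prefix="eng"))
    print(f"random part search space: {entropy_bits(8):.1f} bits")
```

Eight characters from a 36-symbol alphabet give roughly 41 bits of search space for the username alone. That is not a secret in the cryptographic sense, and it is no substitute for the password or MFA behind it; it simply removes the half of the credential an attacker normally gets for free from a staff directory.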

By using random usernames you can easily spot a brute-force attempt: login failures for usernames such as admin@example.com, sales@example.com or ithelp@example.com stand out, because no real account looks like that.
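The detection side of that point, as an added example that is not the author's code: a small parser over constructed OpenSSH-style auth log lines that separates failures against non-existent, guessable names (admin, sales, ithelp, kfelix) from failures against real randomised accounts. The log lines, the `KNOWN_USERS` directory and the alert threshold are constructed for the example; the second alert type is my own addition, on the reasoning that a failure against a username nobody could have guessed suggests the username itself has leaked.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth-log format; not real captures.
SAMPLE_LOG = """\
Apr 30 10:01:02 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 30 10:01:05 bastion sshd[2203]: Failed password for invalid user sales from 203.0.113.5 port 51240 ssh2
Apr 30 10:01:09 bastion sshd[2207]: Failed password for invalid user ithelp from 203.0.113.5 port 51251 ssh2
Apr 30 10:01:12 bastion sshd[2210]: Failed password for invalid user kfelix from 203.0.113.5 port 51260 ssh2
Apr 30 10:02:30 bastion sshd[2290]: Accepted publickey for eng09lk3 from 198.51.100.7 port 40022 ssh2
Apr 30 10:05:44 bastion sshd[2350]: Failed password for eng09lk3 from 192.0.2.9 port 33001 ssh2
"""

# Constructed directory of the org's (random) usernames.
KNOWN_USERS = {"eng09lk3", "sedawkdaddy"}

# sshd writes "invalid user" when the account does not exist locally.
FAILED_RE = re.compile(
    r"Failed password for (?:(invalid user) )?(\S+) from (\d+\.\d+\.\d+\.\d+)"
)


def parse_failures(log_text):
    """Extract (user, source IP, invalid-flag) from every failed-password line."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            events.append(
                {"user": m.group(2), "src": m.group(3), "invalid": m.group(1) is not None}
            )
    return events


def classify(events, known_users):
    """Group failures per source into guessed names vs. real accounts.

    Membership is decided against the directory, not sshd's own flag, so the
    same logic works for web or VPN logs that have no 'invalid user' marker.
    """
    guessed = defaultdict(list)  # src -> usernames that do not exist
    real = defaultdict(list)     # src -> usernames that do exist
    for e in events:
        bucket = real if e["user"] in known_users else guessed
        bucket[e["src"]].append(e["user"])
    return dict(guessed), dict(real)


def alerts(log_text, known_users, guess_threshold=3):
    """Return (alert type, source IP, sorted distinct usernames) tuples."""
    guessed, real = classify(parse_failures(log_text), known_users)
    out = []
    for src, users in guessed.items():
        # Several different non-existent names from one source: name guessing.
        if len(users) >= guess_threshold:
            out.append(("username-guessing", src, sorted(set(users))))
    for src, users in real.items():
        # Any failure against a random username is worth a look on its own.
        out.append(("failure-on-random-username", src, sorted(set(users))))
    return out


if __name__ == "__main__":
    for kind, src, users in alerts(SAMPLE_LOG, KNOWN_USERS):
        print(f"{kind:28} {src:15} {', '.join(users)}")
```

With a conventional `kfelix`-style scheme the fourth line would be indistinguishable from a user mistyping their password; with random usernames it sits in the same bucket as `admin` and `sales`, which is exactly the signal the post describes.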

A decade back, I worked with a group from Canada that was looking at a one-time username (OTU). These were short-lived usernames crafted for limited access. The idea was for a system where an engineer would need access to execute maybe a handful of jobs and then not need that system again for perhaps 2, 10 or 12 months. They still had a low-privilege account, but for the sudo/su/admin function an OTU+OTP pair was generated and, once used, destroyed.

Think of the movie series Mission Impossible



This concept was briefly considered, but certificate-based access with revocation was easier to manage.

With certificate-based access you could have multiple certificate+passphrase pairs for a wide range of systems. The same certificates could be used for browser web UI access. If any one is compromised, a certificate revocation is issued. If you want to limit the time of use, sign the certificates with a short expiration (i.e. 1 week vs 1 year).

So keep in mind that username+password is the combination that makes the account secure. If one knows the username, they already have part of the account to be cracked.




NSE (Network Security Expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=
         o

        /  \