Tuesday, April 30, 2024

Random usernames generation

When I left the US military, I worked as a contractor for IBM. One thing that I realized was:

  •     my username was a random string
  •     you could not reasonably figure out a person's username from their given name
  •     targeting someone's password by brute force is next to impossible when the username is unknown

So in the current climate, a lot of orgs are deploying admin accounts derived from the person's name.

e.g. Ken Felix would have

The problem with the last 2 is that they resemble my name. A better approach would be a username that could not reasonably be derived by knowing the individual "Ken Felix".

Here lies the problem: it would be harder for you to remember these usernames, and for sure the former two.

By using random usernames you can easily tell when a brute-force attempt is under way: you will see login failures for usernames such as admin@example.com, sales@example.com or ithelp@example.com that do not exist in your directory.
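The two points above in working code, as an added example that is not part of the original post: a hypothetical username scheme that rejects anything derivable from the holder's given name, and a check over constructed sshd-style log lines that flags a source hammering usernames absent from the directory. The directory, the usernames and the log lines are all constructed for illustration.

```python
import re
import secrets
import string
from collections import Counter

def derivable_from_name(username, given_name):
    """True if the username visibly encodes the person's name (e.g. kfelix, ken.felix)."""
    parts = given_name.lower().split()
    tokens = set(parts) | {parts[0][0] + parts[-1]} if parts else set()
    u = re.sub(r"[^a-z]", "", username.lower())
    return any(t in u for t in tokens if len(t) >= 3)

def random_username(given_name, length=10):
    """Hypothetical scheme: a lowercase letter/digit string unrelated to the given name."""
    while True:
        name = secrets.choice(string.ascii_lowercase)  # leading letter for tools that reject digits
        name += "".join(secrets.choice(string.ascii_lowercase + string.digits) for _ in range(length - 1))
        if not derivable_from_name(name, given_name):
            return name

# Constructed directory of provisioned accounts (given name -> random username).
DIRECTORY = {"Ken Felix": "u7k3q9xm2p"}
VALID_USERS = set(DIRECTORY.values())

# Constructed sshd-style log lines; not a real capture.
SAMPLE_LOG = """\
Apr 30 10:01:02 host sshd[1]: Failed password for invalid user admin from 203.0.113.5 port 4001 ssh2
Apr 30 10:01:03 host sshd[1]: Failed password for invalid user sales from 203.0.113.5 port 4002 ssh2
Apr 30 10:01:04 host sshd[1]: Failed password for invalid user ithelp from 203.0.113.5 port 4003 ssh2
Apr 30 10:01:05 host sshd[1]: Failed password for invalid user kfelix from 203.0.113.5 port 4004 ssh2
Apr 30 10:02:00 host sshd[1]: Failed password for u7k3q9xm2p from 198.51.100.7 port 5000 ssh2
Apr 30 10:02:10 host sshd[1]: Accepted publickey for u7k3q9xm2p from 198.51.100.7 port 5001 ssh2
"""

FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+)")

def classify_failures(log_text, valid_users):
    """Count failed logins per source: guesses at names that do not exist vs real accounts."""
    guesses, real = Counter(), Counter()
    for m in FAILED_RE.finditer(log_text):
        user, src = m.groups()
        (real if user in valid_users else guesses)[src] += 1
    return guesses, real

def brute_force_sources(log_text, valid_users, threshold=3):
    """Sources with at least `threshold` failures against usernames absent from the directory."""
    guesses, _ = classify_failures(log_text, valid_users)
    return sorted(src for src, n in guesses.items() if n >= threshold)
```

A single failure on a real random username (the 198.51.100.7 line) stays in the `real` bucket, so it can be alerted on separately from the name-guessing noise.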

A decade back, I worked with a group from Canada that was looking at a one-time username (OTU). These were short-lived usernames crafted for limited access. The idea was for a system where an engineer would need access to execute maybe a handful of jobs and would not need access to that system again for maybe 2-10-12 months. They still had a low-privilege account, but for the sudo/su/admin function an OTU+OTP was generated and, once used, destroyed.

Think of the movie series Mission Impossible.

This concept was briefly considered, but certificate-based access with revocation was easier to manage.

With certificate-based access you could have multiple certificates+passphrases for a wide range of systems. These same certificates could be used for browser webUI access. If any one is compromised, a certificate revocation is issued. If you want to limit the time-for-use, you sign the certificates with a short expiration (i.e. 1 week vs 1 year).

So keep in mind that username+password together are the combination that security rests on. If one knows the username, they already hold half of what is needed to crack the account.

NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
     ^      ^
=(  @  @ )=

        /  \
