Feb 15th, 2007
Be Smarter with Account Names
One thing that bothers me about many web sites out there is how I get to (or don’t get to) choose my account name. Sure, many web sites let you have any account name you want, but some web sites just want to use your e-mail address. While this is very convenient for low-security sites that you rarely visit, sometimes it just isn’t appropriate. What do you do, for example, when your e-mail address changes?
When I wrote my book Hacking The Code I came up with some simple account name guidelines for web applications. Although an account name really isn’t a secret, there are many good reasons to prevent others from harvesting account names. Here are the guidelines I came up with:
- Avoid using e-mail addresses as account names.
- Don’t use sequential account ID numbers for users.
- Do not use predictable patterns that would make it easy for others to guess account names.
- Block users from creating reserved account names such as administrator, root, service, support, etc.
- Do not place user account names in URLs. This exposes account names in caches and web and proxy server logs.
- Allow users to change their account names, or even have multiple aliases for their account, but put limits on that feature to prevent possible abuse.
- Establish methods to limit and block automated attempts to create accounts. Saying that an account name is taken lets others build lists of valid account names.
- Don’t display account names on your web pages if it is not necessary.
- Avoid public directories of users when it is not necessary.
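To show how several of these guidelines look in application code, here is an added example (not from the book or the original post) that rejects e-mail addresses, reserved names and predictable patterns, issues opaque non-sequential user IDs, and gives a uniform response to registration attempts so the form does not confirm which names are taken. The name pattern, the attempt limit and the response wording are assumptions chosen for the example; the reserved-name list is the one named above.

```python
import re
import secrets

# Reserved names named in the guidelines above; a real deployment would extend this list.
RESERVED_NAMES = {"administrator", "root", "service", "support"}

# Assumed policy: 3-32 chars, starts with a letter, then letters, digits or underscore.
ACCOUNT_NAME_RE = re.compile(r"^[a-z][a-z0-9_]{2,31}$")
PREDICTABLE_RE = re.compile(r"^user\d+$")  # e.g. user1, user2, ... (sequential pattern)


def validate_account_name(name: str) -> tuple[bool, str]:
    """Return (True, normalized_name) or (False, reason). Policy failures reveal
    nothing about existing users, so their reasons can be specific."""
    candidate = name.strip().lower()
    if "@" in candidate:
        return False, "e-mail addresses are not allowed as account names"
    if not ACCOUNT_NAME_RE.fullmatch(candidate):
        return False, "account names must be 3-32 letters, digits or underscores"
    if candidate in RESERVED_NAMES:
        return False, "reserved account name"
    if PREDICTABLE_RE.fullmatch(candidate):
        return False, "predictable account name pattern"
    return True, candidate


def new_user_id() -> str:
    """Opaque, random identifier to use in records and URLs instead of a sequential number."""
    return secrets.token_urlsafe(16)


class RegistrationGate:
    """Limits registration attempts per source and never says whether a name is taken."""

    UNIFORM_REPLY = "If the name is available, a confirmation has been sent to your e-mail."

    def __init__(self, max_attempts_per_source: int = 5):
        self.taken: set[str] = set()           # names already registered
        self.attempts: dict[str, int] = {}     # attempts seen per source (e.g. client address)
        self.max_attempts = max_attempts_per_source

    def register(self, source: str, name: str) -> str:
        count = self.attempts.get(source, 0) + 1
        self.attempts[source] = count
        if count > self.max_attempts:
            return "too many attempts; try again later"
        ok, result = validate_account_name(name)
        if not ok:
            return result
        # Same reply whether or not the name exists, so the form cannot be used
        # to harvest valid account names; the outcome is delivered out of band.
        if result not in self.taken:
            self.taken.add(result)
        return self.UNIFORM_REPLY
```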
It might not seem like that big of a deal to expose account names, but there are many ways others might use them. One could, for example, harvest some account names from a web site and try those names with common e-mail providers such as hotmail, gmail, etc. An attacker could also use account names as part of a phishing attack. Another attack would be to gather a huge list of account names and try a single common password on each of those accounts. That type of brute force attack often evades detection.
Account names seem harmless but you really can’t begin to imagine how useful they can be for hackers. I have a huge list of millions of username/password combos. Chances are if I knew just 10 login names to a web site, I could match those to my database to build an extremely effective brute force list.