[wp-hackers] Author URLs expose usernames

Harry Metcalfe harry at dxw.com
Thu Jul 19 12:09:14 UTC 2012


On 19/07/12 08:52, Andrew Spratley wrote:
> I agree with Otto on this. Hiding usernames on the front end isn't
> going to get you much more real security. As has been demonstrated
> before, security by obscurity doesn't work long term. Usernames were
> never engineered to be hidden. Having strong passwords and mitigating
> brute force attacks is going to pay off for you in the long term.

I agree that the security of an individual account isn't much affected 
by the username of that account being public, but that's not what I'm 
talking about. I'm talking about the security of a whole (private) site, 
across all its accounts. And, from that perspective, this approach is 
really wrong.

Say you're trying to break into a site with 1000 users. With that number 
of users, it is a virtual certainty that at least 1 or 2 accounts will 
have very weak passwords (like "password" or "letmein"). Because it's a 
private site and any account gets you in, you don't care which account 
you break. You only need one.

Say you've guessed a few usernames based on publicly available 
information, like known accounts on other sites. You might have 20 
accounts to try. You try them, but you're looking for 1 or 2 accounts out 
of 1000. And they weren't within this 20.

Now say the site lets you enumerate all user accounts. I'm sure you can 
guess the rest. With all the usernames, you'll definitely find the weak 
ones. And with that number of accounts, there'll definitely be weak ones 
to find.

I'm not saying that stopping username enumeration is going to completely 
solve the problem of weak passwords. Of course, it won't. And it's far 
from the only thing we do to protect sites -- in fact, after several 
years of operating, we're only just getting around to this one, because 
we've had the simple, most effective things in place for ages (like 
detection and blocking of brute force attacks, password audits, minimum 
password lengths, etc.).

But, we always seek to improve. This is a problem worth solving because 
the presence of usernames in sites serves no particular user need. It is 
something that can be removed without reducing the quality of the user 
experience at all. It is something that *will* increase the security of 
our sites. Not as much as other things, but we already do those things.

It's not about security through obscurity. It's about the difference 
between knowing a few of a sort of thing, and all of a sort of thing. 
It's the difference between the probability that the usernames you 
happen to have correspond to the passwords you have, and the probability 
that any existing username corresponds to the passwords you have. The 
latter is much higher.

Harry

PS - I'd definitely endorse the idea of a gradually increasing delay 
between failed login attempts. We might add that too :)
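The probability argument in the post above, as an added example that is not code from the original message, from dxw or from WordPress. It builds a constructed population of accounts in which exactly `n_weak` users picked a password from a short spray list, then compares an attacker who knows only `k_known` usernames with one who can enumerate all of them. Both attackers are limited to `budget` guesses per account, i.e. a per-account lockout is assumed, so the only lever left is how many usernames they know. The usernames, the spray list and the counts are assumptions chosen for illustration; the exact closed form is the hypergeometric probability that `k_known` random usernames include at least one weak account.

```python
"""Added example, not code from the original post: simulate an attacker
spraying weak passwords across k_known usernames versus all n_users
usernames, with a per-account guess budget (an assumed lockout)."""

import random
from math import comb

# Constructed spray list: the weak passwords an attacker tries first (assumption).
SPRAY_LIST = ["password", "letmein", "123456", "welcome1", "qwerty"]
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def build_population(n_users, n_weak, rng):
    """Return {username: password} for n_users constructed accounts.

    Exactly n_weak of them reuse a spray-list password; the rest get a
    random 16-character password that no spray-list guess can match."""
    names = [f"user{i:04d}" for i in range(n_users)]  # hypothetical usernames
    weak = set(rng.sample(names, n_weak))
    population = {}
    for name in names:
        if name in weak:
            population[name] = rng.choice(SPRAY_LIST)
        else:
            population[name] = "".join(rng.choice(ALPHABET) for _ in range(16))
    return population


def spray(known_usernames, population, budget):
    """Try the first `budget` spray-list passwords against each known username.

    This is the low-and-slow pattern that stays under a per-account lockout:
    few guesses per account, many accounts.  Returns the usernames broken."""
    guesses = SPRAY_LIST[:budget]
    return [u for u in known_usernames if population[u] in guesses]


def p_at_least_one_hit(n_users, n_weak, k_known):
    """Exact probability that k_known usernames drawn at random from n_users
    include at least one of the n_weak weak accounts.

    Hypergeometric: P(no hit) = C(n_users - n_weak, k_known) / C(n_users, k_known)."""
    if k_known > n_users - n_weak:
        return 1.0  # too many names known to miss every weak account
    return 1 - comb(n_users - n_weak, k_known) / comb(n_users, k_known)


def compare(n_users=1000, n_weak=2, k_known=20, budget=len(SPRAY_LIST), seed=1):
    """Run one scenario and return hits for both attackers plus the
    closed-form chance that the partial-knowledge attacker gets any hit."""
    rng = random.Random(seed)
    population = build_population(n_users, n_weak, rng)
    all_names = list(population)
    # The partial-knowledge attacker holds k_known usernames picked at random.
    known = rng.sample(all_names, k_known)
    return {
        "hits_known": len(spray(known, population, budget)),
        "hits_all": len(spray(all_names, population, budget)),
        "p_hit_known_exact": p_at_least_one_hit(n_users, n_weak, k_known),
    }


if __name__ == "__main__":
    result = compare()
    print(f"20 known usernames:  {result['hits_known']} account(s) broken "
          f"(chance of at least one: {result['p_hit_known_exact']:.1%})")
    print(f"all 1000 usernames:  {result['hits_all']} account(s) broken")
```

With the post's numbers (1000 accounts, 2 weak, 20 usernames known) the attacker who knows 20 names has roughly a 4% chance of holding a weak account at all, while the attacker who can enumerate every username breaks both weak accounts every time, whatever the lockout budget, because each account only needs the handful of guesses the weak password sits in.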
