[wp-hackers] Author URLs expose usernames

Otto otto at ottodestruct.com
Wed Jul 18 16:52:32 UTC 2012


On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com> wrote:
> The main issue is exposing the username, passing an author id in the url is
> just an easy way to find it.

Exposing the username isn't the issue. The username isn't secret, nor
should it need to be.

The issue is allowing brute-force attacks to be carried out against
your site, and having passwords that can be brute-forced to begin
with.

Consider the case where the username would be considered "secret". A
brute-force attack would now have to work against both the username
and the password. This is mathematically equivalent to knowing the
username and just making the password roughly twice as long.

However, it's not really equivalent, because while security
professionals have been saying to make your passwords hard for
decades, they have not been saying to make your usernames hard as
well. Usernames are more likely to be all lowercase, for example. It's
easier to brute-force a username than to brute-force a password,
basically. So hiding the username isn't adding a whole lot of extra
security to this particular attack vector. Making the password more
complex or longer adds a ton more security.

What's more, usernames themselves are generally *known* anyway. Most
modern systems don't even have usernames, they simply use the email
address as the username. The real security is in the password and the
difficulty therein.

If you want to stop this sort of thing, attack the real problems. Stop
the brute-force attacks from working at all by using a plugin like
Limit Login Attempts
(http://wordpress.org/extend/plugins/limit-login-attempts/) or enforce
a good password policy to begin with. Hiding the username just changes
the attack vector, and stops it for a limited time, until they adapt
to it. It doesn't actually solve the underlying problem.

-Otto
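The two points above, that a hidden lowercase username adds less search space than a longer password, and that the real fix is to stop online brute force from working at all, as an added worked example. This is not Otto's code and not the Limit Login Attempts plugin's code; it is a stand-alone Python simulation rather than WordPress PHP, and the throttle thresholds, the account database, the client IPs, the word list and the PBKDF2 iteration count are all constructed for the demonstration.

```python
import hashlib
import hmac
import math
import os
from collections import defaultdict

# Throttle policy (constructed values for the simulation, not the plugin's defaults)
MAX_FAILURES = 4            # failed attempts tolerated per (client IP, username) in the window
WINDOW_SECONDS = 600        # sliding window over which failures are counted
LOCKOUT_SECONDS = 1200      # how long a (client IP, username) pair stays locked
PBKDF2_ITERATIONS = 20_000  # deliberately low so the simulation runs quickly


def search_space_bits(alphabet_size, length):
    """Bits of work to exhaust every string of `length` symbols drawn from the alphabet."""
    return length * math.log2(alphabet_size)


def make_user(password):
    """Salted PBKDF2-HMAC-SHA256 record for one account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def check_password(user, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, user["hash"])


# Constructed account database for the simulation.
USERS = {"otto": make_user("correct horse battery staple")}
# Hashed against for unknown names so a missing account costs the same time as a wrong password.
DUMMY_USER = make_user("placeholder")


class LoginThrottle:
    """Per (client IP, username) failure counter with a sliding window and a lockout.

    Keying on the pair, rather than the username alone, keeps a remote attacker
    from locking legitimate users out of their own accounts.
    """

    def __init__(self):
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time at which the lockout expires

    @staticmethod
    def _key(ip, username):
        return (ip, username.lower())

    def is_locked(self, ip, username, now):
        until = self.locked_until.get(self._key(ip, username))
        return until is not None and now < until

    def record_failure(self, ip, username, now):
        key = self._key(ip, username)
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self.locked_until[key] = now + LOCKOUT_SECONDS
            recent = []
        self.failures[key] = recent

    def record_success(self, ip, username):
        self.failures.pop(self._key(ip, username), None)


def login(throttle, ip, username, password, now):
    """Return 'locked', 'bad_credentials' or 'ok'. throttle=None disables rate limiting."""
    if throttle is not None and throttle.is_locked(ip, username, now):
        return "locked"  # rejected before the password is even checked
    user = USERS.get(username.lower())
    valid = check_password(user if user is not None else DUMMY_USER, password) and user is not None
    if valid:
        if throttle is not None:
            throttle.record_success(ip, username)
        return "ok"
    if throttle is not None:
        throttle.record_failure(ip, username, now)
    return "bad_credentials"


def simulate_attack(guesses, use_throttle=True):
    """An attacker who already knows the username tries each guess one second apart."""
    throttle = LoginThrottle() if use_throttle else None
    now = 1_700_000_000.0
    outcomes = []
    for guess in guesses:
        now += 1.0
        outcomes.append(login(throttle, "203.0.113.7", "otto", guess, now))
    return outcomes


if __name__ == "__main__":
    wordlist = [f"password{i}" for i in range(30)] + ["correct horse battery staple"]
    unthrottled = simulate_attack(wordlist, use_throttle=False)
    throttled = simulate_attack(wordlist, use_throttle=True)
    print("without throttle, last outcome:", unthrottled[-1])
    print("with throttle, guesses actually verified:",
          throttled.count("bad_credentials"), "of", len(wordlist))
    print("hiding an 8-char lowercase username adds %.1f bits" % search_space_bits(26, 8))
    print("8 more chars from a 95-symbol password set add %.1f bits" % search_space_bits(95, 8))
```

Without the throttle the attacker walks the whole list and the last guess succeeds; with it, only the first four guesses are ever checked against the hash, and every later attempt from that client, the correct password included, is refused until the lockout expires. The search-space helper makes the other point concrete: an 8-character all-lowercase username is worth about 37.6 bits, while 8 more characters drawn from the printable ASCII set add about 52.6 bits, so lengthening the password buys more than hiding the username.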


More information about the wp-hackers mailing list