[wp-hackers] Author URLs expose usernames

Tom Barrett tcbarrett at gmail.com
Thu Jul 19 07:00:26 UTC 2012

On 18 July 2012 17:52, Otto <otto at ottodestruct.com> wrote:

> On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com> wrote:
> > The main issue is exposing the username, passing an author id in the url
> is
> > just an easy way to find it.
> Exposing the username isn't the issue. The username isn't secret, nor
> should it need to be.

I think I see where you are coming from. And possibly, in an ideal world, I
agree with you.

> The issue is allowing brute-force attacks to be carried out against
> your site, and having passwords that can be brute-forced to begin
> with.

I do completely agree with this. Users choosing bad passwords and making
brute force attempts easy is a huge part of this security issue.

> Consider the case where the username would be considered "secret". A
> brute-force attack would now have to work against both the username
> and the password. This is mathematically equivalent to knowing the
> username and just making the password roughly twice as long.

Which would mean much more than just doubling the time it takes to brute
force it (see below).

However, it's not really equivalent, because while security
> professionals have been saying to make your passwords hard for
> decades, they have not been saying to make your usernames hard as
> well. Usernames are more likely to be all lowercase, for example. It's

Passwords are controlled by the users (they can change them to what they
want). Usernames can be set up initially to be somewhat complex, and the
user cannot change it.

> easier to brute-force a username than to brute-force a password,
> basically. So hiding the username isn't adding a whole lot of extra
> security to this particular attack-vector. Making the password more
> complex or longer adds a ton more security.

I appreciate I'm looking at this a little simplistically. However, above
you say that hiding the username lengthens the password and a longer
password is better security.

> What's more, usernames themselves are generally *known* anyway. Most
> modern systems don't even have usernames, they simply use the email
> address as the username. The real security is in the password and the
> difficulty therein.

Is it not worth pursuing a non perfect solution that does add some security
before something better comes along? You don't think the ease with which
anyone can, by default, find out all the usernames makes it easier to hack
a WordPress installation? It is not a risk at all? Or it is not a
significant enough risk?

> If you want to stop this sort of thing, attack the real problems. Stop
> the brute-force attacks from working at all by using a plugin like
> Limit Login Attempts
> (http://wordpress.org/extend/plugins/limit-login-attempts/)

Again I agree with you. I always recommend this plugin.

http://www.tcbarrett.com | http://gplus.to/tcbarrett |

More information about the wp-hackers mailing list