3

I have a script that accesses a MySQL database - clearly a strong, random password and a username unique to the script with no more privileges than it needs are all sensible norms here.

However, is there any tangible and worthwhile security benefit to creating a completely random 16 character username?

I'm aware that other questions cover username policies in general, but this is specifically about a single-use MySQL username that's only ever called from a script - thus it doesn't need to be memorised by anyone.

berry120
  • 218
  • 1
  • 6

1 Answers1

2

There's no benefit to going to lengths obfuscating username as long the database does not return a descriptive login error, for instance "username or password incorrect". There will already be many possible usernames, and no way for an attacker to know whether they are using a valid one. Having a descriptive username is often operationally helpful in a larger organization, username 7Uy$kk020G1g doesn't give an admin much to go on. If you're managing the whole thing then that's not a problem.

If the database returns a descriptive login message, for instance "username does not exist", then it's a different story as you don't want to make it easy for an attacker to guess the username. Randomizing the username seems like overkill to me, but there's no harm in it as long as it's documented.

GdD
  • 17,291
  • 2
  • 41
  • 63