Is revealing a PC account user name bad?

Question

Typical computers with modern operating systems require log-on accounts with a user name and a password. Is it dangerous to reveal the user name of the log-on account to the public?

My research: I have found these articles on Information Security Stack Exchange:

• Should usernames be kept secret?
• How bad is exposing valid user names?
• Forgot password and revealing whether account exists

Googling typically gets me back to the first two of these articles. These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.

This question pertains to a computer, not a website. The computer may be "hidden" behind a NAT router and theoretically (hopefully?) not directly accessible from the internet. Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.

The background: I help on the Virtualbox forums (forums.virtualbox.org). When folks ask for help with their Virtualbox guests, we usually need a log file from the run of the VB guest where the problem was noticed. These log files contain paths to the files on the host PC that are used by the guest, and these files default to being stored in the user's home path:

• Windows: C:\Users{username}....
• Linux: /home/{username}/...

The logs therefore reveal the account user name to anyone who may download the log file. And everyone including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.

Are they right? Is revealing the PC account user name bad?

Answer 1

I guess no. Why? Because if you secure your environment in such way that it can eliminate bruteforce attacks/dictionary attacks or any other attack that is trying to force the login, then exposing usernames won't do anything to it, thereafter you can limit the attempts in your LSP. If you look more into the psych of a possible attack, they can generate strings that are based on your username for example username is am123, they can put ham123 or aM93 in their dict list).

Should i keep my username of roastedbeans.ru secret? Yeah you should because it's not your environment, you do not manage it. Therefore you do not know if it is secure at all.

Answer 2

Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.

In this statement you assume that an attacker is specifically targeting you. This is often not the case, it is more about having an opportunity.

Specific tooling and/or script that are executed from an attacker's machine will scan the internet for common vulnerabilities in order to gain access to any (random) machine.

Sometimes the tools are a lot more simple and only try to guess usernames and passwords by attacking TCP/22 (SSH) for example.

The logs therefore reveal the account user name to anyone who may download the log file.

The thing with log files is that not anyone should be able to download it. Only a select amount of people should be able to access these logs. In case anyone with an account on the system has access to this log file, the file permissions are set too lose (world readable).

In a corporate environment log files should not be stored locally but transmitted to a syslog server. Limited users should have access to this syslog server.

Additionally, auditing the system (the logs should also be written to a syslog server) should log anyone that access these files for trace-ability.

And everyone including non-authenticated visitors, can download log files.

If this is really the case, this is a major design flaw. I would not be too worried about revealing a username (as mentioned above) but rather worry about this. Log files should never be (directly) accessible over the internet, especially unauthenticated users.

Is revealing a PC account user name bad?

In my opinion exposing a username on an operating system is not necessarily a bad thing as long as a strong password policy is in place. This means a minimum of at least twelve characters, using upper and lowercase characters, specials characters and digits. Additionally, this policy should also trigger an action if X amount of failed attempts are made from a specific IP address (e.g. blocking the IP for Y amount of time)

Another more pressing issue I see here is something we call "Internal Path Disclosure" . Exposing internal paths to an attacker could be very useful combined with other type of attacks such as local file inclusions or SQL injections in case of a web application that is also exposed to the internet.

Answer 3

Is revealing a PC account user name bad?

In short NO. Why?

1. Well for starters your PC username is not information that is unique to you. A lot of people in the world can have the same Windows username.
2. Since it's not unique to a person like an email address where two people cant have the same email address an attacker can't gain much information or even tell with a certain degree that the username belongs to you and you alone.
3. Sure, if that username of yours is your name itself the attacker might use that knowledge to further OSINT you but that's just about it.

Googling typically gets me back to the first two of these articles. These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.

That is because a username in a website is unique and furthermore in a brute force attack two pieces of information are needed. An attacker could (if the website allows) try a combination of passwords since he already knows that the username is valid.

Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.

The assumption that you make here is wrong. Never think that by hiding IP address you might be "secure". The concept of defence-in-depth has to be applied here. The internet is being scanned for vulnerabilities as you read this answer.

The logs therefore reveal the account user name to anyone who may download the log file. And everyone including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.

In my opinion, there is nothing insecure here, plus you already say half of the people use fake names. There is nothing substantial to gain here for an attacker except maybe a bit of information about the person.

Answer 4

Is it bad? Yes. - but it depends on the specific case.

You should provide as less personal information as possible publicly and you should hide this data.

SCENARIO 1:

The problem starts if that username is used on multiple locations and is unique. Let's say you were on a forum which was breached and username/password got leaked, someone can just search for that username and find your password. If you are using that on other public platforms with the same password as most people there is a potential you could get hacked that way.

SCENARIO 2:

If you work for a company and they have provided your PC username as name.surname, than posting that data on a forum will provide personal information about yourself and let others discover where you work, what you do etc., some people are not comfortable about that.