12

I was somewhat surprised that the sysadmin approved a one-letter username like "m" and my username is also short ("nik"). I think that if usernames are brute force attacked then the username should also be longer than just a few characters. Do you agree?

  • 5
    Long usernames are more important to limit spamming since it is where username bruteforcing would occur. nik@example.com may receive more spam than nick.rosencrantz@example.com, that's why some email providers require the username to be a minimum length. Apart from that, the security itself comes from the password, not the username, which is public information. – WhiteWinterWolf Apr 23 '15 at 15:27

4 Answers

23

The username is not a secret; any determined attacker will be able to find out the names of users on your system.

What does improve your security is if there is no remote access for "root", "guest", and similar account names found on many systems. In fact, Ubuntu explicitly disables the "root" account because it is such a favorite target.

S.L. Barth
  • 5
    Some companies enforce two-factor-authentication for remote access. This should thwart any bruteforce attempts, even if the username is known. – Dog eat cat world Apr 23 '15 at 12:48
6

One letter is indeed a bit short, but a good IDS can quickly see if someone is messing with your network if 3-letter usernames are being used.

But from a security standpoint, one should assume the username is known to an attacker, since it's often easy to guess or not protected at all (leaked at some other place), so short usernames are not so much an issue when the systems have other protection mechanisms in place.

LvB
1

Many systems have a standardized way of generating usernames (last name first initial, email address, etc.) and other systems leave usernames completely public-facing (WordPress, although you can hide them via plugins). So it is common to have little or no secrecy when it comes to the choice of usernames.

This is the reason for passwords in the first place. If usernames were intended to be secret and complex then what exactly is the point of passwords? At that point you would now have two passwords.

While a 3 or 1 character username does seem a bit excessive, it does not give any particular advantage to a brute force attack when used on any system that has either predictable or public-facing usernames in the first place.

An example of a username that could/would make you a target for brute force attacks is something as common as 'root' or 'admin' because these have historically been widely used for high access accounts.

KnightHawk
-1

No one is going to hack you without knowing your user name. Your password is the one which prevents you from brute force attacks. The spammers have databases with email addresses and do not just randomly send emails to all possible user names either. Looks like nothing is wrong with your system administrator.

Asen
  • 1
    This is an unfounded assumption. You do not know what hackers 'think' or try to do. It is known that some spammers do use username prediction. – LvB Apr 24 '15 at 10:36
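
An added example, not part of any of the posts above: a small detector over authentication log lines that flags the behaviour the answers discuss (one source guessing at many usernames, attempts against well-known names such as "root", "admin" and "guest", and repeated password failures for one account), independent of how long the username is. The OpenSSH-style log lines, the thresholds and the function name are constructed assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's auth-log wording (not from the original page).
SAMPLE_LOG = """\
Apr 23 12:00:01 host sshd[101]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr 23 12:00:03 host sshd[102]: Failed password for invalid user admin from 203.0.113.5 port 40002 ssh2
Apr 23 12:00:05 host sshd[103]: Failed password for invalid user guest from 203.0.113.5 port 40003 ssh2
Apr 23 12:00:07 host sshd[104]: Failed password for invalid user a from 203.0.113.5 port 40004 ssh2
Apr 23 12:01:10 host sshd[105]: Failed password for nik from 198.51.100.7 port 50001 ssh2
Apr 23 12:01:20 host sshd[106]: Accepted password for nik from 198.51.100.7 port 50002 ssh2
Apr 23 12:02:00 host sshd[107]: Failed password for m from 192.0.2.9 port 60001 ssh2
Apr 23 12:02:02 host sshd[108]: Failed password for m from 192.0.2.9 port 60002 ssh2
Apr 23 12:02:04 host sshd[109]: Failed password for m from 192.0.2.9 port 60003 ssh2
"""

FAILED = re.compile(r"Failed password for (invalid user )?(\S+) from (\S+) port \d+")
COMMON_NAMES = {"root", "admin", "guest"}  # names the answers call favourite targets

def analyse(log_text, spray_threshold=3, guess_threshold=3):
    """Return {source_ip: [findings]} for sources that look like brute forcing."""
    users_by_src = defaultdict(set)   # distinct usernames tried per source
    fails = defaultdict(int)          # (source, user) -> failed attempts
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m:
            continue                  # successful logins and other lines are ignored
        _, user, src = m.groups()
        users_by_src[src].add(user)
        fails[(src, user)] += 1
    findings = defaultdict(list)
    for src, users in users_by_src.items():
        if len(users) >= spray_threshold:
            findings[src].append("username-guessing")
        if users & COMMON_NAMES:
            findings[src].append("common-account-target")
    for (src, user), n in fails.items():
        if n >= guess_threshold:
            findings[src].append(f"password-guessing:{user}")
    return dict(findings)

if __name__ == "__main__":
    for src, tags in analyse(SAMPLE_LOG).items():
        print(src, tags)
```

The single mistyped password for "nik" produces no finding, while repeated failures against the one-letter account "m" are flagged the same way they would be for a long username.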