OSINT Recon Great? — Unique Usernames are Just as Important as Unique Passwords
Intro
Happy World Password Day! Yes, this is an opinion piece. No, I’m not saying passwords are unimportant. The title is meant to be bold to encourage debate and to bring awareness to the topic. If anything, I believe they’re equally important as passwords when it comes to privacy and security. This is something I’ve been practicing personally now for ten years and it has worked well for me. Please hear me out and wait to tell me how wrong I am until after you’ve read the entire article. 😛 Passwords have been over-talked in the information security space to, quite literally, the brink of extinction. We still have to live in a world where credentials are the primary form of authentication online, for now. Big steps are being taken to get rid of the need for passwords but they’re here to stay for a while. Sorry passwords, I know today is your day.
Credentials are typically comprised of an email address or username, a password, and ideally, another form of identification such as a security token or push notification known as Two-Factor Authentication (2FA). So why then are we always talking about passwords and 2FA? We almost never talk about usernames and in my opinion, they’re just as important in a security context if not more-so than their notorious counterpart. They’re like the R2D2 of authentication when C3PO always gets the gold! (Auth-2D2)
Please understand me, I’m certainly not advocating we use weak passwords just that the importance of usernames is often overlooked.
Now that your eyes have returned to their normal, non-rolled position, let’s talk about why I feel this way. Hint: It’s OSINT
Reasoning
I’ve previously spoken about Open-Source Intelligence (OSINT) tools and the reconnaissance phase in my Phishing article so I’ll do my best to avoid any redundancies there. A lot of those tools are designed to target a company or a domain first and then find information on individuals associated it. However, sometimes an attacker may be targeting an individual instead of an organization from the start. Popular targets in the real world are usually victims who may have personal connections to the attacker or are high profile people such as celebrities or politicians. The technical goal of the attacker may be to gain unauthorized access to resources as that individual or to violate their privacy by discovering browsing habits and sites they belong to. The end goal could be to humiliate and expose their victim or to financially profit from this access. I’ll admit in my past I had to put the grey-hat back on and dig up a LinkedIn breach hash, crack it, and use Facebook to SSO into other accounts in order to geo-locate an IP address for someone in the family who had gone missing. We were concerned for their safety, truly.
By now, just about everyone who uses the Internet knows that strong passwords are a better idea than using “123456” for their Chase account’s password. This has been a long, brutal learning lesson and some people are still getting caught up to speed. A newer but still relatively old concept in security is to use unique passwords that are different for each site you have an account on. This is great, as long as it’s done properly. Using a password manager instead of 20 post-it notes on your desk is the preferred way to do this, in case you were wondering. (I, like many others before me, have seen this in physical penetration testing engagements!) If this is you, crumble them up after converting them to a password vault like KeePass, 1Password, LastPass, etc and throw them in the shredder. For the rest of you, great job on keeping your passwords safe and unique!
Great! Now that all of us have a different set of credentials on every site we belong to, let’s talk about why it’s important to do this. I’ll keep it brief because it’s not a new concept but I feel it’s worth explaining due to the importance of the topic. “Credential Stuffing” is a term used when an attacker gains access to a list of usernames and passwords, typically through a breach leak, and attempts to match these up against other sites and services to see if people are using password reuse. Not us! However, many people do and these attackers have tools such as Snipr which can pretty quickly and effectively check what other sites those credentials work on. Sites such as haveibeenpwned.com allow users to check if and even be alerted in the event that their accounts have been compromised. If someone is targeting you specifically, the same technique applies except they won’t be looking for any connect to be letting them in, they’ll be using your leaked password.
HIBP Breach Leak Lookup by Email
Someone using a credential stuffing tool or a number of OSINT tools can still learn a lot of information about you if they’re trying to build an online profile of their target. Think about it, your email address or username is likely to be the same on every website you are registered with. After all, the username just identifies you. It’s your password that verifies your authenticity, or is supposed to, and says you are who you say you are. Would you care if all of the sites you’re registered on were publicly searchable by anyone who wanted to look into your life? People could build a pretty good profile of you such as if you go to church, where you bank, what hobbies you have, groups you belong to, social media accounts, etc. Maybe you don’t want that all out there? The Internet is not forgiving after all, it archives a mind-boggling amount and has an almost infinite retention period. Just Google your email address and see what pops up and that’s just what a non-attacker would use to dive into your story. The recent Ashley Madison scandal comes to mind and the people who were “outed” because they didn’t expect a Cyber Security breach to give them away. Having complex passwords didn’t help them. It’s not that I’m condoning this service, but I believe in privacy for all. Why not create “throwaways” for every site you belong to?
Usernames and email addresses aren’t necessarily synonymous. Maybe I want my username to be publicly known for a social media account. For example, my Twitter username is @CurtBraz. Anyone knows that and I don’t want to mask my identify there. That’s a risk I choose. However, I still have a uniquely masked email address that’s required for me to log in, in addition to a strong and unique password. If someone tries to brute force my password they would need to know my email address, which shouldn’t be accessible in most cases. Even if someone got this for some reason and they wanted to get into my email account, they have no idea what my underlying real email is.
If my password wasn’t unique and was re-used you’d still run into the same problem as an attacker. If you were staring at a breach list of credentials you might have my password for Twitter, but you couldn’t use that anywhere else I have an account even if it’s the same password I use everywhere. This is the point I hope to make.
Recommendations and Conclusion
So what can we do to protect our privacy? Something we always preach from an Application Security perspective is that sites should not disclose if a username exists if a password is incorrect or a reset request is initiated. Instead, it should respond with a generic message like, “This username or password combination does not match any known records”. That being said, a lot of popular sites don’t follow this practice. Captcha isn’t foolproof, but is another deterrent against bots or scripts attempting to automate these attacks. For any developers or site administrators reading this, you can help your users by following these simple practices. Additionally, content from forums and discussion threads are spidered and indexed by search engines and can pick up users this way as well.
This advice is for everyone else who’s a “user”. Consider using unique, unidentifiable usernames and email addresses when registering online. Some people take it even further, depending on your level of privacy needs, and “mask” other information such as credit cards, names, and physical addresses. For the purpose of this blog I’m only referring to usernames and emails. Even if your password is disclosed in a breach and you are an avid password reuser, no one will know which account is yours to try the password against. Of course they could still do a dictionary attack and force their way in eventually, so that’s why it’s good to follow both practices. Also, a unique email or username as opposed to only a unique password makes it extremely difficult to target you as having an account on that site. If I were to take your one known email address and run it through an OSINT tool, I would only find that one site you belong to. I wouldn’t get a pretty visual map like I do in Maltego to know what other services I can try my leaked credentials out on.
I personally use a browser plugin called “Blur” (formerly known as Do Not Track) which does an awesome job of integrating into Chrome form fields and offering to “mask my email”. See the image at the top of this article for an example of creating a new account on AWS. I use the same format for usernames. I then leverage KeePass for unique passwords but you can use any password manager you like.. even Blur or your browser itself. Most password managers will reference the HIBP API and make sure your passwords themselves haven’t been in a breach thus far. This allows me to quickly and easily create throwaway emails that I can use for authentication but it can also protect my real email. As a plus, it has the additional benefit of effectively cutting off unwanted spam by turning off the forwarding service and blocking trackers. There are other services you can use for disposable email address and username generation, such as Guerrella Mail. Even Gmail allows you to create email aliases by simply adding a plus sign. If your email address is curtis.brazzell@gmail.com, you can create one on-the-fly at a cash register in a store such as curtis.brazzell+gamestop@gmail.com and your emails will still be delivered. What you’ve effectively done is create a unique account that hackers will not easily recognize as yours in a breach list but at the same time it’s recognizable to you. You can also determine what sources are sharing your address with third parties this way! Of course, someone could figure out your naming convention, so you may want something more random.
With the advent of open and centralized authentication services like oauth and auth0, things are changing a bit. There’s still a balance in my mind for using these services. On one hand all of your memberships are tied into one or a few services (Facebook, Twitter, Google, etc) and as long as that account is secure, your others should be as well. Registering this way is one less username and password you have to deal with. On the other hand, you’re putting all of your eggs in one basket when you think about account takeover and you’re using the same username everywhere. There’s always the potential that organization could be breached itself, even Google! My personal approach is to mix it up some and use Single Sign On (SSO) for less important resources and for more private ones I register directly with the site.
Because a unique email makes it difficult for an attacker to brute force my account in much the same way a password does and because it also has the added benefit of making it difficult to target or identify me, I think it’s just as important if not more-so than having a uniquely strong password. It’s a form of security by obscurity. Again, both are recommended, but I think unique and complex usernames should be a standard, something I rarely see today. Security is all about layering, and although I know security by obscurity isn’t the solution, it’s yet another layer to strengthen your security posture if used properly.
As always, I encourage a discussion and healthy debate on the topic. Please let me know why you do or don’t agree! I do these blogs to help the community but also to advance my own understanding by hearing from you knowledgeable readers! Thanks so much!
- Curtis Brazzell
