Jesper's Blog

Obligatory file photo: I am a Senior Security Strategist in the Security Technology Unit at Microsoft. My job is to explain to our customers how to run Microsoft products securely, and to the extent that it is needed, help the product groups figu

Blogs

Are usernames superfluous?

  • Comments 3
  • Likes

A friend just pointed me to an interesting blog post. The premise is that logon dialogs should not be asking for a username. Mostly the blog post points to why the username provides no value, not really expanding the argument that it is superfluous. Nevertheless, you have to love an article that recommends the use of pass phrases (in spite of the fact that they don't link to any of my articles on the topic)! The basic idea here is that passwords should be unique, and therefore the password is enough to identify you to the system.

I really like the fact that people are doing some creative thinking about authentication. We are taking far too much of what is being said about authentication at face value without nearly enough questioning and creative thought about what really works in the real world. Nevertheless, I do not think this idea will fly.

The first reason removing usernames is not going to work is simply because the authors fail to make a compelling case for why to remove them. They argue fairly succesfully that they provide no value. But, simply not providing value does not support the argument for removing them. For a proper dialectic argument, you need to argue FOR your position, not simply why something else is not worthwhile. There is statement as to a benefit to be had by removing usernames from the logon dialog. One of the arguments is that the username provides no security. That is correct, it does not. If people realized that maybe we could get rid of silly requirements like removing the last logged on username from the logon dialog. Is that enough to remove usernames from the logon process entirely though? I do not think so.

Further, the author argues that no two users should use the same password? Why not? What is wrong with this? In fact, there is a real serious reason why you should allow this, and that is the second reason this idea will not work. Think about it this way: let's say your logon dialog has only a password field in it. Now you go change your password and the system responds with "sorry, that password is already in use." OK, fair enough. Log off, type the password you tried to set, and you are now logged on as whichever user used that password. Instant attack, and the system even told you how to do it! Is it likely that users will use the same password as someone else? Yes, it is. I once cracked 23,311 passwords from a single system to learn more about them, how long it takes to crack them and what they were like (the results are presented in Protect Your Windows Network). In that set, I found that there were only 22,706 unique passwords. The remaining 2.6% were duplicates of some other password. In all, 3.9% of passwords were not unique. 8 passwords occurred more than 10 times, and one occurred 61 times! The risk of collisions is actually quite high. The chance of picking the same password as someone else is about one in 40. If you do a system-wide password reset, for instance, and have 1,000 users change their passwords all at the same time, it is a virtual certainty that at least one person would pick a password that is already in use. You only need 88 users to have a chance less than 10% that all the passwords would be unique. This alone should be enough to dismiss the entire argument.

Like I said, the fact that people think creatively about passwords and authentication is encouraging, and we need to keep doing so as an industry because the solutions we have today leave some things to be desired. People are very bad at passwords, although I do hope they can get better. Smart cards are expensive and do not work everywhere. Biometrics have their own set of problems with expensive hardware and lack of replaceability of the tokens. We need creative solutions that are simple to implement and use and do not cost a mint. Keep up the thinking!

Comments
  • More evidence that people are making recommendations without a basic understanding of computer science. You cannot have authentication without identity, and yet this is precisely what the article is suggesting. The removal of user IDs means the removal of identity. This requires that the password, which normally acts only as the secret authenticator, now acquire double-duty and become the identity as well. And what happens when you force this unnatural requirement? Well, you get exactly what Jesper describes: an instant attack. If the system refuses your use of a certain password, you *know* that said password is already in use! Now you know the "identity" of the human and can impersonate him/her.

    Computer science principles can't be changed, much like the laws of physics can't be changed. You must never confuse the functions of identity, authentication, and authorization, and you must avoid products that attempt to do so.

  • In response to Jespers comment that "we could get rid of silly requirements like removing the last logged on username from the logon dialog", I must tell you this.
    I recently have enabled this functionality, not from a security point of view for which most would use it, but for another less 'interesting' reason - to reduce the number of people who believe it or not, don't know their own user id. Basically because they never had to type it in, even though it was displayed on their screen every morning, and even though it was part of their email address, they didn't know/remember it. Also, I must disagree with the statement that it doesn't provide any security. While it is most likely in the public domain since its part of your email address for a start, it does play a part in protecting systems from certain attack methods. Instead of simply guessing 'any' password and gaining access, an attacker must also guess a user name that is associated with it. Now I agree that it may be perfectly possible for such an attacker to get a complete list of user ids for a particular system one way or another, it could also be quite difficult for others. But it does add another barrier and as such another layer of security. And as we all know, "Every little helps"

  • And what happens when a user calls the helpdesk to have them help with/change something; If they can barely remember the user name displayed on their screen every morning (settings permitting of course!), how do they identify themselves to the poor sysadmin who has to go find their profile when they really don't have a user name?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment