Another week and another group of people thinking this or that website has been breached.
The latest one got me thinking because the people affected claimed to use a password manager to generate strong passwords. Usually, when there is a breach, it's the same song and dance of users reusing passwords, and case closed.
I do get the few who claim they use a strong password, but it ends up being some algorithm they created, and I’ve covered why this is a bad idea here. Or they do use a strong password like “xNY6&r93ubc9^N” but reuse it on many other sites, which is just as bad as using “password1”.
But these few people who said a password manager created their password got me to take a step back. If this is true, then the service must be hacked – it’s a fair assumption to jump to.
After much digging, I’ve found the issue might be related to usernames and not passwords.
Usernames Are Public – Not Private
All the people saying there was a breach but said they used a strong, unique password from a password manager all had one thing in common.
They all reused usernames.
I’ve found that I could Google their usernames and see the other accounts they had. I could even learn what car they drove because they used that username on a forum to get help fixing their car. I could also see where they lived because they used that username on their local cable company’s help forum.
All this information could be learned because they reused their username. I could probably figure out security questions they would use, like “your first car” could be the same car that they needed help with on the auto forum.
So What’s Your Point?
Let’s think of it from the website’s perspective. You have baddies trying to log in to your customers’ accounts. You want to stop this in the simplest way possible.
Since password reuse is the biggest problem that most everyone faces, you decide to force your users to reset their passwords. But how do you determine who should reset their passwords?
You get a list of compromised accounts; this list has usernames, emails, and passwords. There is one issue: you store your customers’ passwords hashed and salted. Going through all accounts will require a lot of effort and maybe some changes to the login page to test their password against known breaches.
Or you could take a simple way out and see if their usernames show up in any breaches. If their username were in another breach, you could assume their password is exposed since so many people reuse passwords. You force all those accounts to reset their passwords, even the ones that used proper unique passwords just to be safe.
I came to this conclusion because I used the site that people claimed had been hacked myself. Everyone but me was getting these emails to reset their password because “we’ve found you in a breach.” I, too, like many of the users, used a password manager to generate my password, but I was not getting the emails telling me I had to reset it.
I started Googling the usernames of the people complaining on the forums about the breach and found they used that username for every site they visited. My account used a username that had never existed before, and it all started to make sense.
Usernames Need To Be Unique
After Googling way too many people affected by this so-called “breach,” I learned that too many people reuse their usernames.
I can understand it if you have a brand, but for the average person there is no benefit to reusing a username. As we can now see, it could cause future trouble.
It’s disturbing what you can find out about yourself when you Google your username. You could piece together where you live, who you are, and pictures of yourself connected to these accounts. When you create a username that is not your real name, you think it’s anonymous, but over time, as you use the account, you leave breadcrumbs that reveal who you are.
Going forward, I highly recommend everyone make a unique username for each new account they create. If you care about privacy, you should be treating your usernames like your passwords – disposable.
Trust me; the internet points don’t matter.
How To Create Unique Usernames
The best and most straightforward way to create a unique username is with a password manager.
Many of them like Bitwarden, KeePassXC, or 1Password have passphrase generators built in. Combining 2 or 3 of these words can make for a great username. It’s almost a game, and I’ve created some super funny ones before.
Here are examples of the usernames you can create using passphrase generators.
It’s okay to have some fun with it and be creative.
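A passphrase-style username generator like the ones described above, written for this post as an added illustration (it is not code from Bitwarden, KeePassXC, or 1Password). The wordlist is a small constructed sample; real generators ship thousands of words (the EFF large wordlist has 7,776), and the entropy function shows why that list size matters.

```python
import math
import secrets

# Constructed sample wordlist. A real passphrase generator ships thousands
# of words; the number of possible usernames grows as (list size) ** (words).
WORDLIST = [
    "anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kestrel", "lantern", "marble", "nebula", "orchid",
    "pepper", "quartz", "river", "saffron", "timber", "umber", "velvet",
    "walnut", "yonder", "zephyr",
]


def generate_username(words=2, wordlist=WORDLIST, separator="", suffix_digits=0):
    """Pick `words` random words with a CSPRNG and join them into a username.

    Each word is drawn independently with replacement, so there are
    len(wordlist) ** words possible names, times 10 ** suffix_digits if a
    numeric suffix is appended (handy when a site rejects the plain name).
    """
    if words < 1 or not wordlist:
        raise ValueError("need at least one word and a non-empty wordlist")
    picks = [secrets.choice(wordlist) for _ in range(words)]
    name = separator.join(w.capitalize() for w in picks)
    if suffix_digits:
        name += "".join(str(secrets.randbelow(10)) for _ in range(suffix_digits))
    return name


def username_entropy_bits(words, wordlist_size, suffix_digits=0):
    """Entropy in bits: log2 of the number of equally likely usernames."""
    return words * math.log2(wordlist_size) + suffix_digits * math.log2(10)


if __name__ == "__main__":
    for _ in range(3):
        print(generate_username(words=3))
    print(f"{username_entropy_bits(3, len(WORDLIST)):.1f} bits from this 25-word list")
    print(f"{username_entropy_bits(3, 7776):.1f} bits from a 7,776-word list")
```

Three words from the 25-word sample give about 14 bits, while the same three words from a 7,776-word list give about 39 bits, which is why the tiny list here is only for illustration.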
And for the love of God, don’t use the same username for p0rn and other naughty stuff you do on the internet. You especially need to use unique usernames for those accounts. I can’t believe I have to mention this.