Valid username discovery possible?

Dirk Weise
(@wedi)

4 years, 7 months ago
Hi Community,
as every WordPress site owner I get _a lot_ of brute force tries to log into the backend. Recently I see that much, much less tries use the username admin now but my real username. Is there the possibility that there is e.g. a timing attack that makes those people discover if a username is actually valid? I have to admit that I chose badly because my username was contained in my domain. Maybe they use a new algorithm as admin _should_ be a rare username by now. I just wanted to raise attention for this observation.
I have changed my username now and will see if I get any fraudulent logins with the new name.
Cheers,
Dirk
- This topic was modified 4 years, 7 months ago by Dirk Weise.

Viewing 5 replies - 1 through 5 (of 5 total)

Andrew Nevins
(@anevins)

WCLDN 2018 Contributor | Volunteer support

4 years, 7 months ago

There are ways to find the account usernames, but relax, usernames aren’t considered as part of security. Security is in the password.

Thread Starter Dirk Weise
(@wedi)

4 years, 7 months ago

I am relaxed, my password is long enough to be very save. 🙂

Ofc the main security is in the password! But I think of those people who use easier passwords as there is no brute force prevention built into wordpress. I disagree that the validity of – or even worse valid – usernames should be discoverable to make it even easier for the bad guys. Of course security through obscurity is no real option but a Software that is driving 25% of the web should prevent fraudulent people from easier picking the low hanging fruits.
There are exceptions to the rule, e.g. huge service providers where it is a usability and support problem to give people a username they have to remember. But those services usually have other counter measures in place than the average WordPress site owner.

Just my 2 Cents to this observation which you confirmed.

You made me curious what the ways to find usernames are?
Andrew Nevins
(@anevins)

WCLDN 2018 Contributor | Volunteer support

4 years, 7 months ago
It seems we disagree the premise that usernames aren’t part of security. Rather than repeat what has already been said, I’ll link to this article: https://wptavern.com/why-showing-the-wordpress-username-is-not-a-security-risk

On a side note, brute force should be tackled at the server level and not application.
- This reply was modified 4 years, 7 months ago by Andrew Nevins.
Moderator Samuel Wood (Otto)
(@otto42)

WordPress.org Admin

4 years, 7 months ago

@wedi Knowing your username or even discovering your username is not a security risk in any sense of the word. Some people think that knowing a username is like 50% of what you need to log into a site, but the truth is that it is not a security token of any sort.

I can explain this quite simply. Let’s assume that your theory is correct and that usernames should be secret. So, you need two secrets to log into your site: the secret username and the secret password. Now, two is more than one so that’s more secure, right? So, why not just have a normal non-secret username field and two password fields? Hey, they still need to know two secrets, so sure, more secure. Username + password1 + password2. In fact, why don’t we simplify the whole situation, and just have them put both passwords into one field, like “password1password2”? Much simpler to have one field, and now we’re more secure. /s

The reality is that having multiple secrets is no different than having only one secret, because *the secret password can be of any length*. If somebody is choosing bad passwords, then the way to address that is to educate them to choose good passwords.

WordPress addresses the bad password problem by using a different approach for passwords. When you choose a new password or set up a new account, WordPress does not ask you to enter a password, it generates a secure one for you. If you then type in your own password instead, a checkbox pops up that confirms that you want to use a bad password, and it won’t let you go on without checking that box. Basically, WordPress’s approach is to use good passwords by default and force the user to recognize when they’re doing something bad instead. This is a much stronger approach than the typical “type your password twice” method most systems have.

As for brute-force prevention, if you are getting the hits to your access logs at all, then you’re already in trouble. Brute force attacks need to be stopped upstream, before the PHP code is ever executed. Because the main problem caused by brute force attacks is resource depletion. You only have so much processing power and network bandwidth, if you’re getting traffic for these attacks, then you need to stop the traffic itself, not just prevent it from getting lucky. Them knowing the username is not your problem, them getting their spam traffic to execute your code at all is.

larsonreever
(@larsonreever)

4 years, 7 months ago

The username is treated as common knowledge since it’s not difficult to determine. When I asked Andrew Nacin, lead developer for WordPress 3.9, whether the information shared by Hulse is still accurate, he said, “It’s fairly similar language we use when replying to security inquiries.” He then offered similar advice, “Create a strong password. Then, instead of playing games with your username, use a two-factor authentication plugin.”