I can discover usernames in WordPress, which means I’m halfway to compromising an account.
It’s a common security report. The details vary – sometimes they find usernames through CSS classes, sometimes they’re using enumeration, sometimes it’s from a REST API endpoint – but the real problem is that the underlying logic is flawed.
WordPress has taken the stance that usernames aren’t secret.
From our handbook:
The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.
Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.
Instead of attempting to hide a public identifier, WordPress attempts to encourage users to choose strong passwords instead, through both user interface as well as education.
Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing.
Why? Because knowing a username doesn’t mean you’re halfway to compromising an account. Let me explain.
Usernames Are Public
A username is an identifier, a claim to who you are, much like your actual name. When I go to the bank to pull out cash I identify as Aaron Campbell, but then they want to verify that by looking at my drivers license or passport. That required verification is your password. I share my name with anyone, but they cannot have my verification documents. Those are mine.
Moving back to the internet, my username on Twitter is aaroncampbell and every one of my followers knows that. My username on Gmail and Facebook is email@example.com and anyone who ever e-mails me knows this – it even used to be on my business cards. You could discover my username on this site, but you don’t need to – it’s aaroncampbell.
Even if I didn’t have two-factor authentication enabled in all those places, you wouldn’t be “halfway” to compromising any of those accounts. Users know they need good passwords, but usernames are generally simple, easy to remember, and alphabetic or alphanumeric. To put it simply, they’re already easy to guess.
But wouldn’t keeping them secret still help? Wouldn’t having to guess both the username and password make it twice as hard? Shouldn’t WordPress help with that?
No, no, and no. And it all comes down to entropy.
Password strength is usually described in terms of information entropy, measured in bits: a password with 42 bits of entropy is as hard to guess as a string of 42 random bits. Calculating accurate entropy can get complicated. Dictionary words (including ones in custom dictionaries built for the target), patterns, dates, and many other things reduce the effective entropy of a string well below its raw value. In the best case your password isn’t susceptible to any of those, and the raw entropy (H) is given by the formula below, where N is the number of possible symbols for each character and L is the number of characters in the password:
H = log2(N^L) = L × log2(N)
Let’s calculate the entropy of my username, aaroncampbell. It’s 13 characters long (L) and each character is one of 26 possible symbols (N), giving log2(26^13) ≈ 61.1 bits. Keep in mind that in a real-world scenario my first and last name, along with many other words specific to me, would likely already be in an attacker’s dictionary, making the effective number much lower.
Given a very short (too short) ten-character random password of yZ3#8gPI^0, drawn from the 95 printable ASCII characters, the entropy is log2(95^10) ≈ 65.7 bits.
Even in the best case for hiding the username, where an attacker gets no separate signal about whether the username alone is right and has to guess the pair together, the combined entropy is only ~126.8 bits. If you instead increase the length of your password to 20 characters, its entropy alone is ~131.4 bits, more than the secret username and the ten-character password put together. All my passwords are 50 characters, or ~328.5 bits of entropy.
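The arithmetic above, carried through in code. This is an added example, not code from the original post: it infers the character pool from the classes a string actually uses (26 lowercase, 26 uppercase, 10 digits, and 33 printable symbols, which is where the 95 comes from), computes raw entropy with the same H = L × log2(N) formula, and answers the practical question the post is making: how many extra password characters are worth as much as keeping a username secret. The helper names, the 33-symbol count and the sample inputs are this example’s own assumptions.

```python
import math
import string

# Character classes used to infer the pool size N. The 33-symbol set is
# string.punctuation (32) plus the space, so lower + upper + digits + symbols
# gives 26 + 26 + 10 + 33 = 95, the pool assumed for a random password.
# (This class layout is an assumption of the example, not a standard.)
CHAR_CLASSES = (
    (frozenset(string.ascii_lowercase), 26),
    (frozenset(string.ascii_uppercase), 26),
    (frozenset(string.digits), 10),
    (frozenset(string.punctuation + " "), 33),
)


def alphabet_size(secret: str) -> int:
    """Smallest pool built from whole character classes that covers `secret`."""
    known = frozenset().union(*(chars for chars, _ in CHAR_CLASSES))
    unknown = [c for c in secret if c not in known]
    if unknown:
        raise ValueError(f"characters outside printable ASCII: {unknown!r}")
    return sum(n for chars, n in CHAR_CLASSES if any(c in chars for c in secret))


def entropy_bits(alphabet: int, length: int) -> float:
    """Raw entropy H = log2(N^L) = L * log2(N), in bits. No dictionary discount:
    this is the best case, i.e. every character chosen uniformly at random."""
    return length * math.log2(alphabet)


def string_entropy(secret: str) -> float:
    """Best-case entropy of a concrete string, from its inferred pool and length."""
    return entropy_bits(alphabet_size(secret), len(secret))


def extra_password_chars(username_bits: float, alphabet: int) -> int:
    """How many more password characters (from a pool of `alphabet` symbols)
    buy at least as many bits as keeping a username of `username_bits` secret."""
    return math.ceil(username_bits / math.log2(alphabet))


def compare(username: str, password: str, longer: int) -> dict:
    """Secret-username scenario versus simply lengthening the password."""
    u = string_entropy(username)
    p = string_entropy(password)
    n = alphabet_size(password)
    return {
        "username_bits": round(u, 1),
        "password_bits": round(p, 1),
        "username_plus_password_bits": round(u + p, 1),
        f"password_of_{longer}_bits": round(entropy_bits(n, longer), 1),
        "extra_chars_worth_a_secret_username": extra_password_chars(u, n),
    }


if __name__ == "__main__":
    # Constructed inputs: the post's own username and its sample password.
    for key, value in compare("aaroncampbell", "yZ3#8gPI^0", 20).items():
        print(f"{key}: {value}")
```

Run as-is it reproduces the post’s numbers (61.1, 65.7, 126.8, 131.4) and reports that ten more random characters already outweigh a secret 13-character username. Note that the comparison is generous to the hide-the-username side: a real cracker would have “aaron” and “campbell” in a wordlist, so 61.1 bits is an upper bound on what secrecy could ever buy.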
The Best Solution
Don’t worry about your username, but do focus heavily on your password practices. Use a password manager like LastPass or 1Password. You cannot have good password practices without a password manager. Good passwords should be long – 50 characters is what I use; random – not a “random phrase” you use, but actually randomly generated using a large character set; and unique – only used in one place.
If you really want to secure your account, use two-factor authentication (2FA). Many sites offer this option, and I personally use it everywhere I can. I use Authy as my 2FA app because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even back up and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator. To add 2FA to your WordPress website, you can use iThemes Security Pro (paid), which is what I use, or Two Factor.
Hi I hope you can help with a login problem. But first an apology as I know this is not the way of getting Support but I’m a bit desperate. Let me explain:
Since the last upgrade to WordPress my site which is hosted and managed by 1&1 bombed out and I am unable to login. I have reset passwords all to no avail. When I try to login to support I just get a message to say invalid username or password … so no support!
I can view my site but cannot login either from within my site account or externally through WordPress or the 1&1 Dashboard.
Can you please pass this on to someone who may be able to help.
I do have a critical issue that I need to resolve with Revisionize – but can’t get Support because I can’t login!! This issue is serious as when editing a post using Revisionize it deletes the original post on publishing and throws up a 404 redirect error in YOAST SEO.
I am not technical just a WordPress user who was very happy with the product.
Any help please ….
Unfortunately you are right, this isn’t the place for support and honestly there’s not anything I can do anyway. You’ll need to get in touch with your host to help you gain access to the site.
Totally agree with you here fella. Strong passwords are always the way to go. I usually use strong password generators for my and my clients’ websites and hosting.
As another bonus. I usually activate the Cerber plugin and change the default wp-login.php page to another link as that also helps combat hacker bots.
On top of what you said here, I would also recommend people use fewer plugins and keep them up to date on their respective sites.
I wonder if Clive above got his access back to the site, seems to me he may have been blocked by WordFence or by IP.
Great post Aaron.
Strong password generators, or better yet password managers that incorporate strong password generators, are definitely the way to go!
I don’t think that moving the login page is all that helpful. There are plenty of ways to try to log into a WordPress site (including APIs like XMLRPC and the JSON REST API). It’s kind of like trying to protect your house by hiding the front door – everyone knows there’s a way in, so they’ll just try a back door, side door, window, etc. Modern hacking bots are going to be able to find a way to try to log in (they’re really quite intelligent at this point), so focus on strong passwords to actually keep them out rather than trickery that they’ll likely see right through.
Hope that helps,
It’s worth mentioning that in 1Password you can set up your 2FA right within it for all of your accounts. If you’re sick of 2FA being something you have to get your phone for and avoid it because it’s a pain this can be a great option, rather than you just not using it at all. It can fill it in the same way it can fill in your password if you have it configured to do so.