I can discover usernames in WordPress, which means I’m halfway to compromising an account.
It’s a common security report. The details vary – sometimes they find usernames through CSS classes, sometimes they’re using enumeration, sometimes it’s from a REST API endpoint – but the real problem is that the underlying logic is flawed.
WordPress has taken the stance that usernames aren’t secret.
From our handbook:
The WordPress project doesn’t consider usernames or user ids to be private or secure information. A username is part of your online identity. It is meant to identify, not verify, who you are saying you are. Verification is the job of the password.
Generally speaking, people do not consider usernames to be secret, often sharing them openly. Additionally, many major online establishments — such as Google and Facebook — have done away with usernames in favor of email addresses, which are shared around constantly and freely. WordPress has also moved this way, allowing users to log in with an email address or username since version 4.5.
Instead of attempting to hide a public identifier, WordPress attempts to encourage users to choose strong passwords instead, through both user interface as well as education.
Note that WordPress is not the only open source project to believe this. Drupal has similar arguments for the same thing.
Why? Because knowing a username doesn’t mean you’re halfway to compromising an account. Let me explain.
Usernames Are Public
A username is an identifier, a claim to who you are, much like your actual name. When I go to the bank to pull out cash I identify as Aaron Campbell, but then they want to verify that by looking at my drivers license or passport. That required verification is your password. I share my name with anyone, but they cannot have my verification documents. Those are mine.
Moving back to the internet, my username on Twitter is aaroncampbell and every one of my followers knows that. My username on Gmail and Facebook is firstname.lastname@example.org and anyone that ever E-Mails me knows this – it even used to be on my business cards. You could discover my username on this site, but you don’t need to – it’s aaroncampbell.
Even if I didn’t have two factor enabled in all those places though, you wouldn’t be “halfway” to compromising any of those accounts. Users know they need good passwords but usernames are generally simple, easy to remember, and alphabetic or alphanumeric. To put it simply, they’re already easy to guess.
But wouldn’t keeping them secret still help? Wouldn’t having to guess both the username and password make it twice as hard? Shouldn’t WordPress help with that?
No, no, and no. And it all comes down to entropy.
Password strength is usually referred to in terms of information entropy, measured in bits. The idea is that a password with 42 bits of entropy would be as strong as a string of 42 random bits. There can be a lot of complexity in calculating accurate entropy. Dictionary words (including ones in custom dictionaries built for the target), patterns, dates, and many other things can be used to reduce the raw entropy of a string. Best case scenario though, your password isn’t susceptible to any of those, in which case the raw entropy (H) can be calculated using this formula, where N is the number of possible symbols for each character, and L is the number of characters in the password:
H = log2(N^L) = L × log2(N)
Let’s calculate the entropy of my username of aaroncampbell. It’s 13 characters long (L) and each character has 26 possible symbols (N), giving H = log2(26^13) ≈ 61.1 bits. Keep in mind that in a real-world scenario, my first and last name, along with many other words specific to me, would likely already be built into a dictionary, making this number much lower.
Given a very short (too short) ten character random password of yZ3#8gPI^0 drawn from the 95 printable ASCII characters, the entropy is ~65.7 bits (log2(95^10)).
Assuming that you can try to crack the username separately from the password, the combined entropy is ~126.8 bits. If you instead increase the length of your password to 20 characters, its entropy alone would be ~131.4 bits. All my passwords are 50 characters, or ~328.5 bits of entropy.
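The calculations above, worked through in Python as an added example (not code from the original post): it applies the post’s formula H = L × log2(N), estimates N from the character classes a string actually uses (assuming the 95 printable ASCII characters as the full set), and shows how many random characters of password make up for a username that is not secret.

```python
import math
import string

# Sample values taken from the post's own discussion (constructed inputs).
USERNAME = "aaroncampbell"
PASSWORD = "yZ3#8gPI^0"

# Character classes a generator might draw from. Together these are the
# 95 printable ASCII characters: 26 + 26 + 10 + 33 (punctuation plus space).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
)


def entropy_bits(symbols: int, length: int) -> float:
    """Raw entropy H = log2(N^L) = L * log2(N), as in the post."""
    return length * math.log2(symbols)


def charset_size(s: str) -> int:
    """Best-case N for a string: the size of every character class it touches."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in s))


def combined_entropy(username: str, password: str) -> float:
    """Entropy if both username and password had to be guessed independently."""
    return entropy_bits(charset_size(username), len(username)) + entropy_bits(
        charset_size(password), len(password)
    )


def needed_length(symbols: int, target_bits: float) -> int:
    """Shortest password over `symbols` characters reaching target_bits."""
    return math.ceil(target_bits / math.log2(symbols))


if __name__ == "__main__":
    both = combined_entropy(USERNAME, PASSWORD)
    print(f"username alone : {entropy_bits(charset_size(USERNAME), len(USERNAME)):.1f} bits")
    print(f"password alone : {entropy_bits(charset_size(PASSWORD), len(PASSWORD)):.1f} bits")
    print(f"username+pass  : {both:.1f} bits")
    # A password of this length already exceeds 'secret username' + 10 chars.
    print(f"password chars to beat that: {needed_length(95, both)}")
    print(f"50 random chars: {entropy_bits(95, 50):.1f} bits")
```

Running it shows that a 20-character random password on its own (~131.4 bits) already beats a secret 13-letter username plus a 10-character password (~126.8 bits), which is the post’s point.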
The Best Solution
Don’t worry about your username, but do focus heavily on your password practices. Use a password manager like LastPass or 1Password. You cannot have good password practices without a password manager. Good passwords should be long – 50 characters is what I use; random – not a “random phrase” you use, but actually randomly generated using a large character set; and unique – only used in one place.
If you really want to secure your account, use two factor authentication (2FA). Many sites offer this option, and I personally use it everywhere I can. I use Authy as my 2FA app because I think it’s the most user friendly. It allows me to rearrange things to fit my preferences, add it to multiple devices, and even backup and restore everything for when I change devices. You can also use Google Authenticator or LastPass Authenticator. To add 2FA to your WordPress website, you can use iThemes Security Pro (paid), which is what I use, or Two Factor.