Another Reason to Like Password Managers: Use Different Logon Names
You can reduce cybersecurity risk by using drastically different logon names
I’m a big fan of password managers and think everyone should use them despite the single-point-of-failure security risks: https://www.dhirubhai.net/pulse/password-managers-can-hacked-lots-ways-yes-you-should-roger-grimes.
The number one reason to use them is that they let users easily create and use strong, distinct passwords across different sites and services. This significantly reduces the risk of password guessing and password hash cracking attacks. For that alone, you and everyone else should be using password managers, at least until a bigger offsetting risk appears or we finally move to something better than passwords for most logons.
According to conventional cybersecurity authentication policy, logon names aren’t secrets. Anyone can know them. The secret part is the password. Only you and the authentication system are supposed to know your passwords.
But this doesn’t mean that having different logon names can’t help prevent some additional hacking. I’m not standing out on a limb alone here. It’s the same reason why Microsoft and other companies recommend renaming the default Administrator account from Administrator to something else. A hacker can’t easily begin to crack or guess an Administrator’s password, or use it once obtained, unless they know the account’s (logon) name. The same goes for any logon you use.
The better question to ask is: why do most of us use the same logon name at most of the places where we log on? If using a different logon name is good for Administrator, why not for everyone’s accounts?
When an attacker comes to a logon portal, they have to provide both the potential victim’s logon name and password. If they can’t supply the logon name to begin the guessing attack, their unauthorized logon attempt will fail, or at least be made harder. If an attacker gets your password hash, they can’t reuse it, or the password they crack from it, unless they also have your correct logon account name.
Yes, there are many ways an attacker can obtain both your logon name and your password/hash at the same time (as happens all the time) or at a later date, but having your logon name is essential to begin any password attack. Your password alone gives the attacker nothing to go on.
Using different logon names for different sites and services clearly reduces cybersecurity risk. I don’t think anyone would argue that point.
But most of us don’t want to remember different logon names any more than we want to remember different passwords. It would be as big of a pain as having to remember different passwords. I get it! But it’s not a pain if you don’t have to remember your logon name and password. Let your password manager do the hard work for you.
One of the reasons why using different logon names decreases cybersecurity risk is that it offsets the very real risk of using the same password or password pattern (e.g., frogFB, frogTW, frogAD, etc.) across multiple unrelated sites or services. Hackers frequently obtain a user’s logon name and password from one compromised site or service and then use them to try to access other sites and services with the same logon name and password. This is entirely the reason why every password policy guide recommends using different passwords on different sites and services, a recommendation most people without a password manager have a hard time following.
Password managers allow you to create and use a different, strong password on every site and service without your having to do anything other than use the password manager to fill in (or copy and paste) the password.
Well, password managers can do the same for your logon names!
Consider creating drastically different logon names for your various sites and services, just as you hopefully already do for your passwords, and let a password manager do all the remembering and filling in. None of the password managers I’m aware of create unique logon names, so that part would be up to you. Perhaps you could use the password manager’s password generation function to create logon names? And many sites and services expect or require that you use your real email address. But on highly sensitive sites and services (say banking, cryptocurrency, etc.), consider using a random logon name that differs from the one you use anywhere else.
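The two ideas above, spotting reused logon names and password patterns like frogFB/frogTW, and using a password-style generator to mint a fresh logon name for sensitive sites, can be turned into a small audit of your own vault. The script below is an added example, not code from the article or from any password manager. It assumes a simple name,url,username,password CSV export (the sample rows are constructed and contain no real credentials; real managers use their own column layouts) and treats the `sensitive` tuple as the user's own choice of accounts.

```python
"""Audit a password-manager CSV export for reused logon names and password
patterns, and generate random per-site logon names.

Added example. Assumes a name,url,username,password export; the rows below
are constructed sample data, not real credentials.
"""
import csv
import io
import secrets
import string
from collections import defaultdict
from itertools import combinations
from os.path import commonprefix

# Constructed sample export: one logon name shared by four sites and a
# frogXX-style password pattern on three of them.
SAMPLE_EXPORT = """name,url,username,password
Bank,https://bank.example,jdoe@example.com,frogBK
Crypto,https://crypto.example,jdoe@example.com,frogCR
Forum,https://forum.example,jdoe@example.com,frogFM
Shop,https://shop.example,jdoe@example.com,W7kq-Lm2-pX9v
Mail,https://mail.example,jdoe,t4Gz-Qn8b-Rw1s
"""


def parse_export(csv_text):
    """Parse a name,url,username,password CSV into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def find_reused_logon_names(entries):
    """Map each logon name used on more than one site to the sites sharing it."""
    sites_by_name = defaultdict(list)
    for row in entries:
        sites_by_name[row["username"].strip().lower()].append(row["name"])
    return {name: sites for name, sites in sites_by_name.items() if len(sites) > 1}


def find_password_patterns(entries, min_shared=4):
    """Flag site pairs whose passwords are identical or share a prefix or
    suffix of at least min_shared characters (the frogFB/frogTW pattern)."""
    findings = []
    for a, b in combinations(entries, 2):
        pa, pb = a["password"], b["password"]
        if pa == pb:
            findings.append((a["name"], b["name"], "identical"))
            continue
        prefix = commonprefix([pa, pb])
        suffix = commonprefix([pa[::-1], pb[::-1]])[::-1]
        if len(prefix) >= min_shared:
            findings.append((a["name"], b["name"], "shared prefix " + prefix))
        elif len(suffix) >= min_shared:
            findings.append((a["name"], b["name"], "shared suffix " + suffix))
    return findings


def generate_logon_name(length=12):
    """Random logon name built the way a password generator would, using the
    secrets module: a letter first (many sites require it), then lowercase
    letters and digits."""
    if length < 2:
        raise ValueError("length must be at least 2")
    alphabet = string.ascii_lowercase + string.digits
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(alphabet) for _ in range(length - 1))
    return first + rest


def audit(csv_text, sensitive=("Bank", "Crypto")):
    """Run both checks and suggest a fresh logon name for every sensitive site
    whose current logon name is shared with any other site."""
    entries = parse_export(csv_text)
    reused = find_reused_logon_names(entries)
    suggestions = {}
    for row in entries:
        if row["name"] in sensitive and row["username"].strip().lower() in reused:
            suggestions[row["name"]] = generate_logon_name()
    return {
        "reused_logon_names": reused,
        "password_patterns": find_password_patterns(entries),
        "suggested_logon_names": suggestions,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for name, sites in report["reused_logon_names"].items():
        print(f"logon name {name!r} reused on: {', '.join(sites)}")
    for site_a, site_b, why in report["password_patterns"]:
        print(f"password pattern between {site_a} and {site_b}: {why}")
    for site, new_name in report["suggested_logon_names"].items():
        print(f"suggested new logon name for {site}: {new_name}")
```

On the sample data the audit reports one logon name shared by four sites and three pairs with the shared "frog" prefix, and proposes a random replacement name for the two accounts marked sensitive. The suggested names are only as useful as the note you keep beside them in the vault, so record the new name in the same entry as the password before changing it on the site.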
The world is full of stories where passwords previously stolen from unrelated sites were then used to compromise the user’s other web accounts. Heck, that recently happened to Norton Lifelock users who also used Norton’s Password Manager (https://www.pcmag.com/news/hackers-target-norton-password-manager-access-8000-user-accounts). Hackers, using passwords obtained from another, unrelated password dump, were able to compromise 8000 Norton Password Manager accounts. Setting aside the natural admonishment that those users definitely should not have been using the same password for their password manager as they used on other sites, if they had been using different logon names the attack would probably have failed on their accounts.
So new Thought for the Day: Consider using different logon names on every site and service, or at least your most sensitive accounts. Making a hacker guess at your logon name can reduce your personal cybersecurity risk.
Yup, if one uses a pw manager, generating unique, random usernames is a great step up. It's one of the many useful things I learned from Michael Bazzell and his Privacy, Security, and OSINT podcast over the years. If emails are required in place of a username, a service like SimpleLogin can help with that.