
An IT credentials tip: Make the username unique, too

Make sure both halves of your credentials are unique, IT pros told IT Brew.

Makhbubakhon Ismatova/Getty Images


Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Most security practitioners know to make passwords unique and complicated—if they haven’t already abandoned them for passkeys and biometrics—but IT pros who spoke with IT Brew have another reminder for employees logging in: Ditch the reused username, unless you want to supply prying hackers with persona-identifying clues.

“Is having the same username across your online profiles as big a risk as having the same password? Absolutely not. Is it a risk to your privacy and data protection more generally? Yes, it is,” Damian Archer, VP of consulting and professional services, Americas, at Trustwave, told IT Brew.

Archer laid out two main threats related to usernames.

  • Breaches. Once an attacker knows a username from a given site, the actor, perhaps looking to build a dossier of info on a target, can comb through password-breach databases for the other important half of the credential. “Then, you might find a different password that you can use,” Archer said. Stolen credentials played a leading role in 2023’s data thefts; they were the initial step in 24% of breaches, according to Verizon’s recently released Data Breach Investigations Report, which studied incidents between November 2022 and October 2023.
  • Privacy. A repeated, revealing username deployed on early websites—maybe a MySpace page or a band forum—could potentially be used for extortion, according to Archer. “You can find pieces of information that might be tied to that user that they’ve completely forgotten about,” he told us.

Pure extortion attacks, often defined as threats to leak stolen data (without encrypting it), increased over the past year. According to Verizon’s data breach report, the tactic featured in 9% of the breaches the company recorded.

Extortion losses in 2023, according to the FBI’s Internet Crime Complaint Center (IC3), totaled $74,821,835. IC3 logged 48,223 extortion complaints in 2023 (up from 39,416 in 2022).

Pete Nicoletti, global CISO, Americas at Check Point Software Technologies (and a former white-hat hacker who’s found plenty of usernames and passwords over the course of his career), said he sometimes protects his usernames by randomly inserting the first letter of the service he’s signing into.

“The username is 50% of your security…It should be unique, and it should be as unique as your password.”

Archer recommends some form of separation between professional, social, personal, and, say, Twitch streaming personas—so access to one doesn’t easily lead to access to all.

Vendors have offered mechanisms to keep usernames and email addresses randomized. Apple’s “Hide My Email” feature, for example, allows users to generate random email addresses for services like iCloud, Apple Pay, and Safari. The password manager 1Password has its own username generator.
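The audit and generator below are an added example for this article, not code from IT Brew, Trustwave, Check Point, Apple or 1Password. It takes an inventory of (service, username) pairs (the constructed sample list stands in for a password-manager export), flags every username that shows up on more than one service, and proposes a fresh random username for each of those services. It goes one step past the article’s exact-match framing: it folds case and separators together, so “JDoe”, “j.doe” and “j_doe” are treated as the same reusable handle, since they are just as easy to correlate.

```python
"""Audit an account inventory for username reuse and mint per-service usernames.

Added example for this article; not code from IT Brew or any vendor it names.
Every account record below is constructed sample data.
"""
import re
import secrets
import string
from collections import defaultdict

# Constructed sample inventory: (service, username).
# A real audit would read this from a password-manager export.
SAMPLE_ACCOUNTS = [
    ("work-email", "jdoe"),
    ("band-forum-2006", "JDoe"),
    ("twitch", "j.doe"),
    ("cloud-console", "j_doe"),
    ("bank", "qk7v2m9x"),
    ("social", "hikingfan88"),
    ("photo-site", "hikingfan88"),
]


def normalize(username: str) -> str:
    """Collapse case and separators so 'JDoe', 'j.doe' and 'j_doe' land in one
    bucket. Near-identical handles correlate almost as easily as exact ones."""
    return re.sub(r"[^a-z0-9]", "", username.lower())


def find_reused_usernames(accounts):
    """Return {normalized_username: [services, ...]} for every username that
    appears on more than one service, preserving inventory order."""
    buckets = defaultdict(list)
    for service, username in accounts:
        buckets[normalize(username)].append(service)
    return {u: svcs for u, svcs in buckets.items() if len(svcs) > 1}


def generate_username(length: int = 12,
                      alphabet: str = string.ascii_lowercase + string.digits) -> str:
    """Mint a random username from the CSPRNG in `secrets`
    (the `random` module is not suitable for this)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def unique_per_service(accounts, length: int = 12):
    """Propose a replacement username for each service whose current username
    is reused; services with an already-unique username are left alone."""
    reused = find_reused_usernames(accounts)
    replacements = {}
    for service, username in accounts:
        if normalize(username) in reused:
            replacements[service] = generate_username(length)
    return replacements


if __name__ == "__main__":
    for username, services in find_reused_usernames(SAMPLE_ACCOUNTS).items():
        print(f"{username!r} reused across: {', '.join(services)}")
    for service, new_name in unique_per_service(SAMPLE_ACCOUNTS).items():
        print(f"{service}: propose {new_name}")
```

Run against the sample inventory, the audit reports two clusters (the four “jdoe” variants and the two “hikingfan88” accounts) and proposes six distinct replacements; the bank account, which already has a random handle, is untouched. The replacements belong in a password manager alongside the passwords, since a random username is only useful if you never have to remember it.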

“People who have a strong and secure online presence, they do tend to be the people who change their username and change their password on a regular basis,” Archer said.
