Why Strong Usernames Matter for Your Online Security

• Protect Your Privacy: Using the same username across accounts can expose personal information and increase the risk of extortion and data theft.
• Reduce Breach Impact: Unique usernames, combined with strong passwords, minimize the chances of hackers accessing multiple accounts after a data breach.
• Enhance Security Hygiene: Tools like Apple's "Hide My Email" and 1Password's username generator help create randomized usernames, adding an extra layer of security.

Using "123456" for a password isn't the only mistake people make when creating login credentials, although this bit tends to get all the press due to the generally absurd choices made. What many people forget or overlook is the importance a unique username plays in keeping accounts secure.

Most security practitioners know to make passwords unique and complicated-if they haven't already abandoned them for passkeys and biometrics-but IT pros have another reminder for employees logging in: Ditch the used username, unless you want to supply prying hackers with persona-identifying clues.

Is having the same username across online profiles as big a risk as having the same password? Absolutely not. But is it a risk to privacy and data protection more generally?

Yes, it is.

There are two main threats related to usernames:

• Breaches. Once an attacker knows a username from a given site, they can comb through password-breach databases for the other important half of the credential. Then, they might find a different password that can be used. Stolen credentials played a leading role in 2023's data thefts; they were the initial step in 24% of breaches, according to Verizon's recently released Data Breach Investigations Report, which studied incidents between November 2022 and October 2023.
• Privacy. A repeated, revealing username deployed on early websites-maybe a MySpace page or a band forum-could potentially be used as extortion. Pieces of information tied to that username could still exist online, even if they have been long forgotten.

Pure extortion attacks, often defined as threats to leak stolen data (without encrypting it), increased over the past year. According to Verizon's data breach report, the tactic was featured in 9% of the breaches recorded.

Extortion losses in 2023, according to the FBI's Internet Crime Complaint Center (IC3), totaled $74,821,835. The extortion count in 2023 was 48,223 (up from 39,416 in 2022).

Some security professionals recommend protecting usernames by randomly inserting letters related to the service being signed into. The username is 50% of security-it should be unique, just like a password.

A form of separation between professional, social, personal, and other online personas is recommended-so access to one doesn't easily lead to access to all.

Vendors have offered mechanisms to keep usernames and email addresses randomized. Apple's "Hide My Email" feature, for example, allows users to generate random email addresses for services like iCloud, Apple Pay, and Safari. The password manager 1Password has its own username generator.

People with a strong and secure online presence tend to change their username and password on a regular basis. Making this a habit can add another layer of defense against cyber threats.

About the Author

Damian Archer is VP, Consulting & Professional Services Americas at Trustwave with over 15 years of experience in the security industry and holds the CREST Certified Infrastructure Tester (CCT INF) credential. Follow Damian on LinkedIn.

ABOUT TRUSTWAVE

Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience. Learn more about us.