Is it a good idea to hide our Linux system usernames from posts and bug reports? Can a hacker use that information to their advantage?
Offline
I don't. I have never seen any attacks in my logs that are related to bug posts or my activities here.
I do, however, get a fair amount of "Fan email" as a result of my moderator activities.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
Sometimes it is the people no one can imagine anything of who do the things no one can imagine. -- Alan Turing
---
How to Ask Questions the Smart Way
Offline
I think that this is just entirely dependent on whether or not you want your username shared. That is, if your username is your real name and you wish to keep that out of the public eye, then yes, hide it.
My username is curtisshima on my machine, but typically (if I remember) I change it to 'wonderwoofy' in posts just to create consistency (and potentially reduce confusion… maybe).
Offline
Let's look at this logically. There are two things someone needs to access your system, obviously being username and password. Depending on the relative strength of your password, knowing the username could reduce the attack surface by a bit. But given usernames are generally designed to identify the person in a predictable way, it is not going to reduce the attack surface by much. Unless your username is deliberately obscure...
Offline
To expand on Allan's point: this supposes that (a) the would-be attacker has
physical access to your machine, which means (unless you have an encrypted drive
and—depending upon the sophistication and intent of the attacker—your machine is
powered up) then it is game over anyway. Or, (b) that you aren't using
public/private keys for remote login, in which case you have it coming…
Offline
Head over to every site on which you have a user account, and block out your username from every profile. Take care to do the same in every forum post or bug report. Then watch as an attacker just types "root" into your system's log-in prompt. As Allan implied, if a person's username is sufficient information to gain access to a system, there's no security on that system to speak of; a sufficiently strong pass(-word/-phrase) is uncrackable. The same applies to those online accounts themselves.
Offline
No special privilege is needed to run `who` to see the username of every other user logged in on a machine. So even without your username, if one was in a position to use your username, it would be trivial to get it anyways.
"UNIX is simple and coherent" - Dennis Ritchie; "GNU's Not Unix" - Richard Stallman
Online
I suppose it would if you used your social of such systems outside the US as your user name. Even a real name is not telling much in that there are probably a lot of people with both first and last name; of course, if it includes a business or corporation or with address, that may be different.
For the sake of this site it probably does not matter much.
Offline
This reminds me of the time, on another forum, when someone insisted that they be allowed to change their username because it included their birthdate, and everyone knows that if someone on the internet knows your birthdate, they can stalk you in real life!
Incidentally, my forum username is my Arch username, and also my real name. If you want to log into my home machine, you'll need one of three keys (and their associated passphrase) that are allowed access, and/or an exploit to bypass that security measure. Even if you do have one of the keys, you'll need to know the name of the only unprivileged username that I've set the ssh server to allow access for. From there, you'll need to guess my root password. Then, if you get that far, please stop. I'll buy you something shiny?
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
Online
Everyone is assuming the OP has any internet-facing service that accepts his username for login, but the OP didn't say anything about that.
R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
Offline
Well, one reason I've seen given to not permit remote login by root is that the username is predictable. This strikes me as rather weak security-wise since there are so many other excellent reasons not to allow root to log in remotely and, as has been indicated, prohibiting username/password authentication altogether is many times more secure. But I suppose it is nonetheless *some* reason not to release your username *if* you allow username/password authentication remotely.
I tend to erase mine for rather weak privacy reasons but if I were really bothered, I would need to take a rather different approach. (I'm not really bothered, so I don't. Yet I still block it. Go figure.) For example, I wouldn't be using cfr as a username here.
Last edited by cfr (2013-10-05 21:37:47)
CLI Paste | How To Ask Questions
Arch Linux | x86_64 | GPT | EFI boot | refind | stub loader | systemd | LVM2 on LUKS
Lenovo x270 | Intel(R) Core(TM) i5-7200U CPU @ 2.50GHz | Intel Wireless 8265/8275 | US keyboard w/ Euro | 512G NVMe INTEL SSDPEKKF512G7L
Offline
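An added example, not code from any poster in this thread: a small audit of `sshd_config` text for the settings the posts above describe (key-only login, no remote root, a single allowed account), which are the conditions under which a published username stops mattering for SSH. The sample configurations and the account name `alice` are constructed; Include files and Match blocks are deliberately not evaluated.

```python
# Added example: audit sshd_config text for the settings the posts describe.
# Assumptions: Include files are not followed; parsing stops at the first
# Match block, so only global settings are evaluated.

# OpenSSH defaults applied when a keyword is absent from the file.
DEFAULTS = {"passwordauthentication": "yes",
            "kbdinteractiveauthentication": "yes",
            "permitrootlogin": "prohibit-password"}
# Older name for the same option.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}

def parse_global(text):
    """Return (settings, allow_users). sshd keeps the first value per keyword;
    AllowUsers is the exception and accumulates across lines."""
    settings, allow_users = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()            # keywords are case-insensitive
        keyword = ALIASES.get(keyword, keyword)
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        if keyword == "allowusers":
            allow_users += value.split()
        else:
            settings.setdefault(keyword, value)   # first occurrence wins
    return settings, allow_users

def audit(text):
    """List settings under which a known username helps a remote guesser."""
    settings, allow_users = parse_global(text)
    effective = {**DEFAULTS, **settings}
    findings = []
    if effective["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes")
    if effective["kbdinteractiveauthentication"] == "yes":   # PAM password prompts
        findings.append("KbdInteractiveAuthentication yes")
    if effective["permitrootlogin"] == "yes":                # 'root' is predictable
        findings.append("PermitRootLogin yes")
    if not allow_users:
        findings.append("AllowUsers not set")
    return findings

# Constructed sample configurations ("alice" is a placeholder account name).
WEAK = "PermitRootLogin yes\nPasswordAuthentication yes\n"
HARDENED = ("# key-only login for one unprivileged account\n"
            "PermitRootLogin no\nPasswordAuthentication no\n"
            "KbdInteractiveAuthentication no\nAllowUsers alice\n"
            "PasswordAuthentication yes\n")   # ignored: keyword already set above
```

On a live host, `sshd -T` prints the effective configuration, including Include files, and is the authoritative check.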