Usernames as a Security Measure

I was recently a guest alongside my co-author, Michael Bazzell, on the Social-Engineer podcast (the episode will be available tomorrow).  We discussed social engineering for security and privacy reasons.  Since being on the show I have thought more about social engineering than at any time since I attended Chris Hadnagy’s SE course back in 2013. One realization I’ve had is that social engineering attacks commonly begin with a starting point.  An email address to which the attacker can send phishing emails.  A phone number she can use to hack your cell account.  A username she can use to call customer service and request access.  Along this line of thought, it has also occurred to me that it is never a bad time to restress the importance of usernames as a security measure.

Passwords get a lot of flak.  The password is broken/the password is dead/kill the password they all say.  I agree that there are serious problems with the password, the chief of which is that people simply don’t use good ones.  Through the history of passwords we have collectively failed to internalize what makes a good password.  Even if you are using excellent passwords, using a predictable username makes you vulnerable.  If your username is easily available or guessable, your account can be found, and the attacker has a place to begin working.  Amazon.com provided an excellent example of this type of breach early this year.  And so it begins with so many attacks.  Customer service reps are trained to resolve issues for customers – not to keep hackers out – so they err on the side of helpfulness.  Soon enough your account has been compromised.

USERNAMES AS A SECURITY MEASURE

Having unique usernames is an excellent defense against this type of attack.  Many online accounts allow you to assign a username of your choosing.  This is ideal.  Let’s assume that an attacker is trying to get into one of my accounts.  He or she will likely begin by testing a username.  If my username is jcarroll he or she will find it relatively quickly.  If it is B7X3333O0H1NAD27U an attacker could search for months with no success.  Additionally, if my username is spilled in a breach, it will not be immediately obvious that “B7X3333O0H1NAD27U” belongs to me.

Unfortunately, many websites will not allow you to use a randomly-generated username.  The typical resistance to this is that you would need multiple email accounts.  Fortunately, many solutions exist to solve this problem.  My favorite is Blur.  Blur allows you to generate pseudorandom email addresses.  These are called “masked email addresses”.  Each of these is unique, but all forward to your real email account.  An example of a Blur email address is 3d5edaf3@opayq.com.  Unfortunately the “opayq.com” domain will identify your account as that of a Blur user, but there are thousands of users of this service.

There are some other really cool features and benefits to Blur.  Though by default all emails will forward to a single account, you may add additional “real” email accounts.  This allows you to forward each Blur masked email to a different email account if you wish.  You can also turn off forwarding if you no longer wish to receive email from a particular address.  If you are completely finished with a Blur address you may delete it permanently.  Basic Blur accounts are free.

Like unique passwords, unique usernames also protect your other accounts.  If one account is breached, an attacker will not know any usernames for other accounts.  This model is not impenetrable.  An attacker could still call and, using your name, claim to have forgotten the username.  It is doubtful that you can ever make your accounts totally secure.  However, you can take the time to make them as secure as possible.  Starting with unique, unpredictable usernames as a security measure is an excellent way to do so.
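The two checks argued for above (no username shared between accounts, none derived from your name) can be run against your own account list. The script below is an added example, not code from this article or from Blur; the site names, the `audit` and `random_username` helpers and the name token "carroll" are assumptions made for illustration.

```python
import math
import secrets
import string

# Same character set and length as the article's sample string (an assumption
# about format only; the article does not say how that string was produced).
ALPHABET = string.ascii_uppercase + string.digits


def random_username(length=17):
    """Draw each character from the OS CSPRNG so the result is not guessable."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Search space, in bits, when every character is chosen uniformly."""
    return length * math.log2(alphabet_size)


def audit(accounts, name_tokens):
    """Return {site: [findings]} for usernames that are reused or name-derived.

    accounts: {site: username}; name_tokens: parts of the owner's real name.
    """
    seen = {}
    for site, user in accounts.items():
        seen.setdefault(user.lower(), []).append(site)
    findings = {}
    for site, user in accounts.items():
        issues = []
        others = [s for s in seen[user.lower()] if s != site]
        if others:
            issues.append("reused on " + ", ".join(sorted(others)))
        if any(tok.lower() in user.lower() for tok in name_tokens):
            issues.append("contains part of owner's name")
        if issues:
            findings[site] = issues
    return findings


# Constructed sample inventory (not real accounts).
SAMPLE = {
    "shop.example": "jcarroll",
    "bank.example": "jcarroll",
    "forum.example": "B7X3333O0H1NAD27U",
}

if __name__ == "__main__":
    for site, issues in audit(SAMPLE, ["carroll"]).items():
        print(site, "->", "; ".join(issues))
    print(random_username(), f"~{entropy_bits(17):.0f} bits")
```

Store each generated username in your password manager next to the password for that account, since neither is meant to be memorized.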
