Is revealing a PC account user name bad?
Typical computers with modern operating systems require log-on accounts with a user name and a password. Is it dangerous to reveal the user name of the log-on account to the public?
My research:
I have found these articles on Information Security Stack Exchange:
- Should usernames be kept secret?
- How bad is exposing valid user names?
- Forgot password and revealing whether account exists
Googling typically gets me back to the first two of these articles.
These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.
This question pertains to a computer, not a website. The computer may be "hidden" behind a NAT router and theoretically (hopefully?) not directly accessible from the internet. Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there are some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
The background:
I help on the Virtualbox forums (forums.virtualbox.org). When folks ask for help with their Virtualbox guests, we usually need a log file from the run of the VB guest where the problem was noticed. These log files contain paths to the files on the host PC that are used by the guest, and these files default to being stored in the user's home path:
- Windows: C:\Users\{username}\...
- Linux: /home/{username}/...
The logs therefore reveal the account user name to anyone who may download the log file. And everyone, including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.
Are they right? Is revealing the PC account user name bad?
account-security internet user-names
asked 10 hours ago by Triplefault
I should clarify that there have been problems with Virtualbox when the username of the account or another folder in the file paths has Unicode/UTF-8 characters (not just plain ASCII) or periods. Eventually the developers fix issues, but they crop up. So we tend to insist on unobfuscated logs. And we get a bit of pushback at times from the obfuscators.
– Triplefault
9 hours ago
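As an added example (not part of the original question or of the VirtualBox project), a small Python scrubber for the situation described above: it replaces the home-directory username in VBox.log-style paths with a placeholder, but reports the traits the forum helpers say they need (non-ASCII characters, periods) so the log stays useful. The log lines and usernames are constructed for this example, not taken from a real log.

```python
from __future__ import annotations

import re

# Constructed sample lines in the style of a VirtualBox VBox.log. The
# timestamps, paths and usernames are invented for this example.
SAMPLE_LOG = """\
00:00:00.123456 Log opened 2019-08-25T12:00:00.000000000Z
00:00:00.223456 Storage: VMDK image at 'C:\\Users\\jo.smith\\VirtualBox VMs\\ubuntu\\ubuntu.vmdk'
00:00:00.323456 Shared folder 'src' at 'C:\\Users\\jo.smith\\Documents\\src'
00:00:00.423456 Extension pack dir '/home/élodie/.config/VirtualBox/ExtensionPacks'
00:00:00.523456 Snapshot at '/home/élodie/VirtualBox VMs/ubuntu/Snapshots/x.vdi'
"""

# Matches the home-directory component on Windows (C:\Users\<name>\) and on
# Linux (/home/<name>/); the name is captured up to the next path separator.
_HOME_RE = re.compile(r"(?P<prefix>[A-Za-z]:\\Users\\|/home/)(?P<user>[^\\/]+)")


def username_traits(name: str) -> dict:
    """Properties of a username that matter for VirtualBox troubleshooting
    (non-ASCII characters and periods in the path have caused bugs, per the
    comment above), reported without revealing the name itself."""
    return {
        "length": len(name),
        "ascii_only": name.isascii(),
        "has_period": "." in name,
        "has_space": " " in name,
    }


def scrub_log(text: str, placeholder: str = "USER") -> tuple[str, dict]:
    """Replace every home-directory username with a numbered placeholder and
    return the scrubbed text plus the traits of each distinct username.

    Distinct usernames get distinct placeholders (USER1, USER2, ...) so a log
    that refers to two accounts still shows that they differ."""
    seen: dict[str, str] = {}
    traits: dict[str, dict] = {}

    def repl(m: re.Match) -> str:
        user = m.group("user")
        if user not in seen:
            seen[user] = f"{placeholder}{len(seen) + 1}"
            traits[seen[user]] = username_traits(user)
        return m.group("prefix") + seen[user]

    return _HOME_RE.sub(repl, text), traits


if __name__ == "__main__":
    scrubbed, traits = scrub_log(SAMPLE_LOG)
    print(scrubbed)
    for tag, info in traits.items():
        print(tag, info)
```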
3 Answers
I guess no. Why? Because if you secure your environment in such a way that it can eliminate brute-force attacks, dictionary attacks or any other attack that is trying to force the login, then exposing usernames won't do anything to it; thereafter you can limit the attempts in your LSP. If you look more into the psych of a possible attack, they can generate strings that are based on your username (for example, if the username is am123, they can put ham123 or aM93 in their dict list).
Should I keep my username of roastedbeans.ru secret? Yeah, you should, because it's not your environment; you do not manage it. Therefore you do not know if it is secure at all.
Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct?
– Triplefault
9 hours ago
Right, if we talk just about usernames like Jack or Angelina (because revealing your whole name may result in other things).
– tungsten
9 hours ago
> Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
In this statement you assume that an attacker is specifically targeting you. This is often not the case; it is more about having an opportunity.
Specific tooling and/or scripts that are executed from an attacker's machine will scan the internet for common vulnerabilities in order to gain access to any (random) machine.
Sometimes the tools are a lot simpler and only try to guess usernames and passwords by attacking TCP/22 (SSH), for example.
> The logs therefore reveal the account user name to anyone who may download the log file.
The thing with log files is that not just anyone should be able to download them. Only a select number of people should be able to access these logs. If anyone with an account on the system has access to this log file, the file permissions are set too loose (world readable).
In a corporate environment log files should not be stored locally but transmitted to a syslog server. Only a limited set of users should have access to this syslog server.
Additionally, auditing on the system (these logs should also be written to a syslog server) should record anyone who accesses these files, for traceability.
> And everyone, including non-authenticated visitors, can download log files.
If this is really the case, this is a major design flaw. I would not be too worried about revealing a username (as mentioned above) but rather worry about this. Log files should never be (directly) accessible over the internet, especially to unauthenticated users.
> Is revealing a PC account user name bad?
In my opinion exposing a username on an operating system is not necessarily a bad thing as long as a strong password policy is in place. This means a minimum of at least twelve characters, using upper- and lowercase characters, special characters and digits. Additionally, this policy should also trigger an action if X failed attempts are made from a specific IP address (e.g. blocking the IP for Y amount of time).
Another, more pressing issue I see here is something we call "Internal Path Disclosure". Exposing internal paths to an attacker could be very useful combined with other types of attacks, such as local file inclusion or SQL injection, in the case of a web application that is also exposed to the internet.
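An added example, written for this page and not by the answer's author, of the lockout policy described in the last paragraphs: count failed SSH password attempts per source IP over auth.log-style lines and block an IP for Y minutes once X failures fall within a sliding window. The log lines, hostname, PIDs and addresses (IPv4 documentation ranges) are constructed, and the missing syslog year is assumed.

```python
from __future__ import annotations

import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in auth.log/syslog format. Hostname, PIDs and the
# addresses (203.0.113.0/24 and 198.51.100.0/24) are invented for this example.
SAMPLE_AUTH_LOG = """\
Aug 25 12:00:01 host sshd[1001]: Failed password for invalid user admin from 203.0.113.10 port 51234 ssh2
Aug 25 12:00:03 host sshd[1002]: Failed password for invalid user oracle from 203.0.113.10 port 51235 ssh2
Aug 25 12:00:04 host sshd[1003]: Failed password for root from 203.0.113.10 port 51236 ssh2
Aug 25 12:00:06 host sshd[1004]: Failed password for invalid user test from 203.0.113.10 port 51237 ssh2
Aug 25 12:00:09 host sshd[1005]: Failed password for invalid user pi from 203.0.113.10 port 51238 ssh2
Aug 25 12:00:30 host sshd[1006]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Aug 25 12:00:45 host sshd[1007]: Accepted publickey for alice from 198.51.100.7 port 40001 ssh2
Aug 25 12:20:00 host sshd[1008]: Failed password for invalid user admin from 203.0.113.10 port 51239 ssh2
"""

# Only failed password attempts count. The optional "invalid user " prefix is
# what sshd logs when the account does not exist on the host.
_FAIL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) "
)


def _parse_ts(ts: str, year: int = 2019) -> datetime:
    """syslog timestamps carry no year; one is assumed for the constructed data."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def lockout_decisions(
    log_text: str,
    max_failures: int = 5,                          # "X" failed attempts
    window: timedelta = timedelta(minutes=10),      # counted within this window
    block_for: timedelta = timedelta(minutes=15),   # "Y" amount of time
) -> list[tuple[str, str, str]]:
    """Replay the log and return (ip, blocked_at, blocked_until) decisions
    with ISO-8601 timestamps.

    A sliding window of recent failures is kept per source IP. When the
    window holds max_failures entries the IP is blocked for block_for, and
    further failures from it are ignored until the block expires."""
    recent: dict[str, deque[datetime]] = defaultdict(deque)
    blocked_until: dict[str, datetime] = {}
    decisions: list[tuple[str, str, str]] = []

    for line in log_text.splitlines():
        m = _FAIL_RE.match(line)
        if not m:
            continue  # successful logins and unrelated lines do not count
        ip, ts = m.group("ip"), _parse_ts(m.group("ts"))
        if ip in blocked_until and ts < blocked_until[ip]:
            continue  # still blocked: a firewall rule would drop this anyway
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures older than the window
        if len(q) >= max_failures:
            until = ts + block_for
            blocked_until[ip] = until
            decisions.append((ip, ts.isoformat(), until.isoformat()))
            q.clear()  # a fresh window starts once the block expires
    return decisions


if __name__ == "__main__":
    for ip, at, until in lockout_decisions(SAMPLE_AUTH_LOG):
        print(f"block {ip} from {at} until {until}")
```

The single legitimate failure from 198.51.100.7 never reaches the threshold, while the scanner at 203.0.113.10 is blocked on its fifth attempt and its later retry starts a new window.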
> Is revealing a PC account user name bad?
In short, NO. Why?
- Well, for starters, your PC username is not information that is unique to you. A lot of people in the world can have the same Windows username.
- Since it's not unique to a person like an email address, where two people can't have the same email address, an attacker can't gain much information or even tell with any degree of certainty that the username belongs to you and you alone.
- Sure, if that username of yours is your name itself, the attacker might use that knowledge to further OSINT you, but that's just about it.
> Googling typically gets me back to the first two of these articles.
> These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.
That is because a username on a website is unique, and furthermore in a brute-force attack two pieces of information are needed. An attacker could (if the website allows) try a combination of passwords since he already knows that the username is valid.
> Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
The assumption that you make here is wrong. Never think that by hiding an IP address you might be "secure". The concept of defence in depth has to be applied here. The internet is being scanned for vulnerabilities as you read this answer.
> The logs therefore reveal the account user name to anyone who may download the log file. And everyone including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.
In my opinion there is nothing insecure here. Plus, you already say half of the people fake the names. There is nothing substantial to gain here for an attacker except maybe a bit of information about the person, but THAT'S ALL!
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "162"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Triplefault is a new contributor. Be nice, and check out our Code of Conduct.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f216276%2fis-revealing-a-pc-account-user-name-bad%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
3 Answers
3
active
oldest
votes
3 Answers
3
active
oldest
votes
active
oldest
votes
active
oldest
votes
I guess no. Why? Because if you secure your environment in such way that it can eliminate bruteforce attacks/dictionary attacks or any other attack that is trying to force the login, then exposing usernames won't do anything to it, thereafter you can limit the attempts in your LSP. If you look more into the psych of a possible attack, they can generate strings that are based on your username for example username is am123
, they can put ham123
or aM93
in their dict list).
Should i keep my username of roastedbeans.ru secret? Yeah you should because it's not your environment, you do not manage it. Therefore you do not know if it is secure at all.
Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct?
– Triplefault
9 hours ago
Right, If we talk just about usernames like Jack or Angelina. (because revealing your whole name may result in other things)
– tungsten
9 hours ago
add a comment |
I guess no. Why? Because if you secure your environment in such way that it can eliminate bruteforce attacks/dictionary attacks or any other attack that is trying to force the login, then exposing usernames won't do anything to it, thereafter you can limit the attempts in your LSP. If you look more into the psych of a possible attack, they can generate strings that are based on your username for example username is am123
, they can put ham123
or aM93
in their dict list).
Should i keep my username of roastedbeans.ru secret? Yeah you should because it's not your environment, you do not manage it. Therefore you do not know if it is secure at all.
Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct?
– Triplefault
9 hours ago
Right, If we talk just about usernames like Jack or Angelina. (because revealing your whole name may result in other things)
– tungsten
9 hours ago
add a comment |
I guess no. Why? Because if you secure your environment in such way that it can eliminate bruteforce attacks/dictionary attacks or any other attack that is trying to force the login, then exposing usernames won't do anything to it, thereafter you can limit the attempts in your LSP. If you look more into the psych of a possible attack, they can generate strings that are based on your username for example username is am123
, they can put ham123
or aM93
in their dict list).
Should i keep my username of roastedbeans.ru secret? Yeah you should because it's not your environment, you do not manage it. Therefore you do not know if it is secure at all.
I guess no. Why? Because if you secure your environment in such way that it can eliminate bruteforce attacks/dictionary attacks or any other attack that is trying to force the login, then exposing usernames won't do anything to it, thereafter you can limit the attempts in your LSP. If you look more into the psych of a possible attack, they can generate strings that are based on your username for example username is am123
, they can put ham123
or aM93
in their dict list).
Should i keep my username of roastedbeans.ru secret? Yeah you should because it's not your environment, you do not manage it. Therefore you do not know if it is secure at all.
answered 9 hours ago
tungstentungsten
1601 gold badge2 silver badges15 bronze badges
1601 gold badge2 silver badges15 bronze badges
Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct?
– Triplefault
9 hours ago
Right, If we talk just about usernames like Jack or Angelina. (because revealing your whole name may result in other things)
– tungsten
9 hours ago
add a comment |
Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct?
– Triplefault
9 hours ago
Right, If we talk just about usernames like Jack or Angelina. (because revealing your whole name may result in other things)
– tungsten
9 hours ago
Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct?
– Triplefault
9 hours ago
Thanks, tungsten! Pardon if I ask for a clarification: You mention: "if you secure your environment ... exposing usernames won't do anything to it". Then later: "Should i keep my username ... secret? Yeah". It sounds like you would not allow your PC username to be revealed on a forum, but it wouldn't be a problem if the computer was secured. Is that correct?
– Triplefault
9 hours ago
Right, If we talk just about usernames like Jack or Angelina. (because revealing your whole name may result in other things)
– tungsten
9 hours ago
Right, If we talk just about usernames like Jack or Angelina. (because revealing your whole name may result in other things)
– tungsten
9 hours ago
add a comment |
Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
In this statement you assume that an attacker is specifically targeting you. This is often not the case, it is more about having an opportunity.
Specific tooling and/or script that are executed from an attacker's machine will scan the internet for common vulnerabilities in order to gain access to any (random) machine.
Sometimes the tools are a lot more simple and only try to guess usernames and passwords by attacking TCP/22 (SSH) for example.
The logs therefore reveal the account user name to anyone who may
download the log file.
The thing with log files is that not anyone should be able to download it. Only a select amount of people should be able to access these logs. In case anyone with an account on the system has access to this log file, the file permissions are set too lose (world readable).
In a corporate environment log files should not be stored locally but transmitted to a syslog server. Limited users should have access to this syslog server.
Additionally, auditing the system (the logs should also be written to a syslog server) should log anyone that access these files for trace-ability.
And everyone including non-authenticated visitors, can download log
files.
If this is really the case, this is a major design flaw. I would not be too worried about revealing a username (as mentioned above) but rather worry about this. Log files should never be (directly) accessible over the internet, especially unauthenticated users.
Is revealing a PC account user name bad?
In my opinion exposing a username on an operating system is not necessarily a bad thing as long as a strong password policy is in place. This means a minimum of at least twelve characters, using upper and lowercase characters, specials characters and digits. Additionally, this policy should also trigger an action if X amount of failed attempts are made from a specific IP address (e.g. blocking the IP for Y amount of time)
Another more pressing issue I see here is something we call "Internal Path Disclosure" . Exposing internal paths to an attacker could be very useful combined with other type of attacks such as local file inclusions or SQL injections in case of a web application that is also exposed to the internet.
add a comment |
Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
In this statement you assume that an attacker is specifically targeting you. This is often not the case, it is more about having an opportunity.
Specific tooling and/or script that are executed from an attacker's machine will scan the internet for common vulnerabilities in order to gain access to any (random) machine.
Sometimes the tools are a lot more simple and only try to guess usernames and passwords by attacking TCP/22 (SSH) for example.
The logs therefore reveal the account user name to anyone who may
download the log file.
The thing with log files is that not anyone should be able to download it. Only a select amount of people should be able to access these logs. In case anyone with an account on the system has access to this log file, the file permissions are set too lose (world readable).
In a corporate environment log files should not be stored locally but transmitted to a syslog server. Limited users should have access to this syslog server.
Additionally, auditing the system (the logs should also be written to a syslog server) should log anyone that access these files for trace-ability.
And everyone including non-authenticated visitors, can download log
files.
If this is really the case, this is a major design flaw. I would not be too worried about revealing a username (as mentioned above) but rather worry about this. Log files should never be (directly) accessible over the internet, especially unauthenticated users.
Is revealing a PC account user name bad?
In my opinion exposing a username on an operating system is not necessarily a bad thing as long as a strong password policy is in place. This means a minimum of at least twelve characters, using upper and lowercase characters, specials characters and digits. Additionally, this policy should also trigger an action if X amount of failed attempts are made from a specific IP address (e.g. blocking the IP for Y amount of time)
Another more pressing issue I see here is something we call "Internal Path Disclosure" . Exposing internal paths to an attacker could be very useful combined with other type of attacks such as local file inclusions or SQL injections in case of a web application that is also exposed to the internet.
answered 7 hours ago
Jeroen - IT Nerdbox
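The three controls this answer recommends (log files that are not world readable, a twelve-character mixed-class password policy, and blocking an IP for Y seconds after X failed attempts) as small checkable functions. This is an added example, not code from the answer above or from any project; the thresholds, the sample IP address and the sample passwords are assumptions chosen for illustration.

```python
"""Added example (not from the Stack Exchange answer): the three controls the
answer recommends, written as small functions that can be unit tested.

  * a world-readable check on a log file's permission bits,
  * a minimal password policy (12+ chars, upper, lower, digit, special),
  * an X-failures-in-a-window, block-for-Y-seconds lockout keyed by source IP.

Thresholds, sample IPs and sample passwords are assumptions for illustration.
"""
import os
import stat
import string
from collections import defaultdict, deque

# --- log file permissions ---------------------------------------------------

def is_world_readable(mode: int) -> bool:
    """True if the 'other' read bit is set, e.g. 0o644 (world readable)."""
    return bool(mode & stat.S_IROTH)


def log_file_is_world_readable(path: str) -> bool:
    """stat() a real path; for running the check against a live log file."""
    return is_world_readable(os.stat(path).st_mode)


# --- password policy --------------------------------------------------------

MIN_LENGTH = 12  # the answer's "at least twelve characters"

def password_meets_policy(pw: str) -> bool:
    """Length plus one character from each of the four classes the answer names."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


# --- per-IP lockout ---------------------------------------------------------

class IpLockout:
    """Block a source IP for `block_seconds` once it has produced
    `max_failures` failed attempts inside `window_seconds`.  The caller
    passes timestamps in, so the logic is deterministic and testable."""

    def __init__(self, max_failures=5, window_seconds=300, block_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.block = block_seconds
        self._failures = defaultdict(deque)  # ip -> timestamps of failures
        self._blocked_until = {}             # ip -> time the block expires

    def is_blocked(self, ip: str, now: float) -> bool:
        until = self._blocked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[ip]      # block expired, forget it
            return False
        return True

    def record_failure(self, ip: str, now: float) -> bool:
        """Register a failed login; returns True if this failure triggers a block."""
        q = self._failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:
            q.popleft()                      # drop failures outside the window
        if len(q) >= self.max_failures:
            self._blocked_until[ip] = now + self.block
            q.clear()
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure history for that source."""
        self._failures.pop(ip, None)


if __name__ == "__main__":
    guard = IpLockout(max_failures=3, window_seconds=60, block_seconds=120)
    for t in (0, 10, 20):
        guard.record_failure("198.51.100.7", t)   # constructed sample source
    print("blocked at t=30:", guard.is_blocked("198.51.100.7", 30))
    print("blocked at t=200:", guard.is_blocked("198.51.100.7", 200))
    print("0o644 world readable:", is_world_readable(0o644))
```

The lockout keys on the source IP, as the answer suggests, rather than on the username, so a scanner trying many names from one address is stopped while a legitimate user who mistypes once is not locked out of their own account.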
Is revealing a PC account user name bad?
In short, NO. Why?
- Well, for starters, your PC username is not information that is unique to you. A lot of people in the world can have the same Windows username.
- Since it's not unique to a person, unlike an email address, where two people can't have the same email address, an attacker can't gain much information or even tell with any certainty that the username belongs to you and you alone.
- Sure, if that username of yours is your name itself, the attacker might use that knowledge to further OSINT you, but that's just about it.
Googling typically gets me back to the first two of these articles. These answers show that on a website it may be bad to reveal the username for the website account, because it gives malicious users needed information to try to crack an account. The "hacking" is rendered easier because the bad guy already knows where on the internet to try the passwords to crack the website account.
That is because a username on a website is unique, and furthermore in a brute force attack two pieces of information are needed. An attacker could (if the website allows) try a combination of passwords since he already knows that the username is valid.
Even if the user has port-forwarded remote-in software, one would have to know the internet address of the computer or the router, of which there's some 4 billion in the IPv4 space, and astronomically more in IPv6. Knowing where to start poking seems a lot harder.
The assumption that you make here is wrong. Never think that by hiding an IP address you might be "secure". The concept of defence in depth has to be applied here. The internet is being scanned for vulnerabilities as you read this answer.
The logs therefore reveal the account user name to anyone who may download the log file. And everyone, including non-authenticated visitors, can download log files. Some users obfuscate these path names because they feel that having their user names out on the web is bad.
In my opinion there is nothing insecure here. Plus, you already say half of the people fake the names. There is nothing substantial to gain here for an attacker except maybe a bit of information about the person, but THAT'S ALL!
answered 5 hours ago
Vipul Nair
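Both answers make the same point: the internet is scanned continuously, and simple tools guess usernames and passwords against services such as SSH on TCP/22 without targeting anyone in particular. The defender's side of that is to recognise it in the logs. Below is an added example, not code from either answer or from any project, that parses sshd-style "Failed password" lines and reports sources that fail repeatedly across many different names, which is the signature of an untargeted scanner rather than of a user mistyping a password. The log lines, IP addresses, usernames and the threshold are constructed for this example.

```python
"""Added example (not from the Stack Exchange answers): a small detector for
the opportunistic SSH password guessing both answers describe, run over
constructed sshd-style log lines.  The line format follows OpenSSH's
"Failed password for [invalid user] NAME from IP port N ssh2" messages; the
IP addresses, user names, timestamps and threshold are constructed.
"""
import re
from collections import defaultdict

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..."
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: one scanner cycling through common names, and one
# legitimate user who mistypes once and then logs in.
SAMPLE_LOG = """\
Jul 14 03:12:01 host sshd[2212]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2
Jul 14 03:12:03 host sshd[2214]: Failed password for invalid user test from 203.0.113.5 port 40130 ssh2
Jul 14 03:12:05 host sshd[2216]: Failed password for root from 203.0.113.5 port 40141 ssh2
Jul 14 03:12:07 host sshd[2218]: Failed password for invalid user oracle from 203.0.113.5 port 40150 ssh2
Jul 14 03:12:09 host sshd[2220]: Failed password for invalid user pi from 203.0.113.5 port 40161 ssh2
Jul 14 03:15:40 host sshd[2301]: Failed password for alice from 192.0.2.10 port 51022 ssh2
Jul 14 03:15:52 host sshd[2301]: Accepted password for alice from 192.0.2.10 port 51022 ssh2
"""


def parse_failures(log_text: str) -> dict:
    """Return {source_ip: [user, user, ...]} for every failed-password line."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("ip")].append(m.group("user"))
    return failures


def find_brute_force_sources(log_text: str, threshold: int = 4) -> dict:
    """Sources with at least `threshold` failures.  The report also counts
    how many distinct names each source tried: a wide spread of names
    marks an untargeted scanner, a single name marks a user error or a
    targeted guess against a known account."""
    report = {}
    for ip, users in parse_failures(log_text).items():
        if len(users) >= threshold:
            report[ip] = {
                "failures": len(users),
                "distinct_users": len(set(users)),
                "users": sorted(set(users)),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures across "
              f"{info['distinct_users']} names: {info['users']}")
```

Run against a real `/var/log/auth.log` the same function shows which account names the scanners are already trying; names that appear there were guessed from common wordlists, not learned from any one person's log files, which is the point both answers make about the username itself being of little value to an attacker.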
I should clarify that there have been problems with Virtualbox when the username of the account or another folder in the file paths has Unicode/UTF-8 characters (not just plain ASCII) or periods. Eventually the developers fix issues, but they crop up. So we tend to insist on unobfuscated logs. And we get a bit of pushback at times from the obfuscators.
– Triplefault
9 hours ago