DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Force Username for Administration
30 Nov 2009 11:46 #59107
by admin
Replied by admin on topic Force Username for Administration
Mordorf wrote: "I am a security expert that makes a living out of IT security."
To quote you....perhaps we should be worried now
Mordorf wrote: "A non standard username and password IS more secure than just a password."
No it's not.
To be clear we're talking about the same thing:
1. Username : admin Password: u785jgu34%5437
vs.
2. Username : Jimmy Password: u785jgu34
You think that for your router No.2 is more secure, for some reason.
i.e. you think that no matter how complex or long a password on your router is, having a username too is more secure, right ?
By 'more secure' you mean 'easier to crack' right ?
Given suitably strong passwords, and assuming the examples above, both would require the same effort to crack. In fact, as you point out yourself, the fact that 'Jimmy' would be visible on-screen, it has an additional weakness.
The purpose of a username is to differentiate accounts, not add security. That's why your cashcard only has a PIN; the card's magnetic strip or chip is an extra layer.
Do you still disagree (without moving the goalposts) ?
Forum Administrator
30 Nov 2009 11:48 #59108
by admin
Replied by admin on topic Force Username for Administration
Spence wrote: "That's why with the current crop of Windows Servers, installation asks you for an administrator name and advises you NOT to use Administrator."
That's different; a Windows server has different levels of user authentication and needs to differentiate between user accounts. Also, in practice people don't choose strong passwords, so having a different username does make a weak password safer.
Forum Administrator
30 Nov 2009 12:15 #59110
by mordorf
Replied by mordorf on topic Force Username for Administration
You are partially right, a username CAN be used to create an individual user environment but it CAN also be used to add a layer of security.
It stands to reason that two levels of authentication is better than one, you have to crack two separate pieces of information. Like you said Uthf7#>92dG?! is more secure than 12345 and Rosherchelle would be more secure than admin as I doubt you would find Rosherchelle in any dictionary. You could use a username as complex as the password. Two is better than one, FACT. The username must match the password and the password must match the username.
Sorry, but you really haven't won the argument, you've just made me even more worried about the advice an Admin of this forum is giving.
Folks, please, PLEASE use a little common sense before commenting on a subject and also before following any guidance. Some people give advice without thinking it through.
As for the cash card, the PIN must match the card's identity which is stored on the magnetic strip or chip, two factor authentication, you need both the card and the PIN to get your cash. I can't just walk into a bank, give my PIN and take out a bundle of cash.
30 Nov 2009 12:41 #59111
by admin
Replied by admin on topic Force Username for Administration
Mordorf wrote: "It stands to reason that two levels of authentication is better than one, you have to crack two separate pieces of information."
Two pieces of information of length 'n' which have the same properties (for example alpha-numeric passwords) are no more secure than one piece of information of length 2n.
Mordorf wrote: "Two is better than one, FACT."
That is not an argument!
Mordorf wrote: "The username must match the password and the password must match the username."
Go back to the examples I gave; explain why No.2 is more secure than No.1.
Mordorf wrote: "you really haven't won the argument, you've just made me even more worried about the advice an Admin of this forum is giving. Folks, please, PLEASE use a little common sense before commenting on a subject and also before following any guidance. Some people give advice without thinking it through."
Now you're just being rude again...and I would give up, but wish anyone following to understand the point.
I'm not asking you to admit you are incompetent (as you have accused me) merely re-assess it and then see that you were mistaken, perhaps just by having misread the point. There's no shame in admitting you mis-read or misunderstood!
To make it easier, here is the example again:
1. Username : admin
Password: u785jgu34%5437
vs.
2. Username : Jimmy (User defined)
Password: u785jgu34
You think that for your router No.2 is more secure.
i.e. you think that no matter how complex or long a password on your router is, having a username too is more secure, right ?
By 'more secure' you mean 'easier to crack' right ?
Given suitably strong passwords, and assuming the examples above, both would require the same effort to crack. In fact, as you point out yourself, the fact that 'Jimmy' would be visible on-screen, it has an additional weakness.
No moving goalposts, no tangents, just address the argument... and then, as begrudgingly as you like, admit that they are equally secure...
Forum Administrator
30 Nov 2009 14:08 #59118
by mordorf
Replied by mordorf on topic Force Username for Administration
It is you that is changing your argument which is about a username and password combination being more secure than just a password alone. No one, except you, mentioned anything to do with string length. Obviously a longer, more complex string is going to be harder to crack than a short dictionary word.
If you have just a password you are just performing a dictionary or brute force attack on a single item. You only have to get one item correct, whereas with a user name AND password you have to get both right TOGETHER AT THE SAME TIME.
If you have a username of ~032dbHtf and a password of 9Jsb~'!$ that would be more secure than just having a password of ~032dbHtf9Jsb~'!$. Both the username and password fields have billions of possible combinations, let's say that each field has 4 billion combinations so with two fields you have 8 billion combinations but that isn't really correct because you have to get both fields right at the same time which would make it massively more difficult to crack. The possibility is beyond the realms of practicality with today's technology, it would take far too long to crack. It would also take too long to crack a complex password alone but to say that it's just as quick and simple to crack both a username and password is total rubbish. The more complex a string the harder and longer it will take to crack, two or more complex strings together will take many, many, many times longer than a single string alone even if it is as long and complex as both the username and password together.
Please don't try and wriggle out of being wrong by trying to change the question to suit your argument which is NOT about authentication string length and complexity.
Please also note that I do not consider my above examples of username and password to be sufficiently long and complex.
30 Nov 2009 16:09 #59122
by admin
Replied by admin on topic Force Username for Administration
Mordorf wrote: "No one, except you, mentioned anything to do with string length."
Quite right only me...you chose to ignore it in your answer!
Mordorf wrote: "If you have a username of ~032dbHtf and a password of 9Jsb~'!$ that would be more secure than just having a password of ~032dbHtf9Jsb~'!$."
Do you understand probability at ALL ?
Mordorf wrote: "let's say that each field has 4 billion combinations so with two fields you have 8 billion combinations"
So, you're now moving the goalposts and introducing fixed (limited) length fields ? Yes, sure if you are allowed only 4 characters in a username and 4 in a password, then 4+4 > 4 I have to agree with that complex piece of maths !
Mordorf wrote: "Please don't try and wriggle out of being wrong by trying to change the question"
I'm not changing my question... I re-quoted it once to avoid you missing it and once again, you have sidestepped it.... What you're doing is obfuscating. Go back to the original question. It's still the same.
The question was whether a username and password is harder to crack than a password alone. Given NO OTHER restrictions or factors (none were stated) then they are equally secure.
Forum Administrator
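The counting argument this thread turns on, worked through as an added example (not part of any post and not DrayTek code). It assumes every character of each field is drawn uniformly at random from the 95 printable ASCII characters, which real usernames such as 'Jimmy' are not; the function names are illustrative.

```python
import itertools
import math

ALPHABET_SIZE = 95  # assumption: uniformly random printable-ASCII characters


def keyspace(length, alphabet_size=ALPHABET_SIZE):
    """Number of distinct strings of exactly `length` characters."""
    return alphabet_size ** length


def login_keyspace(username, password, username_known=False):
    """Candidate logins to cover when both fields must match at once.

    The per-field counts multiply. A username that is a default, or is
    displayed on screen, is already known and contributes a factor of 1.
    """
    user_part = 1 if username_known else keyspace(len(username))
    return user_part * keyspace(len(password))


def bits(count):
    """Size of a search space in bits."""
    return math.log2(count)


def pairs_match_single(alphabet, n):
    """Exhaustive check on a tiny alphabet: the (username, password) pairs of
    length n + n are exactly the single strings of length 2n, one for one."""
    field = ["".join(t) for t in itertools.product(alphabet, repeat=n)]
    joined = {u + p for u in field for p in field}
    single = {"".join(t) for t in itertools.product(alphabet, repeat=2 * n)}
    return joined == single and len(joined) == len(field) ** 2


if __name__ == "__main__":
    # The configurations compared in the thread (strings copied from the posts).
    cases = {
        "No.1 admin (known) + 14-char password": login_keyspace("admin", "u785jgu34%5437", True),
        "No.2 Jimmy (secret) + 9-char password": login_keyspace("Jimmy", "u785jgu34"),
        "No.2 with Jimmy visible on screen": login_keyspace("Jimmy", "u785jgu34", True),
        "~032dbHtf + 9Jsb~'!$ as two fields": login_keyspace("~032dbHtf", "9Jsb~'!$"),
        "~032dbHtf9Jsb~'!$ as one field": keyspace(17),
        "two fields of 4 billion values each": 4_000_000_000 ** 2,
    }
    for label, count in cases.items():
        print(f"{label:40s} {bits(count):6.1f} bits")
    print("pairs == single strings ('abc', n=2):", pairs_match_single("abc", 2))
```

Under the stated assumption, No.1 and No.2 come out the same size, and No.2 shrinks to the password alone once the username is known.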