Is it insecure to not let a user choose their own username, and base the username on a known pattern?


I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).



They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.



However, the username is also preset and unchangeable. To make matters worse, IMO, the username is my bank sort code + account number. I am trying to decide if this is also a security issue.



  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlessly open.

  2. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.

  3. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.

  4. Someone hacking my account will be able to gain the following information about me:

    • Name
    • Address
    • Sort code
    • Account number
    • Email address
    • Phone number


All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.



Should I use the username argument to strengthen my complaint about the password storage?










account-security user-names






asked Jul 16 at 14:22









Darren

  • How do you know they are storing password in plaintext?

    – Vipul Nair
    Jul 16 at 14:30











  • @VipulNair because the password was emailed to me.

    – Darren
    Jul 16 at 14:31











  • @Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.

    – Andrew Morozko
    Jul 16 at 14:34











  • @AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.

    – Darren
    Jul 16 at 14:35












  • @Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.

    – Andrew Morozko
    Jul 16 at 14:38

















1 Answer
To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlessly open.

Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.

  2. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.

This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.

  3. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.

No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.

  4. Someone hacking my account will be able to gain the following information about me:

    • Name
    • Address
    • Sort code
    • Account number
    • Email address
    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.






  • "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. Regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username-specific security (other than the Google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. Why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49
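
The distinction raised in the comments (a password emailed once when it is issued versus one the provider can send again on request), as an added Python example that is not part of the original thread or of any system it describes. The class names, the PBKDF2-HMAC-SHA256 work factor and the username are constructed for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 600_000  # assumption: work factor picked for this example


def _derive(password: str, salt: bytes) -> bytes:
    """One-way derivation: the digest can be re-computed, not reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class HashedStore:
    """Hypothetical provider that keeps only (salt, digest) per username."""

    def __init__(self):
        self._records = {}
        self._dummy_salt = secrets.token_bytes(16)

    def set_password(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self._records[username] = (salt, _derive(password, salt))

    def issue_password(self, username: str) -> str:
        """Generate a password, store its hash, hand the password back once.
        Emailing this return value is possible without ever storing it."""
        password = secrets.token_urlsafe(12)
        self.set_password(username, password)
        return password

    def verify(self, username: str, password: str) -> bool:
        # Unknown usernames still pay for one derivation, so a guessable
        # username pattern is not confirmed by response time.
        salt, expected = self._records.get(username, (self._dummy_salt, b""))
        return hmac.compare_digest(_derive(password, salt), expected)

    def change_password(self, username: str, old: str, new: str) -> bool:
        """User-chosen replacement, allowed only with the current password."""
        if not self.verify(username, old):
            return False
        self.set_password(username, new)
        return True

    def recover_password(self, username: str):
        """A 'send me my password again' feature has nothing to send."""
        return None


class RecoverableStore:
    """Hypothetical provider that keeps the password itself; stands in for
    plain text and for reversible encryption alike."""

    def __init__(self):
        self._records = {}

    def set_password(self, username: str, password: str) -> None:
        self._records[username] = password

    def verify(self, username: str, password: str) -> bool:
        if username not in self._records:
            return False
        return hmac.compare_digest(self._records[username].encode(), password.encode())

    def recover_password(self, username: str):
        return self._records.get(username)


def demo() -> dict:
    # Constructed placeholder in the sort code + account number pattern.
    username = "000000-00000000"
    hashed, recoverable = HashedStore(), RecoverableStore()

    issued = hashed.issue_password(username)  # delivered once, at issue time
    recoverable.set_password(username, issued)
    salt, digest = hashed._records[username]

    return {
        "issued_password_verifies": hashed.verify(username, issued),
        "password_in_hashed_record": issued.encode() in salt + digest,
        "hashed_store_can_resend": hashed.recover_password(username) is not None,
        "recoverable_store_can_resend": recoverable.recover_password(username) == issued,
        "change_with_wrong_old_password": hashed.change_password(username, "guess", "new-pass"),
        "change_with_right_old_password": hashed.change_password(username, issued, "new-pass"),
        "old_password_still_verifies": hashed.verify(username, issued),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both stores can deliver the password at issue time; only the one that keeps it in recoverable form can deliver it again later, which is the observable difference the comments describe.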













Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213569%2fis-it-insecure-to-not-let-a-user-choose-their-own-username-and-base-the-usernam%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









5














To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.



Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.




  1. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.



This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.




  1. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.




  1. Someone hacking my account will be able to gain the following information about me:

    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.






share|improve this answer




















  • 1





    "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49















5














To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.



Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.




  1. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.



This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.




  1. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.




  1. Someone hacking my account will be able to gain the following information about me:

    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (including your date of birth) will be publicly available anyway; most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.


























  • 1





    "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. Regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username-specific security (other than the Google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. Why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49













edited Jul 16 at 17:12

























answered Jul 16 at 16:54









mael'







