Is it insecure to not let a user choose their own username, and base the username on a known pattern?What methods can be used to prevent mistyped usernames?Is there more of a security risk by providing an email when creating a new account?Are six digit temporary numerical pins secure enough for online accounts?Is it bad practice to accept phone number or email as username?How to proceed after attempted cracking to accounts?Is it unsecure to let my personal computer user name be known publicly?Amazon 2FA: Compromising the email leads to compromising 2FA, e.g removing the other factor?What is optimal way to connect accounts to 2FA on phone?Is it good or bad practice to allow a user to change their username?Securely storing account credentials/information for critical company services - the bus factor
What is the max number of outlets on a GFCI circuit?
What does Kasparov mean by "I was behind in three and even in one after six games"?
Is it legal to use cash pulled from a credit card to pay the monthly payment on that credit card?
Convert a string like 4h53m12s to a total number of seconds in JavaScript
How can I make sure my players' decisions have consequences?
Why are there not any MRI machines available in Interstellar?
powerhouse of ideas
What are the exact meanings of roll, pitch and yaw?
401(k) investment after being fired. Do I own it?
What to do when you reach a conclusion and find out later on that someone else already did?
Invert Some Switches on a Switchboard
How did C64 games handle music during gameplay?
How to write a sincerely religious protagonist without preaching or affirming or judging their worldview?
How may I concisely assign different values to a variable, depending on another variable?
How can I receive packages while in France?
Trapped in an ocean Temple in Minecraft?
How to get the two pictures aligned
Why are so many countries still in the Commonwealth?
Knights fighting a steam locomotive they believe is a dragon
Timing/Stack question about abilities triggered during combat
Automatic Habit of Meditation
Terence Tao–type books in other fields?
Area of parallelogram = Area of square. Shear transform
How were the LM astronauts supported during the moon landing and ascent? What were the max G's on them during these phases?
Is it insecure to not let a user choose their own username, and base the username on a known pattern?
What methods can be used to prevent mistyped usernames?Is there more of a security risk by providing an email when creating a new account?Are six digit temporary numerical pins secure enough for online accounts?Is it bad practice to accept phone number or email as username?How to proceed after attempted cracking to accounts?Is it unsecure to let my personal computer user name be known publicly?Amazon 2FA: Compromising the email leads to compromising 2FA, e.g removing the other factor?What is optimal way to connect accounts to 2FA on phone?Is it good or bad practice to allow a user to change their username?Securely storing account credentials/information for critical company services - the bus factor
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).
They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.
However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.
Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
Someone hacking my account will be able to gain the following information about me:
- Name
- Address
- Sort code
- Account number
- Email address
- Phone number
All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.
Should I use the username argument to strengthen my complaint about the password storage?
account-security user-names
|
show 3 more comments
I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).
They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.
However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.
Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
Someone hacking my account will be able to gain the following information about me:
- Name
- Address
- Sort code
- Account number
- Email address
- Phone number
All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.
Should I use the username argument to strengthen my complaint about the password storage?
account-security user-names
How do you know they are storing password in plaintext?
– Vipul Nair
Jul 16 at 14:30
@VipulNair because the password was emailed to me.
– Darren
Jul 16 at 14:31
@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.
– Andrew Morozko
Jul 16 at 14:34
@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.
– Darren
Jul 16 at 14:35
@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.
– Andrew Morozko
Jul 16 at 14:38
|
show 3 more comments
I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).
They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.
However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.
Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
Someone hacking my account will be able to gain the following information about me:
- Name
- Address
- Sort code
- Account number
- Email address
- Phone number
All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.
Should I use the username argument to strengthen my complaint about the password storage?
account-security user-names
I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).
They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.
However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.
Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
Someone hacking my account will be able to gain the following information about me:
- Name
- Address
- Sort code
- Account number
- Email address
- Phone number
All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.
Should I use the username argument to strengthen my complaint about the password storage?
account-security user-names
account-security user-names
asked Jul 16 at 14:22
DarrenDarren
1456 bronze badges
1456 bronze badges
How do you know they are storing password in plaintext?
– Vipul Nair
Jul 16 at 14:30
@VipulNair because the password was emailed to me.
– Darren
Jul 16 at 14:31
@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.
– Andrew Morozko
Jul 16 at 14:34
@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.
– Darren
Jul 16 at 14:35
@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.
– Andrew Morozko
Jul 16 at 14:38
|
show 3 more comments
How do you know they are storing password in plaintext?
– Vipul Nair
Jul 16 at 14:30
@VipulNair because the password was emailed to me.
– Darren
Jul 16 at 14:31
@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.
– Andrew Morozko
Jul 16 at 14:34
@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.
– Darren
Jul 16 at 14:35
@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.
– Andrew Morozko
Jul 16 at 14:38
How do you know they are storing password in plaintext?
– Vipul Nair
Jul 16 at 14:30
How do you know they are storing password in plaintext?
– Vipul Nair
Jul 16 at 14:30
@VipulNair because the password was emailed to me.
– Darren
Jul 16 at 14:31
@VipulNair because the password was emailed to me.
– Darren
Jul 16 at 14:31
@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.
– Andrew Morozko
Jul 16 at 14:34
@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.
– Andrew Morozko
Jul 16 at 14:34
@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.
– Darren
Jul 16 at 14:35
@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.
– Darren
Jul 16 at 14:35
@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.
– Andrew Morozko
Jul 16 at 14:38
@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.
– Andrew Morozko
Jul 16 at 14:38
|
show 3 more comments
1 Answer
1
active
oldest
votes
To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):
..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.
From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.
To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.
Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.
To address your points:
- Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.
- While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.
- It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.
- Someone hacking my account will be able to gain the following information about me:
• Name
• Address
• Sort code
• Account number
• Email address
• Phone number
If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.
In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.
1
"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.
– Jim Cullen
Jul 16 at 23:00
Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).
– jww
Jul 16 at 23:16
@jww you are correct.
– Darren
Jul 17 at 2:01
@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?
– mael'
Jul 17 at 4:49
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213569%2fis-it-insecure-to-not-let-a-user-choose-their-own-username-and-base-the-usernam%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):
..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.
From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.
To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.
Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.
To address your points:
- Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.
- While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.
- It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.
- Someone hacking my account will be able to gain the following information about me:
• Name
• Address
• Sort code
• Account number
• Email address
• Phone number
If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.
In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.
1
"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.
– Jim Cullen
Jul 16 at 23:00
Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).
– jww
Jul 16 at 23:16
@jww you are correct.
– Darren
Jul 17 at 2:01
@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?
– mael'
Jul 17 at 4:49
add a comment |
To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):
..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.
From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.
To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.
Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.
To address your points:
- Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.
- While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.
- It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.
- Someone hacking my account will be able to gain the following information about me:
• Name
• Address
• Sort code
• Account number
• Email address
• Phone number
If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.
In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.
1
"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.
– Jim Cullen
Jul 16 at 23:00
Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).
– jww
Jul 16 at 23:16
@jww you are correct.
– Darren
Jul 17 at 2:01
@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?
– mael'
Jul 17 at 4:49
add a comment |
To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):
..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.
From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.
To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.
Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.
To address your points:
- Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.
- While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.
- It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.
- Someone hacking my account will be able to gain the following information about me:
• Name
• Address
• Sort code
• Account number
• Email address
• Phone number
If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.
In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.
To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):
..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.
From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.
To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.
Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.
To address your points:
- Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.
Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.
- While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.
This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.
- It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.
No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.
- Someone hacking my account will be able to gain the following information about me:
• Name
• Address
• Sort code
• Account number
• Email address
• Phone number
If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.
In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.
edited Jul 16 at 17:12
answered Jul 16 at 16:54
mael'mael'
2017 bronze badges
2017 bronze badges
1
"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.
– Jim Cullen
Jul 16 at 23:00
Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).
– jww
Jul 16 at 23:16
@jww you are correct.
– Darren
Jul 17 at 2:01
@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?
– mael'
Jul 17 at 4:49
add a comment |
1
"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.
– Jim Cullen
Jul 16 at 23:00
Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).
– jww
Jul 16 at 23:16
@jww you are correct.
– Darren
Jul 17 at 2:01
@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?
– mael'
Jul 17 at 4:49
1
1
"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.
– Jim Cullen
Jul 16 at 23:00
"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.
– Jim Cullen
Jul 16 at 23:00
Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).
– jww
Jul 16 at 23:16
Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).
– jww
Jul 16 at 23:16
@jww you are correct.
– Darren
Jul 17 at 2:01
@jww you are correct.
– Darren
Jul 17 at 2:01
@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?
– mael'
Jul 17 at 4:49
@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?
– mael'
Jul 17 at 4:49
add a comment |
Thanks for contributing an answer to Information Security Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213569%2fis-it-insecure-to-not-let-a-user-choose-their-own-username-and-base-the-usernam%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
How do you know they are storing password in plaintext?
– Vipul Nair
Jul 16 at 14:30
@VipulNair because the password was emailed to me.
– Darren
Jul 16 at 14:31
@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.
– Andrew Morozko
Jul 16 at 14:34
@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.
– Darren
Jul 16 at 14:35
@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.
– Andrew Morozko
Jul 16 at 14:38