Is it insecure to not let a user choose their own username, and base the username on a known pattern?What methods can be used to prevent mistyped usernames?Is there more of a security risk by providing an email when creating a new account?Are six digit temporary numerical pins secure enough for online accounts?Is it bad practice to accept phone number or email as username?How to proceed after attempted cracking to accounts?Is it unsecure to let my personal computer user name be known publicly?Amazon 2FA: Compromising the email leads to compromising 2FA, e.g removing the other factor?What is optimal way to connect accounts to 2FA on phone?Is it good or bad practice to allow a user to change their username?Securely storing account credentials/information for critical company services - the bus factor

What is the max number of outlets on a GFCI circuit?

What does Kasparov mean by "I was behind in three and even in one after six games"?

Is it legal to use cash pulled from a credit card to pay the monthly payment on that credit card?

Convert a string like 4h53m12s to a total number of seconds in JavaScript

How can I make sure my players' decisions have consequences?

Why are there not any MRI machines available in Interstellar?

powerhouse of ideas

What are the exact meanings of roll, pitch and yaw?

401(k) investment after being fired. Do I own it?

What to do when you reach a conclusion and find out later on that someone else already did?

Invert Some Switches on a Switchboard

How did C64 games handle music during gameplay?

How to write a sincerely religious protagonist without preaching or affirming or judging their worldview?

How may I concisely assign different values to a variable, depending on another variable?

How can I receive packages while in France?

Trapped in an ocean Temple in Minecraft?

How to get the two pictures aligned

Why are so many countries still in the Commonwealth?

Knights fighting a steam locomotive they believe is a dragon

Timing/Stack question about abilities triggered during combat

Automatic Habit of Meditation

Terence Tao–type books in other fields?

Area of parallelogram = Area of square. Shear transform

How were the LM astronauts supported during the moon landing and ascent? What were the max G's on them during these phases?



Is it insecure to not let a user choose their own username, and base the username on a known pattern?


What methods can be used to prevent mistyped usernames?Is there more of a security risk by providing an email when creating a new account?Are six digit temporary numerical pins secure enough for online accounts?Is it bad practice to accept phone number or email as username?How to proceed after attempted cracking to accounts?Is it unsecure to let my personal computer user name be known publicly?Amazon 2FA: Compromising the email leads to compromising 2FA, e.g removing the other factor?What is optimal way to connect accounts to 2FA on phone?Is it good or bad practice to allow a user to change their username?Securely storing account credentials/information for critical company services - the bus factor






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








2















I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).



They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.



However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.



  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.


  2. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.


  3. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



  4. Someone hacking my account will be able to gain the following information about me:



    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number


All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.



Should I use the username argument to strengthen my complaint about the password storage?










share|improve this question






















  • How do you know they are storing password in plaintext?

    – Vipul Nair
    Jul 16 at 14:30











  • @VipulNair because the password was emailed to me.

    – Darren
    Jul 16 at 14:31











  • @Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.

    – Andrew Morozko
    Jul 16 at 14:34











  • @AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.

    – Darren
    Jul 16 at 14:35












  • @Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.

    – Andrew Morozko
    Jul 16 at 14:38

















2















I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).



They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.



However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.



  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.


  2. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.


  3. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



  4. Someone hacking my account will be able to gain the following information about me:



    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number


All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.



Should I use the username argument to strengthen my complaint about the password storage?










share|improve this question






















  • How do you know they are storing password in plaintext?

    – Vipul Nair
    Jul 16 at 14:30











  • @VipulNair because the password was emailed to me.

    – Darren
    Jul 16 at 14:31











  • @Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.

    – Andrew Morozko
    Jul 16 at 14:34











  • @AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.

    – Darren
    Jul 16 at 14:35












  • @Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.

    – Andrew Morozko
    Jul 16 at 14:38













2












2








2








I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).



They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.



However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.



  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.


  2. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.


  3. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



  4. Someone hacking my account will be able to gain the following information about me:



    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number


All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.



Should I use the username argument to strengthen my complaint about the password storage?










share|improve this question














I have recently changed banks and my new bank has a benefit scheme (discounts etc.) that has its own website and different login details to my online banking (I think the benefits system is administered by a third-party).



They are clearly storing passwords in plain text and there's no ability to change my password to anything of my own choosing. This is the main crux of a complaint I will be making to the ICO on GDPR grounds.



However, the username is also preset and unchangeable. To make matters worse, IMO, is that the username is my bank sort code + account number. I am trying to decide if this is also a security issue.



  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.


  2. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.


  3. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



  4. Someone hacking my account will be able to gain the following information about me:



    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number


All that's missing to make the complete set of personal information would be my date of birth, and for all I know they're storing that information about me behind the scenes too.



Should I use the username argument to strengthen my complaint about the password storage?







account-security user-names






share|improve this question













share|improve this question











share|improve this question




share|improve this question










asked Jul 16 at 14:22









DarrenDarren

1456 bronze badges




1456 bronze badges












  • How do you know they are storing password in plaintext?

    – Vipul Nair
    Jul 16 at 14:30











  • @VipulNair because the password was emailed to me.

    – Darren
    Jul 16 at 14:31











  • @Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.

    – Andrew Morozko
    Jul 16 at 14:34











  • @AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.

    – Darren
    Jul 16 at 14:35












  • @Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.

    – Andrew Morozko
    Jul 16 at 14:38

















  • How do you know they are storing password in plaintext?

    – Vipul Nair
    Jul 16 at 14:30











  • @VipulNair because the password was emailed to me.

    – Darren
    Jul 16 at 14:31











  • @Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.

    – Andrew Morozko
    Jul 16 at 14:34











  • @AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.

    – Darren
    Jul 16 at 14:35












  • @Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.

    – Andrew Morozko
    Jul 16 at 14:38
















How do you know they are storing password in plaintext?

– Vipul Nair
Jul 16 at 14:30





How do you know they are storing password in plaintext?

– Vipul Nair
Jul 16 at 14:30













@VipulNair because the password was emailed to me.

– Darren
Jul 16 at 14:31





@VipulNair because the password was emailed to me.

– Darren
Jul 16 at 14:31













@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.

– Andrew Morozko
Jul 16 at 14:34





@Darren they could’ve emailed you your password before hashing and storing it. Still, that’s a bad practice.

– Andrew Morozko
Jul 16 at 14:34













@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.

– Darren
Jul 16 at 14:35






@AndrewMorozko well I accept that's possible, but seems unlikely. Regardless, the scope for it being intercepted and my inability to change it is concerning.

– Darren
Jul 16 at 14:35














@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.

– Andrew Morozko
Jul 16 at 14:38





@Darren true. As for username, they are generally assumed to be non-secret and aren’t considered a part of security architecture. I have no idea about the law, but who knows how courts may think about it.

– Andrew Morozko
Jul 16 at 14:38










1 Answer
1






active

oldest

votes


















5














To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.



Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.




  1. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.



This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.




  1. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.




  1. Someone hacking my account will be able to gain the following information about me:

    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.






share|improve this answer




















  • 1





    "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49













Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);













draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213569%2fis-it-insecure-to-not-let-a-user-choose-their-own-username-and-base-the-usernam%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes









5














To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.



Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.




  1. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.



This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.




  1. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.




  1. Someone hacking my account will be able to gain the following information about me:

    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.






share|improve this answer




















  • 1





    "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49















5














To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.



Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.




  1. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.



This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.




  1. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.




  1. Someone hacking my account will be able to gain the following information about me:

    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.






share|improve this answer




















  • 1





    "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49













5












5








5







To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.



Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.




  1. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.



This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.




  1. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.




  1. Someone hacking my account will be able to gain the following information about me:

    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.






share|improve this answer















To address your primary question: a username is largely security neutral. NIST doesn't really have specific guidelines dictating what usernames a system should require. On page 21 of NIST Special Publication 800-63-3 (Section 4):




..the RP (relying party) may request the CSP (Credential Service Provider) assert information about the subscriber, such as verified attribute values, verified attribute references, or pseudonymous identifiers (i.e. your account number). This information assists the RP in making authorization decisions. An RP [..] may only need specific attributes, resulting in the subject retaining some degree of pseudonymity. This privacy enhancing approach is a benefit of separating the strength of the proofing process from that of the authentication process.




From a security perspective: how a username is determined is often the least critical part of the entire authentication design process. Is it ideal for you to have a username that both identifies your bank down to the branch (your sort code) in combination with your account number? No. Is it the ideal way for a relatively large system to assign potentially tens or hundreds of thousands of usernames to unique individuals across multiple geographic locations? Probably, yes.



To address your specific situation: yes - as you have already outlined, it is less secure to have your username be your account number than it would be to set it yourself - but it's also more secure than having firstinitial.lastname or some other similarly structured syntax.



Based on whom you are considering making your complaint to, I am going to assume you are in the UK - so you may be able to find more specific guidance for UK and the EU (while you guys are still in it). By all means - make a complaint if you think it might help the situation, just keep in mind that there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems. In my opinion: being unable to change your password is the biggest red flag in the whole situation - so that might be where you can find some traction.



To address your points:




  1. Whilst my bank account number is not necessarily secret (it is printed on cheques, and I need to give it to people to transfer money to me), it seems needlesly open.



Your bank account number is as open as you allow it to be. Only write checks/give your routing information to trusted parties, secure your mailbox as best as you can, and if all else fails - choose another bank or change your banking practices. If your trust issues conflict with whatever convenience/benefits you are gaining, that is your decision to weigh.




  1. While most other websites also don't allow you to change your username and pre-set your username to your email address, in that scenario I at least have the option to create a throwaway email address, or use a + address.



This depends completely on the organization/company/system you are dealing with - in most cases dealing with money/bills where your account is automatically generated, you won't get to pick.




  1. It limits usernames to a single character set (numeric) which makes it easier for brute force hackers etc.



No one is going to brute force your username. Someone getting into your e-mail (and retrieving your password), gaining access to your [hopefully hashed] password from the benefits system, or logging your password because the computer you use to access the site has been compromised are the real issues here.




  1. Someone hacking my account will be able to gain the following information about me:

    • Name

    • Address

    • Sort code

    • Account number

    • Email address

    • Phone number



If someone is hacking your account specifically (as opposed to passive collection or downloading as many user credentials as they can), you can probably assume that all of those pieces of information are what they are already working with. Most of that (and including your date of birth) will be publicly available anyway, most of it is written directly on your checks, etc.



In conclusion: if you are making a complaint, include everything you can prove - maybe even what you expect is happening on the backend - but don't get your hopes up.







share|improve this answer














share|improve this answer



share|improve this answer








edited Jul 16 at 17:12

























answered Jul 16 at 16:54









mael'mael'

2017 bronze badges




2017 bronze badges







  • 1





    "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49












  • 1





    "there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

    – Jim Cullen
    Jul 16 at 23:00











  • Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

    – jww
    Jul 16 at 23:16












  • @jww you are correct.

    – Darren
    Jul 17 at 2:01











  • @JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

    – mael'
    Jul 17 at 4:49







1




1





"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

– Jim Cullen
Jul 16 at 23:00





"there is no legal way for you to know for sure whether or not they are storing user passwords in plain text on their systems" Not true. If they are able to give you your password upon request (as opposed to only "at time of setting it"), then they are storing in plain text. Or they're encrypting it, but in security terms that's effectively the same thing. A minor error in an otherwise very good answer.

– Jim Cullen
Jul 16 at 23:00













Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

– jww
Jul 16 at 23:16






Regarding your NIST citation, I believe a different security model is being used. The bank is not the service provider, and the benefits company is not a relying party. It sounds like the bank transmitted the info to the third party and OP now has multiple accounts to maintain. (If I am parsing things correctly).

– jww
Jul 16 at 23:16














@jww you are correct.

– Darren
Jul 17 at 2:01





@jww you are correct.

– Darren
Jul 17 at 2:01













@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

– mael'
Jul 17 at 4:49





@JimCullen that's true - I was more just going off the wording in the question where there was no indication Darren is able to request his password and get a response. regarding the NIST citation - I couldn't really find any other guidance that did a good job outlining username specific security (other than the google page I linked and maybe some FTC op-eds) - so I really only included it as an "even this really official thing doesn't cover usernames beyond a broad definition" type thing. why wouldn't the bank or benefits company be considered a service provider in this scenario?

– mael'
Jul 17 at 4:49

















draft saved

draft discarded
















































Thanks for contributing an answer to Information Security Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f213569%2fis-it-insecure-to-not-let-a-user-choose-their-own-username-and-base-the-usernam%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Category:9 (number) SubcategoriesMedia in category "9 (number)"Navigation menuUpload mediaGND ID: 4485639-8Library of Congress authority ID: sh85091979ReasonatorScholiaStatistics

Circuit construction for execution of conditional statements using least significant bitHow are two different registers being used as “control”?How exactly is the stated composite state of the two registers being produced using the $R_zz$ controlled rotations?Efficiently performing controlled rotations in HHLWould this quantum algorithm implementation work?How to prepare a superposed states of odd integers from $1$ to $sqrtN$?Why is this implementation of the order finding algorithm not working?Circuit construction for Hamiltonian simulationHow can I invert the least significant bit of a certain term of a superposed state?Implementing an oracleImplementing a controlled sum operation

Magento 2 “No Payment Methods” in Admin New OrderHow to integrate Paypal Express Checkout with the Magento APIMagento 1.5 - Sales > Order > edit order and shipping methods disappearAuto Invoice Check/Money Order Payment methodAdd more simple payment methods?Shipping methods not showingWhat should I do to change payment methods if changing the configuration has no effects?1.9 - No Payment Methods showing upMy Payment Methods not Showing for downloadable/virtual product when checkout?Magento2 API to access internal payment methodHow to call an existing payment methods in the registration form?