Wait, is Bitwarden seriously peddling shit about having a difficult-to-guess username? They're not passwords, they're non-sensitive handles that are displayed in all social apps ffs...
> Say, for instance, your name is Jane Doe and you use janedoe as the username for your account. If a hacker knows your first and last name, a couple of quick guesses (say janedoe or jdoe) and they're halfway to accessing your account

I would not hire this person to do anything with security.

Passwords and two-factor are the only things that help with account security, and I can't believe we're clouding the topic when we can't even get people to do that.


> halfway to accessing your account

If your password is easier to guess than your username, there's something horribly wrong.

@rune To be fair, there are some risks to user enumeration: it helps attackers find valid accounts that they can go and probe for weak passwords. But the solution to that isn't a strong username, it's a strong password. 🤦

I particularly appreciate that the other half of accessing the account is presumably the password, if only I had a way to generate a unique password per service.

@evelyn It's kinda the "other half" the same way that the chances of your account getting hacked is 50/50. Either it gets hacked or it doesn't.

@rune It does not make sense even *generously* because how would one even "try" a username without the password?
That's like saying "nuclear arming codes are made of numbers, therefore in only 10 tries someone can guess the first number, leaving only the rest of the code".

In some scenarios it does actually make sense I think, obviously not on social networks, but some services lack social elements and force you to come up with a username anyway, and having a coherent online identity tied by username could possibly maybe be an issue if data is compromised. Doesn't help you if they use email addresses to correspond them though.

@evelyn I suppose there are scenarios where it could improve security. Especially with services that have weird password limitations like 12 characters or something.

But if I'm allowed to set a random 20 character password I just wouldn't worry about it.

Yeah, it's not something I've ever been concerned about. Having a lot of distinct and deniable email addresses would be more useful, and I don't really do that.

@evelyn @rune For non-important services I've started using disposable email addresses. For somewhat more important stuff not connected to my legal identity I've used Firefox Relay or similar.

@evelyn @rune I think random usernames are great for most services. For anything that doesn’t obviously require my real identity I much prefer to have entirely separate personas. There is no need for Pinterest/Reddit/Tumblr to know who I am, and nobody needs to connect me across these networks. We leak tons of data - why make stalking me easier than necessary?

@prosaluxemburg @evelyn I like that. That's a good selling point of that feature. Not pretending that it's magic sauce password security, but explaining how you can protect your identity.

I think for social networks there's still a value in choosing the name yourself rather than automatically generating it, even if you try to keep your online identity fragmented and use radically different usernames. Personally I use a lot of different usernames, but I tend to pick them myself; I wouldn't feel quite right with a totally random one.

@evelyn @rune I completely agree! I mostly appreciate the randomness when I want to share as little of myself as possible for whatever reason.

@rune There is one valid point, though: Having a unique username for every service makes it harder to connect the dots between several pwned accounts and harvested data. But it's not really that important with unique passwords and 2FA anyway.

@trezzer You'd also need to generate unique emails for every account or it's back to square one.

Mastodon Community of Denmark (MCD) for Danes and other people to talk about Denmark or whatever.