19 February 2011

Is your username too unique?

The Telegraph reports how spammers can now target their phishing attacks by cross-correlating usernames from multiple sites...
French security academics... harvested almost 10 million usernames from Google, eBay and MySpace.

Using statistical analysis techniques they showed that it is possible, to a high degree of certainty, to track about half of internet users across the internet based on only their username. They also showed that the more unique - the more entropy it has - the username, the more likely it is that it can be linked to a real person...

The researchers argue that such targeted phishing emails would trick more people into clicking on malicious links that allow criminals to take control of computers...
Passwords, by contrast, need to be totally unique.  But with usernames, it may sometimes be better to blend into the crowd (or at least not to use the same username at different sites).  The research team presents a site where you can test your username to see how much entropy it has.
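To make the entropy idea concrete, here is an added example (not the research team's test site and not code from this post) that scores a username by how surprising it is under a character bigram model trained on a small constructed list of usernames. The bigram model with add-one smoothing is an assumption of this example, a crude stand-in for the language models used in the study; the training list and the two "site" account lists are constructed. A username made of a common name or word scores low (easy to blend into the crowd), a random-looking handle scores high, and a high-scoring handle that appears on two sites is what links the accounts to one person.

```python
import math
from collections import Counter

# Constructed training corpus: a tiny stand-in for the millions of harvested
# usernames in the study. These are made-up handles, not data from the paper.
TRAINING_USERNAMES = [
    "john", "john_smith", "johnny", "mike", "mike23", "michael", "mark",
    "tom", "tommy", "anna", "annie", "sarah", "sara", "david", "dave",
    "chris", "christina", "alex", "alexander", "andrew", "andy", "jenny",
    "jennifer", "funder", "founder", "hunter", "runner", "summer", "winter",
    "tester", "master", "gamer", "player", "reader", "writer", "user123",
    "admin", "guest", "hello", "world", "sunny", "happy", "lucky", "smith",
    "brown", "jones", "taylor", "wilson", "moore", "king", "lee",
]

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789_-."
START, END = "^", "$"  # sentinel symbols, deliberately outside ALPHABET


class BigramModel:
    """Character bigram model with add-one (Laplace) smoothing.

    Assumption of this example: a bigram model is only a rough proxy for the
    language models used in the research, but it is enough to show the trend
    that unusual character sequences carry more bits than common ones.
    """

    def __init__(self, usernames, alphabet=ALPHABET):
        self.symbols = set(alphabet) | {END}  # everything a transition can lead to
        self.bigrams = Counter()   # (prev, ch) -> how often ch followed prev
        self.outgoing = Counter()  # prev -> number of transitions leaving prev
        for name in usernames:
            prev = START
            for ch in name.lower() + END:
                self.bigrams[(prev, ch)] += 1
                self.outgoing[prev] += 1
                prev = ch

    def log2_prob(self, prev, ch):
        # Add-one smoothing: transitions never seen in training still get a
        # small non-zero probability instead of making the score infinite.
        num = self.bigrams[(prev, ch)] + 1
        den = self.outgoing[prev] + len(self.symbols)
        return math.log2(num / den)

    def entropy_bits(self, username):
        """Information content -log2 P(username) in bits; higher = more unique."""
        bits = 0.0
        prev = START
        for ch in username.lower() + END:
            if ch not in self.symbols:
                raise ValueError(f"character {ch!r} is outside the model alphabet")
            bits -= self.log2_prob(prev, ch)
            prev = ch
        return bits


def link_accounts(site_a, site_b, model):
    """Usernames present on both sites, most distinctive (highest entropy) first.

    A high-entropy handle seen on two sites is strong evidence of one person;
    a low-entropy one (a common first name or dictionary word) is weak evidence,
    because many unrelated people plausibly chose it independently.
    """
    shared = {u.lower() for u in site_a} & {u.lower() for u in site_b}
    return sorted(shared, key=model.entropy_bits, reverse=True)


# Constructed account lists for two hypothetical sites.
SITE_A = ["funder", "xq7zv_kt9", "john", "sarah99"]
SITE_B = ["xq7zv_kt9", "john", "anna", "gamer"]

MODEL = BigramModel(TRAINING_USERNAMES)

if __name__ == "__main__":
    for handle in ["john", "funder", "xq7zv_kt9"]:
        print(f"{handle:12s} {MODEL.entropy_bits(handle):6.1f} bits")
    print("shared handles, most linkable first:",
          link_accounts(SITE_A, SITE_B, MODEL))
```

With this model "funder" scores far below "xq7zv_kt9", matching the post's point that a real word gives some obscurity; the same scoring, run over the handles two sites have in common, ranks the random-looking one as the confident link and the common name as the doubtful one.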

  1. If you google my username...the results are all me. Though I do have other names for other sites/parts of the internet.

  2. I didn't think about it when I first established myself as Funder, but I'm pretty happy with the bit of obscurity I get - it's also a real word, so just googling for funder gets you a bunch of venture capitalist stuff. :) And like blitherypoop (love the nick!) I've got independent usernames for some sites.

  3. Test site hasn't been working all day...Says, "We are sorry but, due to the high load, the service is momentarily down. Please try again in a couple of minutes," but obviously something more serious is wrong with it.

    It's not going to help me anyway because on most sites my username is two words (some require me to delete the space), but the test doesn't deal with two-word usernames. That's kind of odd, because they're not uncommon (and some folks' usernames are more than two words).

    --Swift Loris

  4. "but obviously something more serious is wrong with it"

    ...maybe because they were using it to get usernames to start tracking?? lol. Wouldn't that be ironic?

  5. I've been wondering if it's a honeypot for idiots. Luckily it's down so I'm not tempted to be an idiot :)

  6. What Funder said.

    The link could be what is called a honeypot.
    Re:The link provided.
    You type in a user name and that proves that the user name is "live"

    All that is missing is "type in your password and we will make sure it is unique/safe/long enough"
    You get the idea....

  7. That might be one way to catch "live" usernames. Another would be to just watch any old blog to see who posts.

    Seriously, who cares?

  8. Anonymous cares. Because people are dumb and use the same usernames and same passwords across multiple sites, and that's how big hacks happen.
