[wp-hackers] Author URLs expose usernames

Andrew Spratley aspratley at gmail.com
Thu Jul 19 07:52:39 UTC 2012


I agree with Otto on this. Hiding usernames on the front end isn't
going to get you much more real security. As has been demonstrated
before, security by obscurity doesn't work long term. Usernames were
never engineered to be hidden. Having strong passwords and mitigating
brute force attacks is going to pay off for you in the long term.

Personally I'd put my security efforts into:

- Limiting public login attempts (I'd like to see this in core; does the
  aforementioned plugin work on Multisite installs?)
- Ensuring strong passwords are used (long and complex)
- Making sure my plugins and themes aren't opening my site up to abuse
- Ensuring a strong hash is used for PW storage (bcrypt or something
  that allows a unit of work to be set for the hash)

This is all assuming you have a secure hosting environment as well.

Re the caching point. As much as we'd all like it to be,
caching/scaling isn't just a flick of the switch and fix it kind of
thing. There're some excellent plugins out there, but you really need
to choose something that suits your environment and workload. Having
a generic solution in core wouldn't, in my opinion, be a neat solution
because of the wide number of use-cases it would need to satisfy. When
it comes to caching you need to understand what the performance
problem on your particular site is and then fix it.


On Thu, Jul 19, 2012 at 10:00 AM, Tom Barrett <tcbarrett at gmail.com> wrote:
> On 18 July 2012 17:52, Otto <otto at ottodestruct.com> wrote:
>
>> On Tue, Jul 17, 2012 at 11:13 PM, Tom Barrett <tcbarrett at gmail.com> wrote:
>> > The main issue is exposing the username, passing an author id in the url is
>> > just an easy way to find it.
>>
>> Exposing the username isn't the issue. The username isn't secret, nor
>> should it need to be.
>>
>
> I think I see where you are coming from. And possibly, in an ideal world, I
> agree with you.
>
>
>> The issue is allowing brute-force attacks to be carried out against
>> your site, and having passwords that can be brute-forced to begin
>> with.
>>
>
> I do completely agree with this. Users choosing bad passwords and making
> brute force attempts easy is a huge part of this security issue.
>
>
>> Consider the case where the username would be considered "secret". A
>> brute-force attack would now have to work against both the username
>> and the password. This is mathematically equivalent to knowing the
>> username and just making the password roughly twice as long.
>>
>
> Which would mean much more than just doubling the time it takes to brute
> force it (see below).
>
>> However, it's not really equivalent, because while security
>> professionals have been saying to make your passwords hard for
>> decades, they have not been saying to make your usernames hard as
>> well. Usernames are more likely to be all lowercase, for example. It's
>>
>
> Passwords are controlled by the users (they can change them to what they
> want). Usernames can be set up initially to be somewhat complex, and the
> user cannot change it.
>
>
>> easier to brute-force a username than to brute-force a password,
>> basically. So hiding the username isn't adding a whole lot of extra
>> security to this particular attack-vector. Making the password more
>> complex or longer adds a ton more security.
>>
>
> I appreciate I'm looking at this a little simplistically. However, above
> you say that hiding the username lengthens the password and a longer
> password is better security.
>
>
>> What's more, usernames themselves are generally *known* anyway. Most
>> modern systems don't even have usernames, they simply use the email
>> address as the username. The real security is in the password and the
>> difficulty therein.
>>
>
> Is it not worth pursuing a non perfect solution that does add some security
> before something better comes along? You don't think the ease with which
> anyone can, by default, find out all the usernames makes it easier to hack
> a WordPress installation? It is not a risk at all? Or it is not a
> significant enough risk?
>
>
>> If you want to stop this sort of thing, attack the real problems. Stop
>> the brute-force attacks from working at all by using a plugin like
>> Limit Login Attempts
>> (http://wordpress.org/extend/plugins/limit-login-attempts/)
>
>
> Again I agree with you. I always recommend this plugin.
>
> --
> http://www.tcbarrett.com | http://gplus.to/tcbarrett |
> http://twitter.com/tcbarrett
> _______________________________________________
> wp-hackers mailing list
> wp-hackers at lists.automattic.com
> http://lists.automattic.com/mailman/listinfo/wp-hackers
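As an added illustration of Andrew's "limiting public login attempts" item and Otto's point that the fix is to stop brute forcing rather than to hide usernames, here is example Python (not WordPress code and not the Limit Login Attempts plugin) of a throttle that counts failures both per source IP and per account, so that cycling through the usernames an attacker can read off author URLs does not reset the counter. The IPs, usernames, timings and thresholds are constructed for the example.

```python
from collections import defaultdict, deque

class LoginThrottle:
    """Failed-login limiter keyed per client IP and per account (constructed
    example). After max_failures failures within `window` seconds a key is
    locked for `lockout` seconds; a locked key rejects even correct passwords."""

    def __init__(self, max_failures=5, window=600, lockout=1200):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.failures = defaultdict(deque)  # key -> timestamps of recent failures
        self.locked_until = {}              # key -> time the lockout expires

    def _keys(self, ip, username):
        # Two independent counters: the source address and the target account.
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username, now):
        return any(self.locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username, now):
        for k in self._keys(ip, username):
            q = self.failures[k]
            while q and now - q[0] > self.window:  # drop failures outside the window
                q.popleft()
            q.append(now)
            if len(q) >= self.max_failures:
                self.locked_until[k] = now + self.lockout
                q.clear()

    def record_success(self, ip, username, now):
        for k in self._keys(ip, username):
            self.failures[k].clear()

def simulate(events, throttle):
    """Replay (time, ip, username, password_ok) events and return each outcome."""
    outcomes = []
    for t, ip, user, ok in events:
        if throttle.is_locked(ip, user, t):
            outcomes.append("locked")
        elif ok:
            throttle.record_success(ip, user, t); outcomes.append("success")
        else:
            throttle.record_failure(ip, user, t); outcomes.append("failed")
    return outcomes

# Constructed login log: one source guesses against several known usernames,
# then a second source joins in against the same account.
EVENTS = [
    (0, "198.51.100.7", "admin", False), (10, "198.51.100.7", "editor", False),
    (20, "198.51.100.7", "admin", False), (30, "198.51.100.7", "admin", False),
    (40, "198.51.100.7", "admin", False),  # 5th failure from this IP -> IP locked
    (50, "198.51.100.7", "admin", True),   # correct guess, still rejected
    (60, "203.0.113.9", "admin", False),   # new source; 5th failure on 'admin'
    (70, "203.0.113.9", "admin", True),    # account now locked for every source
    (80, "203.0.113.9", "editor", True),   # other account unaffected
    (1300, "198.51.100.7", "admin", True), # both lockouts have expired
]

if __name__ == "__main__":
    print(simulate(EVENTS, LoginThrottle()))
```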