
I signed into my bank's website and they demanded I change my username because it was found on the web--duh, it's my name and I've been online since the old BBS days. Huh? Since when are account names something to be protected?

The rules presented for usernames included that it couldn't be part of my e-mail. However, after rejecting (firstname)(lastname) their system suggested (firstname)_(lastname). Is the latter really any more secure?

Is there reason behind this or is it just "cargo cult" behavior?

Loren Pechtel
  • We are only getting your summary of what the bank said. If you want us to evaluate their choices, you need to provide details. As it stands, this is more of a rant than an objective question. – schroeder Apr 02 '21 at 08:20
  • Some users have a habit of keeping the same username and password across websites. They are assuming that it could be you. – defalt Apr 02 '21 at 09:19
  • @defalt Aha! That could be a reason behind it. I know better than to reuse passwords but I could see this as protection against people who don't know better. That doesn't explain the not-matching-the-e-mail rule, though. – Loren Pechtel Apr 02 '21 at 18:24
  • One other aspect of security is availability. If there are limitations placed to only allow x login attempts before locking an account (my old workplace had this), then someone with all of the user accounts and appropriate access can run through the entire list and lock everyone out by attempting to log in x times. – user Jun 02 '21 at 12:33

2 Answers

Different usernames

I think the reason for that is to avoid credential reuse across multiple websites.

No Firstname Lastname Usernames

I believe it is because they try to avoid phishing. In case a user's username is Bill Mat and his email address is billmat@gmail.com, you give a scammer a good base to create a better phishing email.

user3347882
  • It didn't actually have a no Firstname Lastname username rule--it's just my e-mail is FirstnameLastname. – Loren Pechtel Apr 03 '21 at 19:45
  • "a large number of bank customer" are across a wide demographic. That entire sentence is biased and naive beyond reason and it is completely unnecessary. The demographic that reuses passwords more often are the 18-24 crowd. – schroeder Jun 02 '21 at 13:20
  • @schroeder "The demographic that reuses passwords more often are the 18-24 crowd". Unless you can cite an authoritative source, I'd say "That entire sentence is biased and naive beyond reason". – EdStevens Jun 02 '21 at 13:55
  • @EdStevens three words "password reuse demographics" Google that and you will find studies over the past *20 years* showing the breakdown. Studies that have been so common and consistent that I'm shocked that we still need to bust this myth that seniors are the default cybersecurity risk. – schroeder Jun 02 '21 at 14:12

I think it may help to prevent a large-scale attack, where an attacker gathers a list of username-password pairs leaked online and tries to log in with all of them at the bank.

However, if an attacker wants to target a specific user, or a small group of users, hiding the username cannot stop them. I know of a website that tries to hide the username on the login page, but it also has 3 (or more) features that can be used to enumerate usernames.
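The large-scale credential-stuffing attack described in this answer, and the lockout sweep described in the comment on the question, share one trait a defender can detect regardless of whether usernames are public: a single source touching many distinct accounts in a short window. The following is an added example, not code from the question or either answer; the log format, the sample lines and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample auth log (not from any real system). Assumed format:
# "<unix_ts> <source_ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
1000 203.0.113.7 alice FAIL
1001 203.0.113.7 bob FAIL
1002 203.0.113.7 carol FAIL
1003 203.0.113.7 dave FAIL
1004 203.0.113.7 erin OK
1005 203.0.113.7 frank FAIL
1010 198.51.100.2 jdoe FAIL
1012 198.51.100.2 jdoe FAIL
1015 198.51.100.2 jdoe OK
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Parse log lines into (timestamp, source_ip, username, result) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((int(m[1]), m[2], m[3], m[4]))
    return events


def detect_credential_stuffing(events, window_s=60, min_distinct_users=5):
    """Return {source_ip: set_of_usernames} for sources whose login attempts
    (successes included, since stuffing produces hits) spread over at least
    min_distinct_users distinct accounts within any window_s-second window.
    A legitimate user mistyping their own password touches one account and
    so never trips the threshold, unlike a simple per-account lockout counter."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most window_s.
            while attempts[end][0] - attempts[start][0] > window_s:
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_distinct_users:
                flagged[ip] = users
                break
    return flagged
```

Alerting on the source rather than locking each account it touches avoids turning the detection itself into the availability problem the comment warns about.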