
Should Your Username be More Like a Password?

Only if you like to make things more complicated than they need to be.

System Login Dialog
(Image: canva.com)
Occasionally people suggest that usernames should be treated like passwords. While there's some merit to the idea, it's ultimately impractical.
Question: Wouldn’t it make sense to have usernames follow the same rules as passwords? Wouldn’t that make things even more secure, if the hackers couldn’t guess the username as easily as I assume they can? I’m surprised no one’s done this.

I’ve seen people use password-like usernames, but not for the reasons you mention.

And I haven’t seen any services that require usernames to look anything like a password.

Honestly, I don’t think it’s worth the inevitable confusion — but there are other problems at play as well.


TL;DR:

A truly random username is often not something you get to choose. Usernames are recoverable through the same email-based process as passwords, and services don't store them with the protections passwords get. A random username adds a little obscurity, but it also adds confusion and one more thing to forget. You’re better off securing the account with two-factor authentication wherever it’s supported.

It’s not always an option

Sometimes an account doesn’t have a separate username (or ID) at all. Even when it does, the username may be assigned rather than chosen by you. For instance, it’s common for your email address to be used as your username. That’s convenient because it is simple, easy to remember, and easy to tell people.

Having a password-like username often isn’t an option.

It’s often recoverable

Even if a service allows you to have a separate and distinct username — whether you can choose it or not — chances are your email address is still used as part of the account-recovery process.

I’ve run into sites that offer separate “Forgot your password?” and “Forgot your username?” recovery options. Either can be used to recover your account — even if they have to be used in sequence — by sending confirming messages to your email address. If a hacker has access to your email account, he or she can recover your username just as easily as your password.

Having a password-like username doesn’t add any significant security.

It’s discoverable in breaches

A well-secured user database never stores your password itself. It stores a salted, slow one-way hash of it (bcrypt, scrypt or Argon2 are the usual choices), so someone who steals the database can’t read your password out of it; the best they can do is guess candidate passwords and test each one against the hash.

Usernames, on the other hand, aren’t treated as secrets. The service has to look your account up by username or email address, so those are stored in plain text. A breach will almost certainly expose usernames and/or email addresses, and a random-looking username is exposed exactly as readily as a plain one.

Having a password-like username doesn’t prevent it from being discovered in a breach.
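To make the difference concrete, here is an added example (my own code, not from the article) of how a well-built user table stores credentials and what a dump of that table exposes. It uses scrypt from Python’s standard library as the slow, salted one-way hash; the cost parameters, the table layout and the sample accounts are assumptions for illustration. Passwords go in as salted hashes; usernames and email addresses go in as plain text because the service has to look accounts up by them. The login check also runs the hash for unknown usernames so that response time doesn’t reveal whether a username exists.

```python
"""Added example (not from the article): a credential table that hashes
passwords but keeps usernames in plain text, and what a dump of it leaks."""
import hashlib
import hmac
import os

# scrypt cost parameters; chosen for this example, tune for production.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
HASH_LEN = 32

# The "database": username -> record. Constructed for this example.
USERS = {}


def _hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted one-way hash of a password."""
    return hashlib.scrypt(password.encode(), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_LEN)


def register(username: str, email: str, password: str) -> None:
    """Store a new account. Only the password is hashed; the username and
    e-mail address must stay readable so the service can find the account."""
    salt = os.urandom(16)                       # unique per user
    USERS[username] = {"email": email, "salt": salt,
                       "hash": _hash_password(password, salt)}


def verify(username: str, password: str) -> bool:
    """Check a login. Unknown usernames still pay the scrypt cost so the
    timing of a failure does not reveal whether the username exists."""
    rec = USERS.get(username)
    salt = rec["salt"] if rec else os.urandom(16)
    expected = rec["hash"] if rec else bytes(HASH_LEN)
    digest = _hash_password(password, salt)
    return rec is not None and hmac.compare_digest(digest, expected)


def breach_dump() -> list:
    """What an attacker who copies the table gets: plaintext usernames and
    e-mail addresses, but only salts and hashes in place of the passwords."""
    return [{"username": u, "email": r["email"],
             "salt": r["salt"].hex(), "hash": r["hash"].hex()}
            for u, r in USERS.items()]


if __name__ == "__main__":
    # Both accounts use the same password; the random-looking username is
    # just as visible in the dump as the plain one, and the two hashes differ
    # because each has its own salt.
    register("leo", "leo@example.com", "correct horse battery staple")
    register("wk4vB99wSh3z63gF3Aqc", "n9mBYUrsAZ4Zd9zSrAv5@example.com",
             "correct horse battery staple")
    for row in breach_dump():
        print(row["username"], row["email"], row["hash"][:16] + "...")
    print(verify("leo", "correct horse battery staple"))   # True
    print(verify("leo", "wrong password"))                 # False
```

Run it and compare the two printed rows: every username and address is readable, and the only protection the passwords have is that an attacker must guess them and run scrypt on each guess.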

It’s one more thing to forget

I hear from people every single day who have lost or forgotten their passwords. I can only imagine what would happen if they selected a password-like username.

People often can’t even type their own email addresses correctly (which is why so many services insist you type it in twice). Typing a complex username? A recipe for disaster, if you ask me.

This objection can be mitigated by using a password manager that remembers and enters both your username and password for you.

But in general, having a password-like username makes it harder for you to use it.

You’re welcome to do it!

All that being said, you’re more than welcome to do it. There’s nothing that says you can’t have a username of “wk4vB99wSh3z63gF3Aqc” or an email address of “n9mBYUrsAZ4Zd9zSrAv5@outlook.com”.1

But given how public usernames and email addresses are generally used, I just don’t see it adding significant security. Some? Sure. Enough to make it worth it? Not in my book.

Much better security, with much less confusion and risk, would be to add two-factor authentication to any accounts that support it.

Should I at least have different usernames for different accounts?

You absolutely should use different passwords for different accounts. One school of thought says you should treat usernames the same way.

As we’ve seen, it’s sometimes impractical, as when your email address is used as your username. You could create new email addresses, but that would get old pretty quickly.

If you go this route, I don’t think there’s a lot of added value in making the usernames random; make them variations of your normal username with something to indicate the service to which they’re unique.

Since it’s simple for me to do on the domains I own, I have set up a couple email accounts specifically for certain high-profile accounts, like my Amazon account. They’re not particularly difficult to discover and don’t really add much protection to the accounts. Instead, they serve as early warning signs of other problems. Getting an email from anyone but Amazon on my Amazon-specific email address would be something worth investigating.
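The two ideas above, a per-service variation of your normal username and a service-specific address that serves as a tripwire, can be automated. The following is an added example (my own code, not the article’s setup) that assumes plus-addressing on a single mailbox rather than aliases on a domain you own; the base address, the list of legitimate sender domains and the sample headers are all constructed for illustration. A message that arrives at the Amazon-specific address from a sender that isn’t Amazon is flagged, since the only party that should know that address is Amazon.

```python
"""Added example (not from the article): service-specific e-mail addresses
as tripwires, with a check that flags mail arriving at one of them from an
unexpected sender."""
from email.utils import parseaddr
from typing import Optional

# Sender domains that are legitimate for each tagged address.
# Assumptions for this example, not a real list.
EXPECTED_SENDERS = {
    "amazon": {"amazon.com", "amazon.co.uk"},
    "bank": {"examplebank.com"},
}

# Base mailbox; constructed for this example.
BASE_USER, BASE_DOMAIN = "leo", "example.com"


def service_address(service: str) -> str:
    """The address handed only to one service, e.g. leo+amazon@example.com."""
    return f"{BASE_USER}+{service}@{BASE_DOMAIN}"


def service_from_address(addr: str) -> Optional[str]:
    """Recover the service tag from a tagged address; None if untagged or
    not one of ours."""
    local, _, domain = addr.lower().rpartition("@")
    if domain != BASE_DOMAIN or "+" not in local:
        return None
    user, _, tag = local.partition("+")
    return tag if user == BASE_USER and tag else None


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header. parseaddr splits off
    the display name, so 'Amazon <x@evil.example>' yields 'evil.example'."""
    _, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def check_message(to_header: str, from_header: str) -> str:
    """Classify one message as 'ok', 'untagged', or an 'ALERT: ...' string."""
    _, to_addr = parseaddr(to_header)
    service = service_from_address(to_addr)
    if service is None:
        return "untagged"
    allowed = EXPECTED_SENDERS.get(service, set())
    dom = sender_domain(from_header)
    # Accept the listed domains and their subdomains (mail.examplebank.com).
    if dom in allowed or any(dom.endswith("." + a) for a in allowed):
        return "ok"
    return (f"ALERT: {to_addr} may have leaked: mail from {dom}, "
            f"expected one of {sorted(allowed)}")


# Constructed sample headers, not real mail. The second one spoofs the
# display name but not the domain, which is what the check looks at.
SAMPLE = [
    ("leo+amazon@example.com", "Amazon.com <ship-confirm@amazon.com>"),
    ("leo+amazon@example.com", "Amazon Security <verify@amaz0n-support.example>"),
    ("leo@example.com", "newsletter@somesite.example"),
    ("leo+bank@example.com", "alerts@mail.examplebank.com"),
]

if __name__ == "__main__":
    for to, frm in SAMPLE:
        print(f"{to:28} {check_message(to, frm)}")
```

The check deliberately ignores the display name and looks only at the domain of the actual sender address, because a display name is the first thing a phisher forges. It is an early warning, not a protection: as the article says, a leaked tagged address doesn’t make the account itself any weaker, it just tells you that somebody other than the service now has it.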

Scenarios where random usernames have value

There are two scenarios where you see random usernames and email names, like our “wk4vB99wSh3z63gF3Aqc” and “n9mBYUrsAZ4Zd9zSrAv5@outlook.com” examples above.

  1. Individuals attempting to be anonymous. Randomness is one less thing to be traced back to you.
  2. Spam.

Though, now that I think about it, since spam uses random addresses to hide its origin, #2 is really also about trying to be anonymous.


Footnotes & References

1: As long as it’s not already taken. :-)

9 comments on “Should Your Username be More Like a Password?”

    • I have mixed feelings. Chances are your first name and last name are already exposed some other way (like in the display text associated with the email address) so you’re not really hiding your name. Then it probably boils down to how common a name you have. john.smith might be one to avoid, just because hackers will probably try it. leo.notenboom perhaps not.

      I think full names, regardless of commonality, are better than what many people consider to be “vanity” addresses, like firstname only. I can confirm that over the years my leo@ email addresses get more spam. Smile

      As for usernames — as I said in the article I’m not as concerned about making them complex. Most of my user names are “Leo” when I can pull it off, but then protected with strong passwords and 2FA wherever possible.

      Reply
      • In the early days of email, I had a friend who appended her phone number to her name. She said that a simple name is much easier for the spammers to guess, and a more complex email wouldn’t draw as much spam. I’ve observed that my email addresses containing numbers get less spam than the ones with my name only.

        Reply
  1. I use password-like usernames because it would be harder for someone else to guess them. I do the same thing with security questions. Like, what high school did you attend? Family members know the true answer. Put in 5 or 6 random characters and they won’t get in. Or use an out-of-context answer like dinosaur. But for hackers, if they’ve gotten that far, you ain’t gonna stop them at that point anyway.

    Reply
    • Regarding security questions and answers… As long as the answer has no actual link to the question.
      The name of my first pet? Checoslovakia
      The name of my grade school? Barnard Star.

      Don’t worry, I’ve never used THOSE specific answers anywhere :)

      Reply
    • I do the same as GlenLW with LastPass. I choose an Easy to Say word for usernames and answers to security questions. I save the username in that field, and save the answer to the security questions in the Memo field. Never had any problems, since LastPass takes care of entering it in.

      Reply
  2. Just a couple of general questions.
    1. Where has the “AskLeo!- Archives” gone? The URL I used before is no longer valid.
    2. Is it possible to save one of your Articles as a PDF? No PDFs seem to display properly (lines missing).

    Thanks

    Reply
