Only if you like to make things more complicated than they need to be.
I’ve seen people use password-like usernames, but not for the reasons you mention.
And I haven’t seen any services that require usernames to look anything like a password.
Honestly, I don’t think it’s worth the inevitable confusion — but there are other problems at play as well.
Having or making a truly random username is often not an option. Usernames are recoverable, and are not treated with the same security measures passwords are. While a random username might make an account slightly more obscure, it would also add confusion and be one more thing to forget. You’re better off increasing the security of your account by adding two-factor authentication wherever possible.
It’s not always an option
Sometimes an account doesn’t have a separate username (or ID). Even if there is, it may be assigned rather than something you can choose. For instance, it’s common for your email address to be used as your username. That’s convenient because it is simple, easy to remember, and easy to tell people.
Having a password-like username often isn’t an option.
It’s often recoverable
Even if a service allows you to have a separate and distinct username — whether you can choose it or not — chances are your email address is still used as part of the account-recovery process.
I’ve run into sites that offer separate “Forgot your password?” and “Forgot your username?” recovery options. Either can be used to recover your account — even if they have to be used in sequence — by sending confirming messages to your email address. If a hacker has access to your email account, he or she can reset your username as easily as your email.
Having a password-like username doesn’t add any significant security.
It’s discoverable in breaches
A well-secured user database should always have your passwords one-way encrypted (hashed). A hacker should never be able to figure out your password from the information in a security breach.
On the other hand, usernames aren’t considered sensitive information and are generally not encrypted. A breach will almost certainly expose usernames and/or email addresses.
Having a password-like username doesn’t prevent it from being discovered in a breach.
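To make the difference concrete, here is an added example (not from the original article) of a user record stored the way this section describes: the username as-is, the password only as a salted one-way hash. The record layout, iteration count and sample password are assumptions for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this sketch


def make_record(username: str, password: str) -> dict:
    """Store the username verbatim and the password as a salted one-way hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"username": username, "salt": salt.hex(), "pw_hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Login check: re-derive the hash from the candidate and compare."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(digest.hex(), record["pw_hash"])


def leaked_fields(record: dict, secrets: dict) -> list:
    """Names of the secrets that can be read verbatim out of a dumped record."""
    dump = " ".join(str(value) for value in record.values())
    return [name for name, value in secrets.items() if value in dump]


if __name__ == "__main__":
    # Constructed sample: the article's random username and a made-up password.
    user, pw = "wk4vB99wSh3z63gF3Aqc", "Constructed-Pass-phrase-1"
    record = make_record(user, pw)
    print(record)
    print(leaked_fields(record, {"username": user, "password": pw}))
```

However random the username is, it sits in the dump in readable form, while the password can only be tested by guessing.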
It’s one more thing to forget
I hear from people every single day who have lost or forgotten their passwords. I can only imagine what would happen if they selected a password-like username.
People often can’t even type their own email addresses correctly (which is why so many services insist you type it in twice). Typing a complex username? A recipe for disaster, if you ask me.
This objection can be mitigated by using a password manager that remembers and enters both your username and password for you.
But in general, having a password-like username makes it harder for you to use it.
You’re welcome to do it!
All that being said, you’re more than welcome to do it. There’s nothing that says you can’t have a username of “wk4vB99wSh3z63gF3Aqc” or an email address of “n9mBYUrsAZ4Zd9zSrAv5@outlook.com”.[1]
But given how public usernames and email addresses are generally used, I just don’t see it adding significant security. Some? Sure. Enough to make it worth it? Not in my book.
Much better security, with much less confusion and risk, would be to add two-factor authentication to any accounts that support it.
Should I at least have different usernames for different accounts?
You absolutely should use different passwords for different accounts. One school of thought says you should treat usernames the same way.
As we’ve seen, it’s sometimes impractical, as when your email address is used as your username. You could create new email addresses, but that would get old pretty quickly.
If you go this route, I don’t think there’s a lot of added value in making the usernames random; make them variations of your normal username with something to indicate the service to which they’re unique.
Since it’s simple for me to do on the domains I own, I have set up a couple email accounts specifically for certain high-profile accounts, like my Amazon account. They’re not particularly difficult to discover and don’t really add much protection to the accounts. Instead, they serve as early warning signs of other problems. Getting an email from anyone but Amazon on my Amazon-specific email address would be something worth investigating.
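The early-warning idea above can be automated. This added example (not the author's own setup) flags mail that arrives on a service-specific address from a sender outside the expected domain; the address amazon@example.org, the allowed-domain list and the sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Hypothetical mapping: dedicated address -> sender domains expected to use it.
CANARIES = {"amazon@example.org": {"amazon.com"}}


def sender_domain(msg) -> str:
    """Domain part of the From header, lower-cased ('' if missing)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def domain_allowed(domain: str, allowed: set) -> bool:
    """True for an exact match or a subdomain of an allowed domain."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)


def check_message(raw: str):
    """Return an alert string if a dedicated address got unexpected mail, else None."""
    msg = message_from_string(raw)
    headers = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Delivered-To", [])
    domain = sender_domain(msg)
    for _, rcpt in getaddresses(headers):
        allowed = CANARIES.get(rcpt.lower())
        if allowed is not None and not domain_allowed(domain, allowed):
            return f"ALERT: {rcpt.lower()} got mail from {domain or 'unknown sender'}"
    return None


# Constructed sample messages.
LEGIT = "From: Amazon <order-update@amazon.com>\nTo: amazon@example.org\nSubject: Your order\n\nShipped.\n"
UNEXPECTED = "From: Deals <promo@bulk-mailer.example>\nTo: amazon@example.org\nSubject: You won\n\nClick.\n"
UNRELATED = "From: friend@example.net\nTo: me@example.org\nSubject: Hi\n\nLunch?\n"

if __name__ == "__main__":
    for raw in (LEGIT, UNEXPECTED, UNRELATED):
        print(check_message(raw))
```

The From header is easy to forge, so a quiet result is not proof that the address is still private; an alert, though, is a reliable sign the address has leaked somewhere.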
Scenarios where random usernames have value
There are two scenarios where you see random usernames and email names, like our “wk4vB99wSh3z63gF3Aqc” and “n9mBYUrsAZ4Zd9zSrAv5@outlook.com” examples above.
- Individuals attempting to be anonymous. Randomness is one less thing to be traced back to you.
Though, now that I think about it, since spam uses it in an attempt to hide its origin, #2 is also about trying to be anonymous.
Footnotes & References
1: As long as it’s not already taken. :-)