Only if you like to make things more complicated than they need to be.
I’ve seen people use password-like usernames, but not for the reasons you mention.
And I haven’t seen any services that require usernames to look anything like a password.
Honestly, I don’t think it’s worth the inevitable confusion — but there are other problems at play as well.
Having a truly random username is often not an option. Usernames are recoverable, and are not treated with the same security measures passwords are. While a password-like username might make an account slightly more obscure, it would also add confusion and be one more thing to forget. You’re better off increasing the security of your account by adding two-factor authentication wherever possible.
It’s not always an option
Sometimes an account doesn’t have a separate username (or ID). Even if there is, it may be assigned rather than something you can choose. For instance, it’s common for your email address to be used as your username. That’s convenient because it is simple, easy to remember, and easy to tell people.
Having a password-like username often isn’t an option.
It’s often recoverable
Even if a service allows you to have a separate and distinct username — whether you can choose it or not — chances are your email address is still used as part of the account-recovery process.
I’ve run into sites that offer separate “Forgot your password?” and “Forgot your username?” recovery options. Either can be used to recover your account — even if they have to be used in sequence — by sending confirming messages to your email address. If a hacker has access to your email account, he or she can reset your username as easily as your password.
Having a password-like username doesn’t add any significant security.
It’s discoverable in breaches
A well-secured user database never stores your password itself; it stores only a salted, one-way hash of it, ideally computed with a deliberately slow hashing function. A hacker who gets hold of the database should not be able to read your password from it. The one caveat: a weak or common password can still be guessed offline, by hashing candidate passwords and comparing the results, which is another reason the password itself needs to be strong.
On the other hand, usernames aren’t considered sensitive information and are generally stored in plain text. A breach will almost certainly expose usernames and/or email addresses.
Having a password-like username doesn’t prevent it from being discovered in a breach.
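To make the breach point concrete, here is a small added example (it is not code from the article, and the sample accounts, the word list and the `ITERATIONS` work factor are constructed assumptions). It builds a tiny user table the way a well-run service would store it, with usernames and email addresses in plain text and passwords as salted PBKDF2 hashes, and then shows what an attacker gets from the dump: every username and email address directly, and the password only if it is weak enough to be guessed from a word list. The “random” username does nothing to hide the account, while the plain username with a strong password survives the guessing run.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. An assumed value chosen so the example runs
# quickly; real systems should use a dedicated password hash (argon2id, scrypt,
# bcrypt) or a far higher iteration count.
ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, one-way hash). A fresh random salt is generated if none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash for a candidate password and compare it in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class UserRow:
    """One row of a user table, exactly as a breach dump would expose it."""
    username: str
    email: str
    salt: bytes
    password_hash: bytes


def build_breached_table() -> List[UserRow]:
    """Constructed sample data: a random-looking username guarding a weak password,
    and a plain username guarding a strong one."""
    sample_accounts = [
        ("wk4vB99wSh3z63gF3Aqc", "n9mBYUrsAZ4Zd9zSrAv5@outlook.com", "password123"),
        ("leo", "leo@example.com", "Thr33 brown foxes quietly Lunch @ 7"),
    ]
    rows = []
    for username, email, password in sample_accounts:
        salt, digest = hash_password(password)
        rows.append(UserRow(username, email, salt, digest))
    return rows


def exposed_identifiers(rows: List[UserRow]) -> List[Tuple[str, str]]:
    """What an attacker reads straight out of the dump: every username and email
    address, random-looking or not, with no cracking required."""
    return [(row.username, row.email) for row in rows]


# Constructed mini word list standing in for the multi-million-entry lists used
# in real offline cracking runs.
WORDLIST = ["123456", "password", "qwerty", "password123", "letmein"]


def crack_with_wordlist(row: UserRow, wordlist: List[str]) -> Optional[str]:
    """Offline guessing against the stored hash. Returns the password if it is in
    the word list, otherwise None. The username plays no part in this at all."""
    for guess in wordlist:
        if verify_password(guess, row.salt, row.password_hash):
            return guess
    return None


if __name__ == "__main__":
    table = build_breached_table()
    print("Exposed directly:", exposed_identifiers(table))
    for row in table:
        print(f"{row.username!r}: cracked password = {crack_with_wordlist(row, WORDLIST)!r}")
```

Run it and the first account, despite its twenty-character username, gives up `password123` after four guesses; the `leo` account gives up nothing, because the work is all in the password hash, not in the obscurity of the name.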
It’s one more thing to forget
I hear from people every single day who have lost or forgotten their passwords. I can only imagine what would happen if they selected a password-like username.
People often can’t even type their own email addresses correctly (which is why so many services insist you type it in twice). Typing a complex username? A recipe for disaster, if you ask me.
This objection can be mitigated by using a password manager that remembers and enters both your username and password for you.
But in general, having a password-like username makes it harder for you to use it.
You’re welcome to do it!
All that being said, you’re more than welcome to do it. There’s nothing that says you can’t have a username of “wk4vB99wSh3z63gF3Aqc” or an email address of “n9mBYUrsAZ4Zd9zSrAv5@outlook.com”.1
But given how public usernames and email addresses are generally used, I just don’t see it adding significant security. Some? Sure. Enough to make it worth it? Not in my book.
Much better security, with much less confusion and risk, would be to add two-factor authentication to any accounts that support it.
Should I at least have different usernames for different accounts?
You absolutely should use different passwords for different accounts. One school of thought says you should treat usernames the same way.
As we’ve seen, it’s sometimes impractical, as when your email address is used as your username. You could create new email addresses, but that would get old pretty quickly.
If you go this route, I don’t think there’s a lot of added value in making the usernames random; make them variations of your normal username with something to indicate the service to which they’re unique.
Since it’s simple for me to do on the domains I own, I have set up a couple email accounts specifically for certain high-profile accounts, like my Amazon account. They’re not particularly difficult to discover and don’t really add much protection to the accounts. Instead, they serve as early warning signs of other problems. Getting an email from anyone but Amazon on my Amazon-specific email address would be something worth investigating.
Scenarios where random usernames have value
There are two scenarios where you see random usernames and email names, like our “wk4vB99wSh3z63gF3Aqc” and “n9mBYUrsAZ4Zd9zSrAv5@outlook.com” examples above.
- Individuals attempting to be anonymous. Randomness is one less thing to be traced back to you.
- Spam.
Though, now that I think about it, since spam uses random names in an attempt to hide its origin, #2 is really also about trying to be anonymous.
Footnotes & References
1: As long as it’s not already taken. :-)
Nice topic Leo. Okay, I get your point on complex usernames. I always shied away from firstname.lastname@domain.com.
Thought?
I have mixed feelings. Chances are your first name and last name are already exposed some other way (like in the display text associated with the email address) so you’re not really hiding your name. Then it probably boils down to how common a name you have. john.smith might be one to avoid, just because hackers will probably try it. leo.notenboom perhaps not.
I think full names, regardless of commonality, are better than what many people consider to be “vanity” addresses, like firstname only. I can confirm that over the years my leo@ email addresses get more spam.
As for usernames — as I said in the article I’m not as concerned about making them complex. Most of my user names are “Leo” when I can pull it off, but then protected with strong passwords and 2FA wherever possible.
In the early days of email, I had a friend who appended her phone number to her name. She said that a simple name is much easier for the spammers to guess, and a more complex email wouldn’t draw as much spam. I’ve observed that my email addresses containing numbers get less spam than the ones with my name only.
I use password-like user names because it would be harder for someone else to guess them.
I do the same thing with security questions. Like, what high school did you attend? Family members know the true answer. Put in 5 or 6 random characters and they won’t get in. Or use an out-of-context answer like dinosaur. But for hackers, if they’ve gotten that far, you ain’t gonna stop them at that point anyway.
Password-like security question answers are a good idea, but as the article states, the protection offered by using an obscure username is insignificant.
Regarding security questions and answers… As long as the answer has no actual link to the question.
The name of my first pet ? Checoslovakia
The name of my grade school ? Barnard Star.
Don’t worry, I’ve never used THOSE specific answers anywhere :)
I do the same as GlenLW with LastPass. I choose an Easy to Say word for usernames and answers to security questions. I save the username in that field, and save the answer to the security questions in the Memo field. Never had any problems, since LastPass takes care of entering it in.
Just a couple of general questions.
1. Where has the “AskLeo!- Archives” gone? The URL I used before is no longer valid.
2. Is it possible to save one of your Articles as a PDF? No PDF’s seem to display properly (lines missing).
Thanks
Article archives
https://newsletter.askleo.com/2021/ Just change the last digit or two of the date to get the newsletters from a different year.