Marginal-Cost Security

People often laugh when they see one of my many online usernames. They look comic because they are completely unrecognizable and meaningless on their own.


See? That’s a crazy username, so why would any reasonable person choose such complex credentials? My defense harks back to a fundamental economic law: marginal utility. Random usernames provide disproportionate security compared to the marginal cost of using them.

You know what? I use a password manager, such as 1Password, LastPass, or KeePass, and it automatically fills in both my username and password for me. I only know one password, and it’s a real doozy! Because of this, there is zero additional work required on my part to have a random username, just as there is zero additional work required to have a random password.

The Security Risk of Single Online Handles

We’ve all heard that it’s bad to use the same password for all of your online accounts. In fact, there is story after story of people being attacked through the chaining of credentials across accounts. Someone starts with your Pinterest login and from there eventually finds their way into your email, your bank, and whatever else. Therefore, we use a separate password for each account and are safe, right?

Well, it turns out that if you have someone’s username and you sound confident on the phone, you have an effective way of gaining unauthorized access to account information by way of clever social engineering. Suppose, however, that your Pinterest username is pfwkPgtiBzEf_6a8 and your email username is kVZfuvsXjDYGlEZe. In this case, having the information for one account tells practically nothing about the other. (Disclaimer: If someone logs into your Pinterest account, they can read the email address listed on the account, defeating this layer of defense, but that’s a topic for another blog post on obfuscating personal email addresses.)

The Privacy Risk of Single Online Handles

Correlation is a statistician’s friend, building relationships between seemingly independent data. By now, most internet users are aware of the massive spying going on across the internet, by governments and private organizations alike. Your private information is incredibly valuable, and people are harvesting it without your consent. Using an algorithm as simple as comparing usernames across different web services, your information can be linked together to build a comprehensive profile. Using a random username adds one more barrier to this process. Random (more precisely, cryptographically pseudo-random) means that there is no feasible mathematical way to link up the different strings created as usernames. The data-miners must resort to other, more complicated means of correlating them.
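The credential-chaining and correlation points from both sections above, as an added illustration that is not part of the original post: a handle generator in the page’s sample format (assumed alphabet of letters, digits and underscore, 16 characters, drawn from the OS CSPRNG as a password manager would) and the naive “compare usernames across services” linking step, run over constructed accounts for a handle-reuser and a random-handle user.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet matching the page's sample handles (e.g. pfwkPgtiBzEf_6a8): assumed, not
# taken from any particular password manager.
USERNAME_ALPHABET = string.ascii_letters + string.digits + "_"


def generate_username(length: int = 16) -> str:
    """Draw a handle uniformly from the alphabet using the OS CSPRNG (secrets)."""
    return "".join(secrets.choice(USERNAME_ALPHABET) for _ in range(length))


def username_entropy_bits(length: int = 16) -> float:
    """Entropy of a uniformly random handle: length * log2(alphabet size)."""
    return length * math.log2(len(USERNAME_ALPHABET))


def link_accounts(accounts):
    """The simple data-miner correlation the post describes: group accounts whose
    handles match (case-insensitively). Returns {handle: [services]} for every
    handle seen on more than one service, i.e. the cross-service links a miner
    gets for free."""
    by_handle = defaultdict(list)
    for service, username in accounts:
        by_handle[username.strip().lower()].append(service)
    return {handle: svcs for handle, svcs in by_handle.items() if len(svcs) > 1}


# Constructed sample data: one person reusing a handle everywhere, one person
# letting the password manager pick a fresh random handle per service.
REUSED = [("pinterest", "janedoe84"), ("email", "JaneDoe84"), ("bank", "janedoe84")]
RANDOM = [(svc, generate_username()) for svc in ("pinterest", "email", "bank")]

if __name__ == "__main__":
    print("reused handle links:", link_accounts(REUSED))   # all three services linked
    print("random handle links:", link_accounts(RANDOM))   # {} – nothing to correlate
    print(f"bits per 16-char handle: {username_entropy_bits():.1f}")  # ~95.6
```

A 16-character handle over this alphabet carries about 95.6 bits, so two independently generated handles collide (and thus get linked by this step) with negligible probability.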


Do we really gain that much by using random usernames? Maybe not, but the benefit is huge in comparison to the marginal cost it took to achieve it. In other words, I may not climb down into a drain to grab a penny shining through to the street above, but if there’s one at my feet I’ll pick it up.

Categories: privacy, security, technology
