DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

Vigor2620Ln admin user change

13 Jun 2020 15:00 #7 by timo_w2s
Replied by timo_w2s on topic Re: Vigor2620Ln admin user change
Not disagreeing with using a strong password but surely not knowing the username OR password makes it even harder to guess the correct combination?

20 Jun 2020 09:11 #8 by admin
Replied by admin on topic Re: Vigor2620Ln admin user change

timo_w2s wrote:
Not disagreeing with using a strong password but surely not knowing the username OR password makes it even harder to guess the correct combination?

No, because they're the same factor type.
admin/12345xxxxxxxxxxxxxxxx and
12345/xxxxxxxxxxxxxxxx would be equally secure

(where the first part is the username).

The username is only useful in distinguishing accounts, not security.

Forum Administrator
20 Jun 2020 14:36 #9 by hornbyp
Replied by hornbyp on topic Re: Vigor2620Ln admin user change

timo_w2s wrote:
...surely not knowing the username OR password makes it even harder to guess the correct combination?

Correct!

admin wrote:
No, because they're the same factor type.
admin/12345xxxxxxxxxxxxxxxx and
12345/xxxxxxxxxxxxxxxx would be equally secure

Factor type? ... what's that mean?

If you don't know the Username the password relates to, it's of no use to you at all.

Changing the 'Administrator' username as a security precaution, was something I learned in about 1983 - from the Vax/VMS Security Manual.

Clearing out the last used Username on a Windows logon, is a recommended practice (set via Group Policy).

22 Jun 2020 14:38 #10 by admin
Replied by admin on topic Re: Vigor2620Ln admin user change

hornbyp wrote:

timo_w2s wrote:
...surely not knowing the username OR password makes it even harder to guess the correct combination?

Correct!

A username/password "combination" of, say, 10 + 10 characters each is just a combination of 20 characters
so guessing 10+10 is no more secure than guessing 20...

i.e. admin/12345678901234567890 vs. frank/123456789012345

hornbyp wrote:
If you don't know the Username the password relates to, it's of no use to you at all.

How would you know a password without a username? Obviously, you could, but give an example of how it might come about?

hornbyp wrote:
Changing the 'Administrator' username as a security precaution, was something I learned in about 1983

Well, assuming the same number of characters in each combination (like above) it's not. It only provides the ability to differentiate between users.

hornbyp wrote:
from the Vax/VMS Security Manual.

Maybe Vax only allowed a limited password length or they assumed people would not use long passwords.

hornbyp wrote:
Clearing out the last used Username on a Windows logon, is a recommended practice (set via Group Policy).

That's because in Windows, usernames are used to differentiate users - so if you know "Jim" is the user, you know who your target is, making reconnaissance easier. Also, Windows now uses PINs (optionally) which can be very short.

In reality, people won't use long/secure passwords, so a different username does effectively 'extend' the unknown factor length, but that wasn't the point being made. Given a fixed username, a longer password will be as secure as a shorter one with a different username.

Forum Administrator

23 Jun 2020 02:31 #11 by hornbyp
Replied by hornbyp on topic Re: Vigor2620Ln admin user change

admin wrote:
How would you know a password without a username? Obviously, you could, but give an example of how it might come about?

This is delving into the detail, of how you might attack a particular device.

and he wrote:

because, earlier, I wrote:
Changing the 'Administrator' username as a security precaution, was something I learned in about 1983

Well, assuming the same number of characters in each combination (like above) it's not.

OK, if the word of the once mighty Digital Equipment Corporation is not good enough for you, how about Microsoft?

They wrote:
Because the administrator account exists on all Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), renaming the account makes it slightly more difficult for attackers to guess this user name and password combination.

Taken from this part of their Security Guide: https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account

admin wrote:
Maybe Vax only allowed a limited password length or they assumed people would not use long passwords.

I can't remember what the limit was. But using only "A-Z" and limiting the length to 7 characters gives double the number (26?) than could be stored uniquely (the hash of the password was stored as a 32-bit value (2³²)).

"Long" passwords are deemed undesirable these days, since "(they can) result in user behavior that is predictable and undesirable." - Microsoft again.
(Full document here: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide , for anyone interested.)

27 Jun 2020 12:51 #12 by admin
Replied by admin on topic Re: Vigor2620Ln admin user change

hornbyp wrote:
OK, if the word of the once mighty Digital Equipment Corporation is not good enough for you, how about Microsoft?

You're ignoring my previous point: People do not use sufficiently long/complex passwords, in which case a different username extends it.
My original point that 5+10 characters is just as secure as 15 characters stands, and is relevant in the context where someone
wants a different username to 'aid security' - the solution is to add that username or any other characters to the password
which is then equally secure.

Forum Administrator
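A worked comparison of the search spaces the two posters are arguing over (admin's "5+10 characters is just as secure as 15" claim in #12, and hornbyp's VAX/VMS 26-letter, 7-character, 32-bit-hash figure in #11), as an added example that is not part of the forum thread. The 10,000-name list size used for a guessable username is a constructed figure, not one from the thread.

```python
import math


def keyspace_bits(charset_size: int, length: int) -> float:
    """Work (in bits) to exhaust a uniformly random string of `length`
    symbols drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def wordlist_bits(candidates: int) -> float:
    """Work (in bits) to exhaust a username picked from a list of
    `candidates` common names: a 'secret' username is only as strong
    as the list it was drawn from."""
    return math.log2(candidates)


def pair_bits(username_bits: float, pass_charset: int, pass_len: int) -> float:
    """Total work for one username/password pair. `username_bits` is 0 when
    the username is known (e.g. 'admin'), else the bits needed to guess it."""
    return username_bits + keyspace_bits(pass_charset, pass_len)


def vms_hash_check(charset_size: int, length: int, hash_bits: int) -> tuple:
    """The thread's VAX/VMS observation: when more distinct passwords exist
    than distinct hash values, the pigeonhole principle guarantees
    collisions. Returns (password_count, hash_values, collisions_certain)."""
    passwords = charset_size ** length
    hashes = 2 ** hash_bits
    return passwords, hashes, passwords > hashes


if __name__ == "__main__":
    DIGITS = 10
    # admin's claim: 5 random secret digits + 15 password digits equals
    # a known username with 20 password digits.
    same = pair_bits(keyspace_bits(DIGITS, 5), DIGITS, 15)
    longer = pair_bits(0, DIGITS, 20)
    print(f"random 5-digit username + 15 digits: {same:.1f} bits")
    print(f"known username + 20 digits:          {longer:.1f} bits")
    # Constructed figure: a username guessed from a list of 10,000 names
    # adds far fewer bits than 5 random symbols would.
    guessable = pair_bits(wordlist_bits(10_000), DIGITS, 15)
    print(f"name-list username + 15 digits:      {guessable:.1f} bits")
    # hornbyp's figure: 26 letters, 7 characters, against a 32-bit hash.
    print("26^7 passwords vs 2^32 hash values:", vms_hash_check(26, 7, 32))
```

The equality holds only when the username is as random as the password characters it replaces; a name drawn from a short list adds roughly log2(list size) bits, which is the practical gap between the two posters' positions.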