Why using the same user ID may give away more than you think - Friday Thoughts

Image001

Roger Grimes posted a very insightful blog about reuse of user ID and passwords, with the usual sprinkling of fairy dust and FUD to create sales for security experts, however it co-insides with Microsoft publishing some data about the reuse of passwords on different web sites and a very good research paper from INRIA in France which asked “How unique and traceable are usernames

Essentially can identities established on multiple web sites be linked together based on the usernames to recreate an “identity” and what are the implications for privacy?  INRIA experiment looked at over 10 million usernames from popular services such as Google and eBay. In some of the tests, Google profiles that listed multiple accounts on different web services were used to establish “ground truth” about linked usernames.

The first finding was that the usernames chosen by people on the various websites tend to be very unique, with a probability of duplication being approximately one in one billion. This was true for a variety of web services, including a corporate network, Finnish web forums, and MySpace.

Second, the researchers found that when people used different usernames for different services, many of the usernames were constructed by making very small changes to existing usernames (e.g., sarah, sarah2).

Third, the study demonstrated that more than 50% of the usernames created for different services could be linked to one another because the username was identical, or very similar, and unique from other usernames.

Whilst privacy is a setting and you choice to limit the data about yourself on a case by case basis which each digital service (ebay, picasa, flickr, facebook, twitter, google, blogger, etc, if your profile can be linked to other services from other providers than it would appear to be feasible to build a more detailed personal profile from the various bits of partial information.

That being the theory someone quickly wrote a software application as a demonstration that theory has some justification. A quick examination of people using anonymous file sharing services (private BitTorrent trackers) found that 13 out of the 20 usernames examined could be linked to other web services (e.g., YouTube, eBay) and 4 usernames could be linked to real-world identities.

Two Sides

1.      Having everything linked could save you a lot of time and bring you value and so what these are not critical services (but I bet you use the same for banking…)  Google will do this for you (new service 17 Feb 2010) as part of their social search.

2.      Breach one, breach all.

Outcome

We need something better then Username and Passwords

 

Image from http://twitter.com/#!/STOP_IDFRAUDUK