grwsmith (Tutor)
Jun 15, 2015
How can I change the Username itself, not just the password?
Hello,
How can I change the Username itself, not just the password, please?
Cheers, Guy.
18 Replies
- Fairytail (Virtuoso)
Are you referring to the username and password of the UI? If that's the case, you cannot change the username as there is no option for you to change it.
- alexthefool (Aspirant)
I hope we can do that in the coming firmware.....
Frankly, no need to try the username is half the way to crack in the router.
- Fairytail (Virtuoso)
They have included on their KB articles that the username of the router cannot be changed.
- Babylon5 (NETGEAR Employee Retired)
alexthefool wrote: Frankly, no need to try the username is half the way to crack in the router.
That’s not correct, you are confusing Identification and Authentication, the User ID is as implied - an Identifier.
I work on Secret networks, if you were able to walk into my office and access a computer you would be able to enter my User ID without any problems (or anyone else in my office), it’s my name. That’s common for many networks.
The reason that the router does not have a changeable admin ID is that it’s not the kind of device that would have multiple administrators, so maintaining a record of the current Admin ID would be a wasted effort.
Here’s some links, there are thousands of similar links if you search for something like “What is the difference between identification and authentication”
https://technet.microsoft.com/en-us/library/cc512578.aspx
http://science.opposingviews.com/difference-between-identification-authentication-3471.html
http://security.stackexchange.com/questions/10933/difference-between-authentication-and-identification-crypto-and-security-perspe
http://www.infosectoday.com/Articles/AU5219_C01.pdf
- fordem (Mentor)
There is a security risk in not allowing the name of the admin user to be changed - this is what's called two factor authentication, you need to know two things to get access, the ID & the password, and you already know one.
A few decades back, when I was doing IBM midrange support one of the presenters at a seminar was touting the security of the AS/400 series as unparalleled until I pointed out exactly what you see above, OS400 would actually tell you whether the username or the password was wrong - contrast that to many platforms that will only tell you that one of the two is wrong, leaving you to figure out which of the two it is.
Back then, I could spend half an hour chatting with a machine operator in the break room over lunch, and then walk up to their workstations and login as them, typically guessing their password within three tries - IBM training provided specific examples of passwords, and many of the users, not realizing that those were simply guidelines, took the examples back and used them literally - husbands' names, children's names, that sort of stuff.
Not allowing the username to be changed is a support issue, we are dealing with a consumer product that typically ends up in the hands of users who, given the ability to change more than necessary, will get themselves deeper into trouble.
- Babylon5 (NETGEAR Employee Retired)
As I say, the user ID is commonly known, it’s handled as public information.
Every member of these forums knows the User ID of every other member. I can attempt to log in as anyone else, I get five attempts and I am then locked out from logging in (as anyone) for 15 minutes, with an e-mail sent to the person who I attempt to log in as.
I know the login IDs of every person in my company. If I walk up to a computer that is at the lock screen and I press a key a message on screen will tell me that User-ID is currently logged in. If I repeatedly try to log in as that person the computer locks out for a period of time. If I go to the C:/Users directory of the PC I will see a list of all users who have successfully logged into this PC as the system has added profiles for them, the directory names are all the same as their User ID.
I am not at all concerned that people in my company know my User ID for both General and Secret networks because I know that they don’t know my password. If I have network problems at work and I call the IT department, one of their first questions is ‘what is your User ID?’, they may have the ability to reset my password, but they have no visibility of my chosen password and will never ask for it.
I am not concerned that people can attempt to log in as me in these forums, because I know that they don’t know my password, and will not guess it (it’s part pseudorandom, long, and contains a mixture of cases and special characters).
Many trusted systems have default User IDs that cannot be changed, e.g. admin, root, administrator, sys, system.
My point is that even high level trusted systems do not normally do anything to obscure/hide User Identification, and I can guarantee that even though my User ID is publicly known that information does not put people ‘half way’ to ‘cracking’ my account.
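Added example, not written by anyone in this thread and not NETGEAR's code: a login check that treats the user ID as public, returns one failure message whether the ID or the password was wrong (the OS/400 behaviour fordem describes is the opposite), and locks out after five failures for 15 minutes as in the post above. The `LoginGate` class, its method names and the per-account lockout scope are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 5              # attempts before lockout, figure from the post above
LOCKOUT_SECONDS = 15 * 60     # lockout length, figure from the post above
GENERIC_FAILURE = "Invalid user ID or password"   # never says which one was wrong


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGate:
    """Hypothetical login check: public user IDs, secret passwords."""

    def __init__(self):
        self.users = {}       # user_id -> (salt, derived key)
        self.failures = {}    # user_id -> (failed count, locked-until time)
        # Dummy record so unknown IDs cost the same work as known ones.
        self._dummy = (os.urandom(16), os.urandom(32))

    def add_user(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[user_id] = (salt, _derive(password, salt))

    def login(self, user_id: str, password: str, now: float):
        count, locked_until = self.failures.get(user_id, (0, 0.0))
        if now < locked_until:
            return False, GENERIC_FAILURE      # locked: even the right password fails
        known = user_id in self.users
        salt, stored = self.users.get(user_id, self._dummy)
        match = hmac.compare_digest(_derive(password, salt), stored)
        if known and match:
            self.failures.pop(user_id, None)
            return True, "OK"
        # Failures are counted for unknown IDs too, so lockout behaves the same.
        count += 1
        if count >= MAX_ATTEMPTS:
            self.failures[user_id] = (0, now + LOCKOUT_SECONDS)
        else:
            self.failures[user_id] = (count, 0.0)
        return False, GENERIC_FAILURE
```
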
- fordem (Mentor)
Let me ask you this - do you use online banking? The next time you go to the bank's web portal login to your account, does it prompt you with the user name of the last person who logged in from that computer?
- Babylon5 (NETGEAR Employee Retired)
Yes I do use online banking, but the situation you describe does not occur since I don’t use a shared computer to access the account. But a User ID is required and it’s not secret, the extra authentication is a question (which anyone who knows me will know the answer to), and an electronic token generator is used.
Are you suggesting that everything I have posted is incorrect and that standard practice is not to treat the User ID as a public identifier, is the information in those links I posted incorrect, there were a great many more? Do you feel that the security of a router is compromised because the User ID is known, and if so would you also say that the Secret networks I use are also compromised for the same or similar reasons?
- fordem (Mentor)
Your bank is using three factor authentication - who you are (or claim to be), what you know, and what you have. There are quite a few that only use two factor authentication - username & password - and the big difference between these and ecommerce sites that also use two factor is that the bank system forces the username to be entered every time you go to the site.
Many ecommerce sites, where the focus is on ease of use rather than security, "remember" you and just require the password to be entered.
All I am doing is pointing out here that whatever the authentication system, if one factor is known, the task of getting in is significantly easier - you seem to feel that the real security is the token, but if I had it, it would not help me any, unless I knew the other two.
From your description I'd guess RSA SecurID - we used that a few years back - does it generate a new token every 60 seconds? Have you had the token generator lose sync yet?
- Babylon5 (NETGEAR Employee Retired)
Yes, the User ID (who I am) is clearly shown at the top of the window in my Android App with only the last three digits masked, but in any case I don’t have to enter that ID, it’s ‘remembered’ by the App. No, no loss of sync yet, but I don’t tend to use it heavily.
All I am doing is pointing out that not being able to change the Admin ID is quite common, it applies to business grade routers, SAN shelves, servers, UPSs, and many other network devices and software, and that it’s very common in office networks for the User ID to be open to anyone simply from the lock screen of their PC, or by knowing how User IDs are allocated by the IT department (in my office it’s first-name.last-name). Our accredited secret systems also treat the User ID as public information in the same way, they are Orange book compliant.