How I can change the Username itself, not just the password.

Hw 2 change my user name

alexthefool wrote:
It is a simple math, man. Guessing one password is easier than guessing two. If you think otherwise please explain.:p

Let’s keep it simple just for an easy to calculate example, passwords using numbers only; Using two passwords; Password 1 – 4 digits – 10,000 possible combinations Password2 – 4 digits – 10,000 possible combinations The user is not informed which one is incorrect, so the number of possible combinations of the two passwords is 10,000 * 10,000 = 100,000,000 Using one password; Password – 8 digits – 100,000,000 possible combinations Unless people are using the entire 31 possible characters of the password then there’s nothing gained security –wise by having a changeable User ID. If people are using a 31 character password properly then the number of unique passwords is astronomical, will never be guessed. The User ID is for identification, not a password, and in this case of the home router – single admin function it’s fairly redundant. Use the password properly and all is well. These Cisco 7000 series devices cost many thousands, this particular one is about £32,000 in the UK). They have a fixed Admin account that cannot be changed, and only require a password to be entered to access that user level. They are considered highly secure and will not be out of place in a military network (I use them). http://www.cisco.com/c/en/us/products/collateral/switches/nexus-7000-10-slot-switch/Data_Sheet_C78-437757.html

fordem wrote:
You can, if you so choose, create users, with different levels of access on most Cisco IOS versions.

I know, but can you delete/remove/rename the Admin User? While everyone is correct in saying that having a user selectable Admin ID should be relatively easy, it would require a change to router code, something else to store. It would as has been mentioned lead to more issues with support, and more people who having forgotten the User ID / Password having to factory reset, a password alone is easier to remember. But the argument that this makes things more secure leads me to question why people might think that the password alone is not secure, and if the password can be ‘guessed’ then why can’t the User ID be equally easily guessed? The password field is 31 characters long, and if the admin can’t make a secure password out of that then changing their User ID to something other than Admin isn’t likely to help at all.

A consumer router is intended for a single user to log in and manage settings. There are no facilities to log who made what change and when. If the desire is to have multiple user accounts, this is probably not the type of device you should be looking to install on your network.

Regarding the math behind what makes the log in secure, having the ability to change the user id really makes no difference if the password is secure. I could argue that having no user id at all and a very secure password is just as safe as having a fixed and known user id and a very secure password, due to the permutations of characters allowed and number of characters used. Additionally, a known user id and a secure password could be just as difficult to hack as a unknown user id and an insecure password.

As an example of the above, most utilities, banks and even corporations such as Google or Apple have a known user id (your email address), and require only the password to be secure.

Just wanted to clarify some previous comments regarding two factor authentication, as I believe there is some misinterpretation of what that means. Most implementations of this type of verification require two items, usually something you know (a password), and something you have (such as a phone which can receive a text message, or an automated call). A user id and password combination is not a valid example of what is commonly known as two factor authentication.

Babylon5 wrote:

These routers are single user admin, there is no need for multiple admin accounts even if you could have more than one person performing that role. Neither of those two examples are any easier to guess than example 4 above, if you think otherwise please explain. What is being effectively asked for here is to change the User ID into a kind of password, i.e. a router with two passwords, and I would say that's really only of any security value if the all characters of the existing password are used (which on its own would be monstrously difficult to determine if good password selection is used)

I would only say a router is a single legitimate user device. There surely more than one person, the administrator, who wants to log in. Otherwise, no password is needed at all.

It is a simple math, man. Guessing one password is easier than guessing two. If you think otherwise please explain.:p

And yes, asking to change the username actually is asking to set up a two passwords authentication system.:eek: It is enlightening to me. Be frank, I am not an IT professional. I have never ever thought in this way as an end user.:o As a low technique paranoid end user, two "passwords" is more safe than one.

I don't disagree one password can be very secure, even secure enough. My password is monstrous. It consists of over 20 digits (something like repeating Bblon5329067 three to four times). I still think that it may be good enough, but it is not difficult to make it better.

By the way, sometimes we may need to think of some careless users who keep using easy passwords (like my colleague who got his NAS cracked:D). For example, which one is easier to crack if you were a hacker?

user: admin (fixed)
password: 12345

user: root (set by the silly user and unknown to others)
password: 12345

well, I admit, both are easy enough, but still, the first one is few seconds easier. If lucky enough, the second one can be protected once or twice by the blocking wrong password mechanism, if there is any.

Babylon5 wrote:
At work I use Cisco routers costing thousands of pounds, they have no admin ID either, they only prompt for a password, no mention of a User ID.

You can, if you so choose, create users, with different levels of access on most Cisco IOS versions, and almost every installation I have seen will only allow access without a userID from the console - for security reasons.

A NAS is a multi user device, and so it’s appropriate to have multiple user IDs. These routers are single user admin, there is no need for multiple admin accounts even if you could have more than one person performing that role. So in effect the User ID is pretty much redundant, and in fact my SOHO router has no Admin ID, that field is simply blank.

What stops people gaining unauthorised access to the router is the password, not the User ID, and if you a want to use the User ID as an authentication field then I have to ask if you are using all the possible characters of the current Authentication field?

What is the difference in difficulty in determining these User ID / Password combinations where both are required to access the account?

1. User ID – FredBloggs, Password 123456
2. User ID – Blank, Password FredBloggs123456
3. User ID – Admin, Password 123456
4. User ID – Admin, Password FredBloggs123456

Anyone who is aware of my router model, a Draytek Vigor 2950, will know that there is no User ID, does that make the router less secure?

At work I use Cisco routers costing thousands of pounds, they have no admin ID either, they only prompt for a password, no mention of a User ID.

What if we had one User ID which is fixed and added a second password i.e. User ID, Password1, Password2, is that so different to what is being asked for here? What about these examples;

1. User ID Admin (openly known), Password1 – FredBloggs, Password2 123456
2. User ID none – not used, Password1 – FredBloggs, Password2 123456

Neither of those two examples are any easier to guess than example 4 above, if you think otherwise please explain.

What is being effectively asked for here is to change the User ID into a kind of password, i.e. a router with two passwords, and I would say that's really only of any security value if the all characters of the existing password are used (which on its own would be monstrously difficult to determine if good password selection is used)

I understand it might be a common practice in many system. Maybe, it is even good enough. But it doesn't necessarily mean it is better.

The example you mentioned are mostly internal, or inside a trust system. What I am concerned is the outsiders, UNtrusted ones. I think you cannot deny that two unknowns is much harder to guess than one unknown. Yes, with other settings such as block the intruder out for a period of time after a number of trials, it might be safe enough. But surely it is billion times more safe if there are two strain to guess.

In my NAS, I stopped the admin account and create another super user with a nonsense name to be the administrator. My colleague who is using the same model of NAS with me, has his NAS been cracked once through the admin login. Perhaps he is more unlucky than me, perhaps he is more silly in setting password. But no one can deny if we look at the very lengthy log of our NAS, there is a load of "admin" trying to login. Anyone who want to crack the NAS from the company will start with "admin" with different password. It is the same case here, anyone who want to crack into the network with the router of this brand, they know where to start with. Of course, how to hide the brand of my router is another issue. In a sense it might be a factor of authentication.

It might be common, it might be "good enough". But it is not difficult to make it better, is it?

Yes, the User ID (who I am) is clearly shown at the top of the window in my Android App with only the last three digits masked, but in any case I don’t have to enter that ID, it’s ‘remembered’ by the App. No, no loss of sync yet, but I don’t tend to use it heavily.

All I am doing is pointing out that not being able to change the Admin ID is quite common, it applies to business grade routers, SAN shelves, servers, UPSs, and many other network devices and software, and that it’s very common in office networks for the User ID to be open to anyone simply from the lock screen of their PC, or by knowing how User IDs are allocated by the IT department (in my office it’s first-name.last-name). Our accredited secret systems also treat the User ID as public information in the same way, they are Orange book compliant.

Your bank is using three factor authentication - who you are (or claim to be), what you know, and what you have. There are quite a few that only use two factor authentication - username & password - and the big difference between these and ecommerce sites that also use two factor is that the bank system force the username to be entered every time you go to the site.

Many ecommerce sites, where the focus is on ease of use rather than security, "remember" you and just require the password to be entered.

All I am doing is pointing out here that whatever the authentication system, if one factor is known, the task of getting in is significantly easier - you seem to feel that the real security is the token, but if I had it, it would not help me any, unless I knew the other two.

From your description I'd guess RSA SecureID - we used that a few years back - does it generate a new token every 60 seconds? Have you had the token generator lose sync yet?

Yes I do use online banking, but the situation you describe does not occur since I don’t used a shared computer to access the account. But a User ID is required and it’s not secret, the extra authentication is a question (which anyone who knows me will know the answer to), and an electronic token generator is used.

Are you suggesting that everything I have posted is incorrect and that standard practice is not to treat the User ID as a public identifier, is the information in those links I posted incorrect, there were a great many more? Do you feel that the security of a router is compromised because the User ID is known, and if so would you also say that the Secret networks I use are also compromised for the same or similar reasons?