Names is for Tombstones Baby

A few days ago, there was one of those daft debates raging in our office. You know, the ones that spontaneously take hold like a wave of mass relief after a particularly busy morning or a particularly intense meeting, and then refuse to die down.

The debate was around whether Sean Connery or Roger Moore made the best James Bond, and, as an American, I have to tell you that I felt well out of it. Until, that is, one of our resident mimics started aping a line from the Mr Big/Dr Kananga character in the Live and Let Die film.

In a rare example of Bond having the wind completely taken out of his sails, the agent begins his customary introduction with "My name...." and his nemesis promptly cuts him off with: "Names is for tombstones, baby."

And that kind of set me thinking, because the concept of the "name" has become particularly problematic in internet terms over these past few weeks and months. Indeed, the ubiquitous username now finds itself vilified as never before, thanks to several separate issues.

Firstly, we had the multiple website hacks (LinkedIn, Yahoo, nVidia, Burberry), which resulted in username and password data being filched and the accounts of many tens of thousands of users being compromised.

I wrote about this in my blog recently here, so I'm not going to dwell on it, except to reiterate that having one username immutably linked to one password in a monster file that sits on a website like a big, juicy treasure trove, is pure hacker porn. It will bring them back again and again.

Username fixation

But there are two other recent stories that set my username fixation twitching. The first, inevitably, was the catastrophic DropBox breach of 18 July, which first came to light when the company stated that users of their service had been receiving spam to email addresses that were associated only with Dropbox accounts.

The cat clawed its way fully out of the bag a couple of weeks later when DropBox admitted that "usernames and passwords recently stolen from other websites were used to sign in to a small number of DropBox accounts". Rather cruelly, one of these compromised accounts belonged to a DropBox employee and contained "a project document with user email addresses." Oops.

Now, there are trendy security specialists out there who write a lot more forensically than I do about this kind of stuff, and are currently busy picking all sorts of other nits out of what DropBox did and didn't do, in an attempt to vilify their competitor and draw the debate away from the inherent weakness of the omnipresent username.

This is quite simply because they, themselves, base access to their security products on usernames and passwords. Tut tut.

In fact, they really are bypassing the principal underlying issue here, which is that we feeble-minded human beings can't memorise infinite combinations of different usernames and passwords for different sites - so we tend to use the same username and password for several sites.

A recent study by Experian found that internet users in the UK have, on average, 26 different email accounts. Score one of those username/password combinations, and you've a good chance of scoring several of the others - maybe even all of the remaining 25.


And, as the DropBox debacle appears to have shown, it only takes one of those compromised users to be "in the trade" and using the same username and password for both professional and private purposes to create the "perfect storm" that can give hackers corporate-level access to something much, much bigger. Scary.

The second username-focused story that set off my nervous tic recently came with the gathering publicity surrounding the forthcoming release of Windows 8. Trawling the blogs and discussion forums that are abuzz with opinions on this subject at the moment, I unearthed some interesting commentary.

For example, you apparently need a Microsoft Live account for the Windows 8 cloud experience, so basically every service within that environment appears to be sharing the same Live login details. So, if you've got Skydrive, an HTC phone and Hotmail, for example, then any compromise of the Live username/password could enable a hacker to delete everything on your Skydrive, locate and erase your phone, and delete all your contacts and emails. Neat.

Now let's be clear, here, usernames, passwords, even PINs, can all be beaten out of people - any kind of authentication can be compromised that way (our Chief Cryptographer, Dr Michael Scott, who blogs here, calls this the "rubber hose school of decryption").

But my concerns here aren't around that. Rather, they're around whether, internally, between applications, the security surrounding the Live username and password information is sufficiently strong to prevent its being hacked in transit.

And until Judge Bill Gates gives me a call to put me straight, I'm afraid the Spector jury is still out on that one. Basically, I just don't trust them old usernames, people. They're useless without a password and ten times more dangerous. For DropBox, they may even be their internet epitaph.

Strangely prophetic words from a fictional character in a 1970s movie, don't you think?

Brian Spector, CEO of CertiVox