Random Account Name Generator - New Feature!

What Is It?

As of 2023, Wantegrity has introduced a facility for creating random account names. We recommend using randomised names as account names for administrator and service accounts (or any privileged account).

How Does It Work?

It's quite simple. You select the prefix, middle separator and suffix, then press a button to generate a randomly constructed account name. The resulting account name is based on a typical first name + last name format. Both names are randomly chosen from a large database of names. The prefix, separator, and suffix may be combined with the name part to create a fully formed account name that satisfies additional naming convention requirements.

Examples: John.Smith, @Emily.Jones, [Hakeem.Abernathy].
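The generation step described above, sketched as an added example (not Wantegrity's code): the name pools are small constructed samples standing in for the name database, and `generate_account_name`, its parameters and the `REVEALING` token list are assumptions made for illustration.

```python
import secrets

# Constructed sample pools standing in for the "large database of names".
FIRST_NAMES = ["john", "emily", "hakeem", "mary", "bill", "priya", "chen", "sofia"]
LAST_NAMES = ["smith", "jones", "abernathy", "beth", "okafor", "nguyen", "rossi", "tanaka"]

# Assumed list of tokens that would reveal a privileged role in a name.
REVEALING = ("admin", "adm", "svc", "service", "root")


def generate_account_name(existing, prefix="", separator=".", suffix="",
                          max_len=64, max_tries=1000):
    """Return prefix + First + separator + Last + suffix, unused in `existing`.

    Raises ValueError if the prefix or suffix would itself reveal the role,
    and RuntimeError if no free name is found within max_tries draws.
    """
    decoration = (prefix + suffix).lower()
    if any(tok in decoration for tok in REVEALING):
        raise ValueError("prefix/suffix reveals the account's role")
    taken = {name.lower() for name in existing}
    for _ in range(max_tries):
        # secrets draws from the OS CSPRNG, so names are not predictable
        # from earlier output the way random.choice() output could be.
        first = secrets.choice(FIRST_NAMES).capitalize()
        last = secrets.choice(LAST_NAMES).capitalize()
        name = f"{prefix}{first}{separator}{last}{suffix}"
        if len(name) <= max_len and name.lower() not in taken:
            return name
    raise RuntimeError("no free name found; enlarge the name pools")


if __name__ == "__main__":
    directory = {"John.Smith", "Emily.Jones"}  # constructed existing accounts
    print(generate_account_name(directory))
    print(generate_account_name(directory, prefix="[", suffix="]"))
```

Pass the directory's current account names as `existing` so a generated name never collides with a real user.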

Why Do We Need This?

Hackers use account names to narrow down their search for accounts that have administrator privileges. That is, if a bad actor gets into your network and compromises a machine, they start looking for administrative accounts that they can break into using brute force, pass the hash, and various other methods. The aim is to get control of an administrative account.

Once they have access to an administrator account, the hackers begin to plan and carry out any of a number of damaging actions. In most cases, it will be ransomware, but it can also be stealing sensitive data, fraud, extortion or blackmail.

Unfortunately, organizations often use naming conventions that make it extremely easy for the hackers to figure out which accounts have admin privileges. Account names like administrator, admin, jsmithadmin, bjenkins.admin, sql.svc and web.service quickly tell the hacker which accounts have privileged-level permissions.

Another problem arises when organizations make their naming convention public. Incredible as this may seem, some organizations actually make their naming conventions public! Here's one of many examples: NCSU EDU Naming Convention. For those organizations, hackers don't even have to try to determine which accounts to target. The organizations provide the information straight to them. Adopting a names-only naming convention entirely wipes out this problem.

Yet another problem arises with naming conventions like these:

Account names: joe.bloggs with peter.parker.admin or maryj with maryj-adm.

The problem here is that the bad guys are given an indication that Joe and Mary are in the IT team AND have an admin account. You've given the bad actors two specific accounts to target, one of which will definitely have admin privileges while the other may well have elevated privileges, AND accessing Peter Parker's account may well make it easier to access Peter Parker's admin account. Why give so much information to hackers that are already in your network?

So let's do this another way. Let's take the account name naming convention that is used for normal users and apply that convention to all of the administrator and service accounts (or all privileged accounts for that matter). That is, take a user naming convention, "first name" dot "last name", say john.smith, and create administrator and service accounts based on the same convention, such as mary.beth and bill.gates. From looking at it, is there any way for you to figure out which one of those accounts is an administrator? No, there isn't, so you just made it a bit harder for the bad guys to get control of an administrator account.
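To see how much an existing convention gives away, the check below flags privileged accounts whose names carry a role marker and marked accounts that map back to an everyday account. It is an added example, not part of the original page: the account list is constructed from the page's sample names, the privilege flags are assumed, and `split_name` and `audit` are hypothetical helpers.

```python
import re

# Role markers taken from the page's examples of revealing names.
MARKERS = {"administrator", "admin", "adm", "svc", "service"}


def split_name(name):
    """Return (base, markers): name with role markers removed, markers found."""
    base, found = [], []
    for tok in re.split(r"[._\-]", name.lower()):
        if tok in MARKERS:
            found.append(tok)
        elif tok.endswith("admin"):        # glued form such as jsmithadmin
            found.append("admin")
            base.append(tok[:-len("admin")])
        else:
            base.append(tok)
    return "".join(base), found


def audit(accounts):
    """accounts: list of (name, is_privileged). Returns (name, issue, detail)."""
    # Index the unmarked accounts so marked ones can be matched back to them.
    plain = {}
    for name, _ in accounts:
        base, found = split_name(name)
        if not found:
            plain[base] = name
    findings = []
    for name, privileged in accounts:
        base, found = split_name(name)
        if not found:
            continue
        if privileged:
            findings.append((name, "reveals-role", ",".join(found)))
        if base and base in plain:
            findings.append((name, "linked-to", plain[base]))
    return findings


# Constructed directory export: names from the page, privilege flags assumed.
ACCOUNTS = [("joe.bloggs", False), ("peter.parker.admin", True),
            ("maryj", False), ("maryj-adm", True), ("jsmithadmin", True),
            ("sql.svc", True), ("mary.beth", True), ("bill.gates", False)]

if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```

The privileged account mary.beth produces no finding, which is the camouflage effect the names-only convention is after.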

Most admin accounts are assigned to IT staff, so remembering user names and passwords is much easier for them. When an IT staff member is assigned a user account, they can handle being given an admin account that uses a unique name. Those accounts are much harder for disgruntled IT users to take over. To cover their tracks, unhappy workers would prefer to use someone else's admin account, but when admin account names are randomised, they first have to figure out which account names belong to admins. These countermeasures are not intended to stop anything outright but are intended to slow down the bad actor.

Some security experts will say that doing all this is just "security through obscurity", that this isn't security at all. They would be missing the main point. A common technique to slow the enemy down is to hide important things by blending them into their surroundings. When you name your administrator and service accounts using the same naming convention as your general users, you camouflage the administrator accounts within the user population. Now the hackers have to do more work, which slows them down. How much it slows them down depends, but when it costs so little to implement the camouflage, why not do it? With the camouflage in place and the bad guys slowed down, you have more time to find them before bad things happen. Slowing down the bad actors is sometimes important just to give yourself that much more time.

We recommend using random account name camouflage! Its implementation and use cost little to nothing while giving organizations a higher level of administrator account protection.

Synonyms of Camouflage
Mask, veil, hide, pose, cloak, cover, screen, blot out, masquerade, pretend, sham, obfuscate.

Copyright © 2024 Wantegrity, Inc. All rights reserved.