10 June 2010I was recently notified that danielkennedy74 was following my Twitter feed. It was slightly amusing to see a security professional using "74" post-pended to their user name. It took me back to a simpler time. Back when the internet was young and you signed up for an account it was typical to ask you a few personal details first. This generally included your date of birth. When you requested your account name you'd typically request your name, or some variation thereof. This was back in the trusting old days, and so if your name was taken the system would usually suggest the name you tried plus the year of your birth. So you'd try "DanielKennedy" and the system would say that was taken, but if you were say, born in 1974, the system would suggest "DanielKennedy74" as an alternate username. It was a great scheme, easy to remember, and relatively close to the user's original request. Then came the dark days of the internet, full of hackers and phishers and identity thieves. The world wide webs went from information super highway to wretched hive of scum and villainy (well, not really, but you get the idea). Now stuff like your social security number, home address, and birth date become valuable pieces of information. Many systems will use your birth date as a security question in fact. Most people know this so aren't too shy about giving out the month and date of their birthday, but what happens if your username gives away the year of your birth? I'm sure that nobody who thought up this system ever considered the security implications, and to be completely fair it's an outside threat. However, nowadays leaking any personal information can be dangerous. Every shred can be connected with other shreds to build a dossier that can be used for social engineering, password guessing, or identity theft attack. The more public a person's identity, the more dangerous this situation can become. Sarah Palin's e-mail address being compromised was a prime example. Simple information, combined in interesting ways (such as using alma maters listed on LinkedIn along with birth dates to figure out graduation years) can leak complex information useful to an attacker.