Password managers are low-cost security solutions that can significantly improve security by helping people avoid bad password practices. Oftentimes, all that stands between a hacker and an account containing sensitive data is a password, and the passwords that protect those accounts are often not sufficiently complex.
Passwords can be cracked in seconds using brute force tactics and a computer with a reasonably powerful GPU. It may not even be necessary to guess a password, as many people do not set a unique password for each of their accounts. If there is a data breach, the passwords obtained can be used with the associated email address – the most common type of username – to access all accounts where the same password has been used. This method of accessing accounts is called password spraying.
Password reuse and weak passwords are common simply because of convenience. It isn’t easy to think of a unique password for every account, especially when passwords need to be long and complex, and dozens of accounts need to be secured.
Password managers solve this problem by including a secure password generator. The password generator will generate a long, complex, and truly random password consisting of numbers, letters, and symbols, which will be sufficiently complex to resist brute force tactics. A unique password can be created for each account, and the passwords do not need to be remembered as they are stored securely in the user’s password vault and will be autofilled when the user lands on the relevant website.
The leading open source password manager provider, Bitwarden, has taken security a step further. In addition to having a tool for generating complex passwords, the company has listened to feedback from the community and has now developed a tool for generating unique usernames.
There is a very good reason for not using your primary email address as your username for everything: it increases risk. It makes password spraying attacks much quicker and easier. Security can be improved by using multiple email addresses. If you use one email address for banking and another for shopping, then after a data breach at a retailer, the username cannot be used in a brute force attack on a banking website.
The tool was released for the Bitwarden web vault initially, followed by the browser extension and the desktop app. A username generator for mobile applications will be added in a future release.
The feature provides three options for deriving the username:
- Plus addressed email – Use the email provider’s sub-addressing capabilities
- Catch-all email – Use the domain’s configured catch-all inbox
- Random word
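The three options above, sketched in Python as an added example. This is not Bitwarden's code: the function names, the tag alphabet and length, the word list and the `example.test` addresses are all assumptions made here for illustration.

```python
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits
# Constructed sample word list; a real generator would use a much larger one.
WORDS = ["harbor", "lantern", "meadow", "quartz", "sparrow", "timber"]

def random_tag(length=8):
    """Return a random lowercase alphanumeric string from the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def plus_addressed(email, length=8):
    """local@domain -> local+<random>@domain (provider sub-addressing)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("expected an address of the form local@domain")
    # Drop any existing +tag so repeated calls do not stack tags.
    local = local.split("+", 1)[0]
    return f"{local}+{random_tag(length)}@{domain}"

def catch_all(domain, length=8):
    """<random>@domain, for a domain whose catch-all inbox accepts any local part."""
    if not domain or "@" in domain:
        raise ValueError("expected a bare domain name")
    return f"{random_tag(length)}@{domain}"

def random_word(capitalize=False, include_number=False):
    """A random word, optionally capitalized and suffixed with four digits."""
    word = secrets.choice(WORDS)
    if capitalize:
        word = word.capitalize()
    if include_number:
        word += f"{secrets.randbelow(10000):04d}"
    return word

def usernames_for(sites, email):
    """Give each site its own plus-addressed username, retrying on a collision."""
    seen, result = set(), {}
    for site in sites:
        name = plus_addressed(email)
        while name in seen:
            name = plus_addressed(email)
        seen.add(name)
        result[site] = name
    return result
```

A plus-addressed username still exposes the underlying mailbox, since everything before the `+` is the real local part, so it gives per-site uniqueness rather than concealment. A catch-all or random-word username does not reveal the primary address.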
“Usernames often come as an afterthought and commonly include a primary email address, a first initial and last name, or even a birth year,” said Kyle Spearrin, founder and CTO of Bitwarden. “Treating usernames with care can be a great way to boost security and privacy practices online.” Using the Bitwarden Generator to create both unique usernames and passwords ensures that a potential data leak from one service does not put any other accounts at risk or reveal any useful information about a user for hackers to leverage in future attacks.