DrayTek UK Users' Community Forum
Help, Advice and Solutions from DrayTek Users
Vigor2620Ln admin user change
- timo_w2s
- Topic Author
13 Jun 2020 15:00 #96387
by timo_w2s
Replied by timo_w2s on topic Re: Vigor2620Ln admin user change
Not disagreeing with using a strong password but surely not knowing the username OR password makes it even harder to guess the correct combination?
- admin
20 Jun 2020 09:11 #96454
by admin
Replied by admin on topic Re: Vigor2620Ln admin user change
timo_w2s wrote:
> Not disagreeing with using a strong password but surely not knowing the username OR password makes it even harder to guess the correct combination?
No, because they're the same factor type.
admin/12345xxxxxxxxxxxxxxxx and
12345/xxxxxxxxxxxxxxxx would be equally secure
(where the first part is the username).
The username is only useful in distinguishing accounts, not security.
Forum Administrator
- hornbyp
20 Jun 2020 14:36 #96455
by hornbyp
Replied by hornbyp on topic Re: Vigor2620Ln admin user change
timo_w2s wrote:
> ...surely not knowing the username OR password makes it even harder to guess the correct combination?
Correct!
admin wrote:
> No, because they're the same factor type.
> admin/12345xxxxxxxxxxxxxxxx and
> 12345/xxxxxxxxxxxxxxxx would be equally secure
Factor type? ... what's that mean?
If you don't know the Username the password relates to, it's of no use to you at all.
Changing the 'Administrator' username as a security precaution, was something I learned in about 1983 - from the Vax/VMS Security Manual.
Clearing out the last used Username on a Windows logon, is a recommended practice (set via Group Policy).
- admin
22 Jun 2020 14:38 #96467
by admin
Replied by admin on topic Re: Vigor2620Ln admin user change
hornbyp wrote:
> timo_w2s wrote:
> > ...surely not knowing the username OR password makes it even harder to guess the correct combination?
> Correct!
A username/password "combination" of, say, 10 + 10 characters each is just a combination of 20 characters
so guessing 10+10 is no more secure than guessing 20...
i.e. admin/12345678901234567890 vs. frank/123456789012345
> If you don't know the Username the password relates to, it's of no use to you at all.
How would you know a password without a username? Obviously, you could, but give an example of how it might come about?
> Changing the 'Administrator' username as a security precaution, was something I learned in about 1983
Well, assuming the same number of characters in each combination (like above) it's not. It only provides the ability to differentiate between users.
> from the Vax/VMS Security Manual.
Maybe Vax only allowed a limited password length or they assumed people would not use long passwords.
> Clearing out the last used Username on a Windows logon, is a recommended practice (set via Group Policy).
That's because in Windows, usernames are used to differentiate users - so if you know "Jim" is the user, you know who your target is, making reconnaissance easier. Also, Windows now uses PINs (optionally) which can be very short.
In reality, people won't use long/secure passwords, so a different username does effectively 'extend' the unknown factor length, but that wasn't the point being made. Given a fixed username, a longer password will be as secure than a shorter one with a different username.
Forum Administrator
- hornbyp
23 Jun 2020 02:31 #96479
by hornbyp
Replied by hornbyp on topic Re: Vigor2620Ln admin user change
admin wrote:
> How would you know a password without a username ? Obviously, you could, but give an example of how it might come about?
This is delving into the detail, of how you might attack a particular device.
and he wrote:
> because, earlier, I wrote:
> > Changing the 'Administrator' username as a security precaution, was something I learned in about 1983
> Well, assuming the same number of characters in each combination (like above) it's not.
OK, if the word of the once mighty Digital Equipment Corporation is not good enough for you, how about Microsoft?
They wrote:
> Because the administrator account exists on all Windows 10 for desktop editions (Home, Pro, Enterprise, and Education), renaming the account makes it slightly more difficult for attackers to guess this user name and password combination.
Taken from this part of their Security Guide:
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/accounts-rename-administrator-account
> Maybe Vax only allowed a limited password length or they assumed people would not use long passwords.
I can't remember what the limit was. But using only "A-Z" and limiting the length to 7 characters gives double the number (26⁷) than could be stored uniquely (The hash of the password was stored as a 32bit value (2³²) ).
"Long" passwords are deemed undesirable these days, since "(they can) result in user behavior that is predictable and undesirable." - Microsoft again.
(Full document here: https://docs.microsoft.com/en-us/microsoft-365/admin/misc/password-policy-recommendations?view=o365-worldwide , for anyone interested.)
- admin
27 Jun 2020 12:51 #96524
by admin
Replied by admin on topic Re: Vigor2620Ln admin user change
hornbyp wrote:
> OK, if the word of the once mighty Digital Equipment Corporation is not good enough for you, how about Microsoft?
You're ignoring my previous point: People do not use sufficiently long/complex passwords, in which case a different username extends it.
My original point that 5+10 characters is just as secure as 15 characters stands, and is relevant in the context where someone
wants a different username to 'aid security' - the solution is to add that username or any other characters to the password
which is then equally secure.
Forum Administrator
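The arithmetic behind both positions in this thread, as an added example that is not part of any post above. It assumes uniformly random A-Z characters, a constructed list of 1000 likely usernames, and takes the 32-bit hash width recalled in the VAX/VMS post as given; all function names are illustrative.

```python
import math
from typing import Optional

LETTERS = 26  # assumption: A-Z only, the alphabet used in the VAX/VMS post


def random_bits(length: int, alphabet: int = LETTERS) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet)


def login_bits(username_bits: float, password_bits: float,
               hash_bits: Optional[int] = None) -> float:
    """Bits an online guesser must search for one username/password pair.

    If only a hash_bits-wide password hash is compared, any colliding
    password is accepted, so the password counts for at most hash_bits.
    """
    if hash_bits is not None:
        password_bits = min(password_bits, hash_bits)
    return username_bits + password_bits


def scenarios() -> dict:
    listed_name = math.log2(1000)  # constructed: name drawn from 1000 likely names
    return {
        # Secret 5-character name plus 10-character password ...
        "secret_name_5_plus_10": login_bits(random_bits(5), random_bits(10)),
        # ... covers the same space as a known name with a 15-character password.
        "known_name_15": login_bits(0.0, random_bits(15)),
        # Renamed account whose new name is guessable from a list: a small gain.
        "listed_name_plus_10": login_bits(listed_name, random_bits(10)),
        # A 32-bit stored hash caps the password's contribution, so a longer
        # password stops helping and only the unknown name adds bits.
        "known_name_15_hash32": login_bits(0.0, random_bits(15), hash_bits=32),
        "listed_name_15_hash32": login_bits(listed_name, random_bits(15), hash_bits=32),
        # 7 letters A-Z versus the 2**32 possible hash values.
        "ratio_26pow7_to_2pow32": LETTERS ** 7 / 2 ** 32,
    }


if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name:26s} {value:8.2f}")
```

Under these assumptions an unknown name adds exactly as many bits as the same number of extra password characters, and the name only becomes the sole way to add bits once the stored hash width caps the password.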