Generation Cpanel Username

[vibol]

Hello, as i may know when use order the host blesta will generating username look like.. if domain.com username will be domain

But is there any possible way to make blesta generate the username with a random string or number etc?

 

Thz you blesta team and everybody for suggestion. And please apologize for my English.

[Daniel B]

This isn't possible with Blesta as far as I know, and truthfully I'm glad it's not.  Having a random username doesn't really increase security at all.  In order for someone to get into the account, they need to know the username and the password.  Already having the username does not make it any easier for them to get the password.  So as long as you have a secure password, the username really isn't all the vital.

 

You also come across the issue of having randomly generated names that are hard to remember...which means people are going to need to write them down and save them somewhere...which would decrease security...not increase it.

[vibol]

This isn't possible with Blesta as far as I know, and truthfully I'm glad it's not.  Having a random username doesn't really increase security at all.  In order for someone to get into the account, they need to know the username and the password.  Already having the username does not make it any easier for them to get the password.  So as long as you have a secure password, the username really isn't all the vital.

 

You also come across the issue of having randomly generated names that are hard to remember...which means people are going to need to write them down and save them somewhere...which would decrease security...not increase it.

thz you for good info but as i know i just want a random username for s1**** s2**** because i just to be sure that i can know that the s1 come from server 1 and the s2 come frome server 2 this why i want to generated the username like this... but sorry yes maybe it not possible because not the easy way to do this at all. Many thz

[Paul]

We may add the ability to set some rules on usernames for the module, such as the length of the username, etc.. but it's not likely usernames will be able to start with a server identifier, though it's open to discussion.

 

Ultimately I find having usernames that are constructed from the domain are easier to find. If you know the domain, but not the username, you can find the home directory fairly easily. The case can be made that the username is easier for attackers to guess, but I haven't seen a direct correlation yet in brute force logs. Ultimately, you should assume that an attacker knows the username. Set a secure password, use some type of brute force detection with your firewall.

[vibol]

We may add the ability to set some rules on usernames for the module, such as the length of the username, etc.. but it's not likely usernames will be able to start with a server identifier, though it's open to discussion.

 

Ultimately I find having usernames that are constructed from the domain are easier to find. If you know the domain, but not the username, you can find the home directory fairly easily. The case can be made that the username is easier for attackers to guess, but I haven't seen a direct correlation yet in brute force logs. Ultimately, you should assume that an attacker knows the username. Set a secure password, use some type of brute force detection with your firewall.

Correct! if only random username will be find. So did we need to move my threat to the feature request forum ? thz

[Michael]

+1 I love random usernames when I was a host because it means people can't get in easier if someone was to use a unsecure password. Server handler would be nice too as it means they aren't short on usernames. But I love the ideas Paul was talking about too.

[Paul]

Please start a new thread in the feature request section, and feel free to also link to this one. Your initial post isn't worded like a feature request, so starting a new thread is likely to be more successful.

[Daniel B]

+1 I love random usernames when I was a host because it means people can't get in easier if someone was to use a unsecure password. Server handler would be nice too as it means they aren't short on usernames. But I love the ideas Paul was talking about too.

 

While I don't really see a huge problem with random usernames...if you want to implement random usernames because your users are creating insecure passwords...I'd say that requiring secure passwords would be a much better option than randomizing their username.

[Michael]

The thing is you can't tell whether the password is secure or not, but people will attempt to use the first 8 digits if they want to attack someone, if you don't have BFD installed then it could either lock them out or end up like a small ddos attack depending on how they are trying to attack.

 

If you get a random username that limits that because they will just get locked out for incorrect logins. And they will give up.

 

Like blesta.com would probably be blestaco or webhostingtalk.com would probably be webhosti.

 

Old thread here about it: http://www.webhostingtalk.com/showthread.php?t=1086740

[Tyson]

Security through obscurity is generally a bad idea. You can't assume because a user has a random username that they are any more secure than someone that uses the first 8 characters of their domain name. As the wiki article states, "It is analogous to a homeowner leaving the rear door open, because it cannot be seen by a would-be burglar."

 

Beef up the requirements for your customers' passwords. I think cPanel requires at least an 8-character password, which is too short. If you let Blesta generate one, it'll be 10-14 characters. Of course, users can change it themselves in their cPanel account, but it's ultimately their choice on how secure they want to be with their logins. You can also educate them on this importance to deter them from bad security practices, kind of the give-a-man-a-fish/teach-a-man-to-fish argument.