Best Practices for Creating Usernames on Websites
A thoughtful username strategy is important to defeating social engineering schemes and enhancing your personal privacy and security.
Welcome to another issue of Secrets of Privacy where we discuss personal privacy related topics and provide practical tips to immediately boost your personal privacy.
Quick post here on username strategies. The focus here will be websites like banks, online shops, etc. *Not* usernames for social media or similar accounts that are public facing. Those are different use cases, though you will find some of the guidance below will apply to those scenarios as well.
Background
Usernames are an important but often overlooked aspect of protecting your personal privacy and security. Most people (ourselves included at one point) use the same username on nearly every website, typically for the sake of convenience. Often that could be your email or the first part of your email.
The problem is that usernames are valuable information for social engineering schemes. For an email-based phishing attempt to be initiated, the Bad Actor must acquire or deduce your email address. If your username coincides with your email address, the scammer will already possess an important piece of information to fulfill their scam.
Tech Advancements
Technology advancements have changed the recommended best practices for usernames. On the one hand, Bad Actors are leveraging AI to create bigger, better and more effective schemes to steal your data. On the other hand, advancements in login/password management software have made it easier than ever for you to manage login information without having to remember each of the 500+ logins you might have. This is a huge win for anyone willing to put in a little effort to make themselves a harder target.
With that out of the way, below are some best practices for creating secure usernames on websites. One obvious problem is websites don’t always allow you to change your username. So for many of your accounts, you’re stuck with the one you currently have. But if you’re like us, you create new usernames almost every day.
Avoid using personal information. Never use personal information such as your birth date or social security number as your username. That guidance is obvious, but you should also try to avoid using your name or birthday (including year). The only time we recommend using your name is for an isolated professional email address.
Never include your phone number or email address. Sometimes the website requires you to use your email address, in which case you don’t have an option here. We recommend using a disposable email address if possible unless it’s a particularly important account that justifies using a more identifiable email address. Bank logins are a good example.
Make it unique. Choose a username that is unique and not easily guessable or hackable. Consider adding a combination of letters and numbers to create a unique username. Including symbols is probably overkill but there’s nothing wrong with doing that. If you’re struggling with creating a name, consider using a username generator, which can be found on a number of sites via a web search. If you’re a Proton user, you can leverage SimpleLogin’s email generator to come up with unique usernames.
Store somewhere safe. The most secure way to store usernames these days (both at home and at work) is to use a reputable password manager, preferably one that is open source. Credentials should be encrypted and securely stored on external servers in such a way that not even the password manager's provider can access them. Some may choose the old way of creating a hard copy record stored in a locked safe. But at some point that becomes unmanageable due to your growing volume of online accounts.
Our current practice is to use a password manager (Proton Pass). We set a master pin for the password manager (6 digits) and put a paper copy with the pin # in a firebox along with other important documents, devices and media.
Make it memorable (or not). Using a unique but memorable username used to be a best practice recommendation. You’ll still find that advice on other sites, but we’re not sure we agree with this advice any longer. With the prevalence of password managers, remembering your usernames is less necessary. We now err on the side of creating unique usernames for each new account where it makes sense.
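The checks in the list above can be run against the usernames you already have. The following is an added example, not part of the original post: it audits a (site, username) list for email, phone, name/birth-year and reuse problems, and generates a random replacement. The owner details, account list, word list and function names are all constructed for illustration.

```python
import re
import secrets
from collections import Counter

# Constructed sample data: a hypothetical owner and a hypothetical
# (site, username) export from a password manager.
OWNER = {"first": "Jordan", "last": "Rivera", "birth_year": "1986",
         "email": "jordan.rivera@example.com", "phone": "555-010-4477"}
ACCOUNTS = [
    ("bank.example", "jordan.rivera"),
    ("shop.example", "jordan.rivera"),
    ("utility.example", "jrivera1986"),
    ("forum.example", "5550104477"),
    ("pharmacy.example", "quietmaple4821"),
]
WORDS = ["amber", "birch", "cedar", "delta", "ember", "flint", "grove", "harbor"]


def audit(accounts, owner):
    """Return {site: [reasons]} for usernames that break the guidance."""
    local_part = owner["email"].split("@")[0].lower()
    phone_digits = re.sub(r"\D", "", owner["phone"])
    personal = [owner["first"].lower(), owner["last"].lower(), owner["birth_year"]]
    counts = Counter(name.lower() for _, name in accounts)
    findings = {}
    for site, name in accounts:
        u = name.lower()
        reasons = []
        if u in (local_part, owner["email"].lower()):
            reasons.append("matches email")
        if phone_digits and phone_digits in re.sub(r"\D", "", u):
            reasons.append("contains phone number")
        if any(p in u for p in personal):
            reasons.append("contains name or birth year")
        if counts[u] > 1:
            reasons.append("reused on another site")
        if reasons:
            findings[site] = reasons
    return findings


def generate_username(digits=4):
    """Two random words plus digits, chosen with the OS CSPRNG."""
    tail = "".join(secrets.choice("0123456789") for _ in range(digits))
    return secrets.choice(WORDS) + secrets.choice(WORDS) + tail


if __name__ == "__main__":
    for site, reasons in audit(ACCOUNTS, OWNER).items():
        print(f"{site}: {'; '.join(reasons)} -> e.g. {generate_username()}")
```

The eight-word list only keeps the example short; a real generator should draw from a list of thousands of words so the result is not easily guessable.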
Conclusion
By following the above best practices, you can create a secure username that will help protect your online accounts and privacy from Bad Actors. And remember, you don’t have to be perfect, only better than a majority of the general public and your peer group. Adding just a little bit of friction when creating usernames is usually enough to deter Bad Actors and persuade them to move on to easier targets.
Note: next week will be our last post of 2023. We’ll pick back up on January 4.