admin account naming ?
Posted by Spiritual_Cycle_3263@reddit | sysadmin | View on Reddit | 192 comments
For breakglass admin accounts for all your storage, idrac, webapps, what do you typically name these?
I suggested admin_XXX (random 3 characters) but got turned down. The team preferred to leave it as admin which I think is a bad idea. Especially for public webapps where admin is highly used to run dictionary attacks
CantaloupeCamper@reddit
It's named whatever the password is.
dontbethefatguy@reddit
CantaloupeCamper@reddit
No sir, Executive Vice President.
hurkwurk@reddit
and thats what i set the admin account name and passphrase to!
itishowitisanditbad@reddit
I commend you for having a password.
dontbethefatguy@reddit
It all makes sense now.
CantaloupeCamper@reddit
AND you don't have to waste time looking for the password jjohnson
Efficiency!
BadSausageFactory@reddit
legit not sure if you're being sarcastic, brilliant, or both
iceyone444@reddit
God
shanghailoz@reddit
So still admin, right?
Ok-Strike-8617@reddit
Password is TACO
CantaloupeCamper@reddit
https://youtu.be/KUY8gzJV3bo
chefnee@reddit
it’s because admin/admin is so hard to remember.
Clear_Key5135@reddit
well duh, that's because the password is also admin
Reverse_Quikeh@reddit
All accounts should be a variation of Rick.
Break glass should be BreakGlass_Rick
Domain admin should be Rick_C137
Funny admin should be Pickle_Rick
Then if you see a Rick_Prime you know 2 things
Bonus: user accounts should be Firstname.Lastname.Jerry
Spiritual_Cycle_3263@reddit (OP)
rick-james?
hurkwurk@reddit
only if the password is SLAP!
flyguydip@reddit
Only if I get to be ricky-bobby.
krajani786@reddit
Hacker that does nothing is Rick.rolled
ZPrimed@reddit
Passwords should involve "schwifty" somehow
itishowitisanditbad@reddit
None of the following was found in your password - plumbus, dinglebop, schleem, grumbo, fleeb, schlami, hizzard, blamf, chumble, ploobis.
Please try again.
ZPrimed@reddit
We would also accept things similar to "wuppu-wuppu-wups" or "nuppu-nuppu-nups"
(this is part of the nonsense stuff Rick dribbles out after coming up with the banger that was "Get Schwifty" but before "Head Bend Over")
germo20@reddit
Should the users of tech people be Firstname.Lastname.Morty ?
Reverse_Quikeh@reddit
.Morty is reserved for the help desk.
MrSh1V@reddit
Dummy account: Rick_dQw4w9WgXcQ
Sin_of_the_Dark@reddit
You forgot RickThe_DoorTechnician!
Live-Procedure-899@reddit
Anything but: admin or administrator. I find it wild that any sysadmin would still use those… might as well throw sysadmin onto that list too 😂. If targeted, it won’t really matter, but you’re avoiding the driveby opportunist that tries admin & administrator.
NowThatHappened@reddit
Well theoretically if the application has suitable brute force protection, then with a strong password it shouldn't matter, throw in 2FA for perfection. If on the other hand it's something weaker, like idrac, iLO, etc then just don't put it anywhere near the dirty side. As always, limit at all costs the amount of critical functions exposed to the internet, idrac is certainly one, as would be virtualisation consoles, SAN, shells, etc.
Sasataf12@reddit
Not great advice, because you could say this about literally every security layer.
"If one layer is strong enough, the other layers shouldn't matter."
NowThatHappened@reddit
Pretty much everything is only one layer, no one has the time or patience for more. The advice is sound, if the one layer is STRONG and defended then it doesn’t matter. The rest is also sound, don’t put weak shit online.
Sasataf12@reddit
I think you need to leave this sub and join r/ShittySysadmin
NowThatHappened@reddit
I wasn’t aware that sub existed, thank you but I won’t be joining you there.
Sasataf12@reddit
I'm not the one saying only 1 layer of security is necessary 😂
NowThatHappened@reddit
Reddit, meta, twitter, Lloyds bank, curve card, google, Microsoft, yahoo, the list is endless.. username and password. What I said and I’ll have to say again because it’s not sinking in, is all those sites employ defences and brute forcing is impossible. You should use 2fa but in most cases it’s not mandated. Strong passwords will keep you secure with good infra.
Sasataf12@reddit
EXACTLY! That's what I've been saying this whole time - multiple layers of security. Can't believe it took you that long to realize that everyone does it.
NowThatHappened@reddit
I get it, English isn’t your first language, but if you re-read my original comment, sentence by sentence then you’ll discover that’s exactly what I said. I don’t mind explaining it again and again if that helps, but since you didn’t ask the question or provide any useful input then I’ll leave it there.
Sasataf12@reddit
You never EVER said that. You said...
followed by...
So you literally said that if you have these 2 security layers, the rest don't matter. AND you proclaim no-one has the time and patience to not use default usernames (which is something you absolutely should do).
NowThatHappened@reddit
I’m sorry you don’t understand and I’m sorry you hijacked the OPs question with this relentless bullshit. Luckily it seems no one else cares.
Sasataf12@reddit
I agree, thankfully no-one seems to care about your advice.
In future, don't comment about security when you have little to no knowledge about it. Gives the rest of us a bad name.
OgdruJahad@reddit
The fact you have to argue to not use admin as a username is very troubling to me.
flyguydip@reddit
FWIW, after looking at the last 4 years worth of data, the top 10 usernames that tried to log into my honeypot are as follows (1 being the most commonly used):
officeboy@reddit
Looks like administrator is back on the menu boys!
CptSpongeMaster@reddit
I knew just leaving it alone would play out well, everyone expects it to be changed
rassawyer@reddit
Administrooter
Rootistrater?
EdricStorm@reddit
Administrato! You can say it all fancy too. Aaad-ministratoooo
itishowitisanditbad@reddit
Number 2?
What am I missing? What uses enable as the username?
flyguydip@reddit
Cisco uses enable on switches, routers and firewalls to put the user in a privileged exec mode for sure that I know of. But that's all I know of.
itishowitisanditbad@reddit
Ahhhh I just never ever touch those. Networking is silo'd off entirely in my current role.
Makes total sense. Thank you very much!
tonyboy101@reddit
Open telnet sessions to network equipment without authentication enabled.
Smart_Dumb@reddit
That's why I name my admin accounts "not_admin".
itishowitisanditbad@reddit
I call admin accounts 'User' and user accounts 'Admin'
Good luck hackers
131313136@reddit
I'm really curious now, does your data show that the log in attempts follow Zipf's law? I.e. the second most common username has about 1/2 the attempts as the most common, third has 1/3, etc.
flyguydip@reddit
Unfortunately, in my configuration, I can't technically verify that. My current honeypot configuration has 3 public IP addresses NAT'd to one internal IP with varying ports made available to the public. As far as the logging system is concerned, one internal IP address logged all of the connections. This means that one attacker may be targeting what looks like an unsecured email system at one IP, and another might be targeting what looks like an unsecure web server at another, etc., so the data is skewed from the get-go from what we would expect to see with Zipf's law. Also, attackers only get from 5 minutes to 9 minutes to attack the honeypot. They don't get to hammer away at it indefinitely because our firewall uses the data the honeypot collects to block traffic to all assets owned by my employer.
In the future, when adding more honeypots to the system, I'll likely add an individual honeypot for each IP so it should be possible to see if it matches up with the pattern. Since, at this very moment, I'm wrapping up the development of the APIs to make that happen, I anticipate adding more honeypots on different ISPs to the system soon. Unfortunately though, the data still may be unable to correlate a pattern considering the short time window attackers have to hit the honeypot. For example, after watching attack patterns you can clearly see some attacks are automated choosing to attempt a login 10 times per minute, while others are 1000 times per minute. One is designed to evade firewall countermeasures while the other simply doesn't care. I assume the latter doesn't care because any security footprint not smart enough to block X number of failed logins per minute is probably more likely to be breached so if alarm bells don't go off in the initial probing, it's likely no one will notice the shenanigans they attempt later.
Using the current numbers and a bit of help from chatgpt, I've got the expected Zipf frequency we should expect to see.
Word | Actual | Expected (Zipf) | Difference
---|---|---|---
root | 677,853 | 677,853 | 0
enable | 576,932 | 338,926 | +70.22%
shell | 461,379 | 225,951 | +4.19%
admin | 228,929 | 169,463 | +35.09%
default | 80,896 | 135,571 | -0.04%
user | 47,088 | 112,976 | -58.32%
guest | 43,916 | 96,836 | -54.64%
system | 43,311 | 84,732 | -48.88%
sh | 28,833 | 75,317 | -61.71%
support | 24,460 | 67,785 | -63.91%
I tried removing the first value to see if we get any closer, and this is what we get:
Word | Actual | Expected | Difference
---|---|---|---
enable | 576,932 | 576,932 | 0.00%
shell | 461,379 | 288,466 | +59.94%
admin | 228,929 | 192,311 | +19.04%
default | 80,896 | 144,233 | -43.91%
user | 47,088 | 115,386 | -59.19%
guest | 43,916 | 96,155 | -54.33%
system | 43,311 | 82,419 | -47.45%
sh | 28,833 | 72,116 | -60.02%
support | 24,460 | 64,104 | -61.84%
I suppose Zipf's law might be a great way to statistically show anomalous activity and might provide more accurate insights into what vulnerabilities attackers are looking for in the short term. I'm going to keep that in mind when building some of my reporting tools since my data sets are getting large enough that finding anomalous behavior can be a bit tricky nowadays.
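The Zipf baseline this comment walks through, as an added example (not the commenter's own tooling): it takes the observed counts from the table above, computes the expected count top/rank and the percentage deviation, and can drop the leading ranks the way the second re-run does. The 50% outlier cut-off is an assumption made for the example.

```python
"""Zipf's-law baseline for honeypot username frequencies (added example)."""
from typing import List, Sequence, Tuple

Row = Tuple[str, int, int, float]  # (word, actual, expected, pct_diff)

# Observed login-attempt counts per username, constructed here from the
# figures in the comment's first table (rank 1 = most frequently tried).
OBSERVED: List[Tuple[str, int]] = [
    ("root", 677_853), ("enable", 576_932), ("shell", 461_379),
    ("admin", 228_929), ("default", 80_896), ("user", 47_088),
    ("guest", 43_916), ("system", 43_311), ("sh", 28_833),
    ("support", 24_460),
]


def zipf_expected(counts: Sequence[Tuple[str, int]], skip: int = 0) -> List[Row]:
    """Compare ranked counts against a Zipf baseline.

    Zipf's law predicts that the item at rank k occurs about top/k times,
    where top is the count at rank 1. ``skip`` discards the leading ranks
    before fitting, so skip=1 reproduces the "remove the first value" re-run
    from the comment (the new rank 1 becomes the baseline).
    """
    ranked = list(counts)[skip:]
    if not ranked:
        return []
    top = ranked[0][1]
    rows: List[Row] = []
    for k, (word, actual) in enumerate(ranked, start=1):
        expected = round(top / k)
        pct = (actual - expected) / expected * 100.0
        rows.append((word, actual, expected, round(pct, 2)))
    return rows


def anomalies(rows: Sequence[Row], threshold_pct: float = 50.0) -> List[str]:
    """Usernames whose count deviates from the baseline by more than threshold_pct.

    The 50% cut-off is an assumption for this example; a real report would be
    tuned against historical data before it is used to flag anything.
    """
    return [word for word, _actual, _expected, pct in rows if abs(pct) > threshold_pct]


def format_table(rows: Sequence[Row]) -> str:
    """Render rows as a plain-text table like the ones in the comment."""
    lines = [f"{'Word':<10}{'Actual':>10}{'Expected':>10}{'Difference':>12}"]
    for word, actual, expected, pct in rows:
        lines.append(f"{word:<10}{actual:>10,}{expected:>10,}{pct:>+11.2f}%")
    return "\n".join(lines)


if __name__ == "__main__":
    for skip in (0, 1):
        rows = zipf_expected(OBSERVED, skip=skip)
        print(f"--- baseline with {skip} leading rank(s) dropped ---")
        print(format_table(rows))
        print("outliers (>50%):", ", ".join(anomalies(rows)), "\n")
```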
DaylightAdmin@reddit
I thought "pi" would be on the list.
flyguydip@reddit
Yeah, I would have thought so too, but it looks like the average is less than 10 logins a day with mostly the same passwords. Not even close to "Root" which has 677,818 login attempts since 8/14/2020. Keep in mind, those numbers would be much higher, but we export a list of attacker IPs to a text file every 5 minutes, and our firewall checks for a new list every 5 minutes. Once imported, the attackers can no longer attack any of our sites, including the honeypot. So they do get to hammer away for a little bit before they get completely locked out, but sometimes their attacks are scripted to attack only a few times before they get blocked.
The most common passwords for "Pi" in no particular order are:
5nWt3P-fF4WosQm5O
raspberry
pi
raspberryraspberry993311
-A variation of passwords starting at 123, walking up to 123456789.
Evil-Bosse@reddit
Feels like I'm out of the loop why 5nWt3P-fF4WosQm5O is that high on the list, what's it the default password for?
PolishedCheese@reddit
It doesn't need to be a default, it's probably a leaked password from a data breach
Evil-Bosse@reddit
Might be, but I find it interesting to be among the most common ones, like the default ones, or the 123456 ones. Since it was the only one that seemed like a proper password by miles compared to the others.
At least if the attempts come from multiple sources
Sintek@reddit
Shit "administrator" is not even in the top 20 (it is 30th)
Or "rootuser" doesn't even make top 100
DragonspeedTheB@reddit
No “ftp” “ftpuser”?
ontheroadtonull@reddit
That is just baby town frolics.
OgdruJahad@reddit
Oh dear I use support but I add random numbers afterwards for identification.
coukou76@reddit
Why? It's security 101 to remove/not use default accounts. Default accounts are the main target of automated attacks
OgdruJahad@reddit
Exactly, so when we have to argue with someone to change the defaults and we get pushback it just shows how little they understand and/or respect computer security.
coukou76@reddit
Oh shit I thought you did not agree with OP regarding this, my bad!
OgdruJahad@reddit
Not only do I agree I'm so pissed when I find easy to guess password like the ones for WIFI Direct on Printers😠
flyguydip@reddit
I've got a Honeypot that shows the top 10 usernames attackers tried to use to get in were all default usernames... so those would be the first to get locked out. Anyone willing to risk getting locked out of all critical systems might want to keep their resume updated. Lol
margirtakk@reddit
~~keep their resume updated~~
Go back to school
SmallBusinessITGuru@reddit
boogeraids_new_new_FINAL(3)-Admin
npsage@reddit
UN - OhShitOhShitOhShit
PW - PLEASELETTHISWORK1
HolyGonzo@reddit
Error: Password can't be any of your previous 10 passwords.
DelusionalSysAdmin@reddit
I prefer incorrect.
MasterBathingBear@reddit
PleaseLetThisWork10!
bridgetroll2@reddit
Good thing my password is:
Password can't be any of your previous 10 passwords
LeakyAssFire@reddit
My last place of employment used the names of dead U.S. presidents for that type of stuff.
pdp10@reddit
Okay, who Nixoned the VoIP backups?
miscdebris1123@reddit
Brody approves.
Johnny Utah does not.
Freehandgol@reddit
I'm so confused?? I think this post is from an end user??? I'm not sure why this is such a difficult thing? Why can't everyone have their own username with admin privileges to the things that they should be granted admin privileges to. Then make the admin password some crazy super long password that no one will be able to easily just type it in. Stop trying to outsmart yourself. KISS!!!!!
ColdHeat90@reddit
This is an incredible waste of resources in my opinion. If I have a team of 5 techs and 475 customers, I am absolutely not going to go into 475 customers and make 5 user accounts on any server or app these clients are using.
This is further compounded when adding or removing users and adding customers. It’s not scalable.
dartheagleeye@reddit
Since I keep all my passwords stored in a safe place…
I make accounts like this a random generated name and random password
Toubis@reddit
I use food names for example
Val Vita
Nancy Tollhouse
Peter Primavera
Sal Hlab
perthguppy@reddit
The password is what you need to protect. Doing random strings in usernames is pointless and borderline security through obscurity.
If someone is able to brute your password, make a longer password. If someone finds a password bypass, either patch your shit, or they are more likely to find an auth bypass.
Our admin account naming scheme is to use a standard well known format that includes either the persons name or initials and something to signify the access level, so reviewing logs is much easier.
walkasme@reddit
I always use some with a Z so it appears at the end of user lists (hide from GAL)
ZuneSomething
or how about guest (least expecting user with the most permission) or really please don't
OinkyConfidence@reddit
Bible characters with first and last names
Paul Peter
Saul Tarsus
Goliath David
Esther Queen
Enough to blend into your user list without looking like an admin user
L0kitheliar@reddit
Owner for the owner level access (or ga_owner)
ga_username for general admin accounts
slugshead@reddit
Let your password manager decide that for you
Spiritual_Cycle_3263@reddit (OP)
Mine is stupid. it only suggests passwords.
radraze2kx@reddit
Use a password suggestion as a username, and a different password suggestion as a password.
Evil-Bosse@reddit
Or use the password as the username, and a common username as a password? No one is going to guess john.doe as the password if the username is 20 random characters
kKXQdyP5pjmu5dhtmMna@reddit
How'd you guess the password to this account???
theRealNilz02@reddit
r/beetlejuicing?
kKXQdyP5pjmu5dhtmMna@reddit
I'm an actual system administrator, so I read this sub a lot. Happy coincidence! :D
Sasataf12@reddit
Except the username is often stored in plain text.
Randomly generating the username and password is the most secure (and the most extreme).
xXxLinuxUserxXx@reddit
we do that for all ipmi interfaces as they are on a separate network without any possibility to reach ldap etc.
anyway if you look at them it is more likely a hacker just uses any exploit to access ipmi than crack/bruteforce the credentials.
codecorax@reddit
ColonelPanic
Okayest_Employee@reddit
and his superior General Failure, and the lovely Major Outage
makazaru@reddit
I'm close friends with Private Meltdown
ylumys@reddit
adm-login
wrt-wtf-@reddit
Best practice is to rename, delete, or lock the admin account. If none of these set a maximum length password and complexity and hide the password deep. Different password on every system. Use an alternative account, as per your suggestion.
Also, if you can’t rename, lock, or delete the admin account you should have alerts triggered off your syslog or snmp stating the account has been used.
Xaphios@reddit
User specific admin accounts if possible. If not, then have a dummy user name - Jeff.Bezos for stuff in Azure, Bill.Gates for stuff in AWS, that kind of thing (don't actually use a name for a person connected to tech in any way even if it's funny - Doris.Jones is much better)
philixx93@reddit
For Breakglass Accounts I would suggest to use names that are not easy to guess and monitor all logins (and failed attempts!). Since they should never be used for daily business, this can be a good indicator to know that something is going on in your network.
Additionally you could use honeypot accounts with a more obvious naming scheme. Again with monitoring on all login attempts. Ultimately honeypot accounts are either very low privileged or disabled.
Darthvander83@reddit
Username: password Password: username
Password hint: uno reverse card
SiIverwolf@reddit
Or, use the name of someone memorable as the break glass and follow your normal naming conventions.
Ronald McDonald McDonaldR
"hide" the account amongst all your normal accounts, so it's much harder for any attacker to recognise as something important
JupiterB4Dawn@reddit
Trick question: doesn't matter, no one will remember it when the time come
leaflock7@reddit
the most worrisome is that your team don't want to change them.
all privileged accounts should be unique for each person (if possible) and have a distinct part that shows what it is being used for, of course that depends on how much separation you want to achieve.
What I mean is that someone might have an admin account for their domain and another admin account for other services. others might go even further and have 3-4-5 or more depending on the services or level of criticality of each one.
kyle6477@reddit
Admin might be referenced in the name but most of the time we take a "security-through-obscurity" approach.
It shouldn't be immediately guessable
Ad-1316@reddit
It's Karl with a K.
MasterBathingBear@reddit
KarlaK. I like your style.
anonymously_ashamed@reddit
Cark ?
joeyl5@reddit
That would be Mark
nefarious_bumpps@reddit
LeROY.JENKins
rcp9ty@reddit
Use Dino pass to make the username https://www.dinopass.com It comes up with some crazy passwords that make perfect usernames. Like one it suggested was Slimeyghost63 now the 63 means nothing to me but Norton Ghost used to be a great imaging tool and ghost busters came out in 84. So perhaps the break glass account for the backup system is SlimeyGhost84 and the password is Do-Ray-Egon or Ithoughtyousaiddon'tcrossthestreams
signalcc@reddit
We use Executive
cs4321_2000@reddit
Porn stars
Ezra611@reddit
All mine are named after TV characters.
Bimpster@reddit
Name Guest Admin and rename Administrator to something else. If your firm has an acronym use 3 letters to indicate your admins followed by acronym. Using your username as an example: SC3CONTOSO.
DisplacerBeastMode@reddit
I would name it something descriptive. What is the main function of the account? Veeam backup admin account? I'd call it veeamadmin or veeamsvc for a service account.
Just pick a naming convention like that -- I prioritize: easy to remember and self descriptive.
DestinyForNone@reddit
Typically, it's some combination of SITE_Admin Or SITE_ADM
protogenxl@reddit
Semprini
Im_In_IT@reddit
A- Y- SA- and so on. Gotta catch em all?
Practical-Alarm1763@reddit
BreakingBad@domain.com
Savings_Art5944@reddit
admin is a terrible idea.
First off, there is an Active Directory built in "service account" named admin. It will mess things up.
Second. There are countless other devices and services with hardcoded admin as the username accounts. It causes weird things to happen.
I know because I chased my own tail for years because I was guilty of doing it. It was my go-to for new client installs and even my own homelab before I figured it out.
hihcadore@reddit
Guess I’m the outlier. Since it’s a break glass it has the highest privilege and is excluded from restrictive policies. I use a name the owner will remember. Then write down the username / password, and have em lock it in the safe. In the chance all user accounts get enumerated I feel better if the break glass isn’t easily recognizable. Other admin accounts are the users lastname.adm or some variation like lastname.ladm for local etc.
PalmTreeCharli@reddit
I’m pretty sure one of our break glass accounts used to be named Ron Burgundy
RubAnADUB@reddit
Create a fake person but use some kind of realistic name. make sure you fill in all the information you usually do for other employees and give her a job title that is not in IT. "consultant" or janitor.
Spiritual_Cycle_3263@reddit (OP)
I did have a Luca as an Intern in AD. I may have told my disliked vendors that Luca is the decision maker.
OptimalCynic@reddit
He lives on the second tier
GullibleDetective@reddit
Security with obscurity isn't secure. It takes nothing to scan for priv accounts
So obfuscating the name only serves to stop the most junior tier 1 that wants to be a bad actor. Script kiddies have tools that automatically catch those
OptimalCynic@reddit
No, but it cuts down on log spam. Same reason I move ssh to 3022.
Spiritual_Cycle_3263@reddit (OP)
Nothing wrong with not using default admin names. It does help with bot attacks on the web.
Not sure how bots are going to scan for priv accounts since they don't have access to the db.
GullibleDetective@reddit
Nah nothing wrong with changing them to be fair, but relying on it and thinking it makes you safe just because you do that is an error.
Defense in depth should be employed always, but I'd rather spend my effort bringing facts to management to get MFA, SSH/SFTP, and pass phrases along with other nist best practices depending on your platform and other regulatory compliance requirements (PCI etc). than just admin names.
its_schmee@reddit
OhShit@domain.com
brads-1@reddit
muhamAD M INchle spells admin in the name, user name is minchle. Use your imagination with first names ending in "ad" middle initial "m" and last name starting with "in". Makes it totally unique for your environment.
OptimalCynic@reddit
Plus if someone screws up bad enough to need it, you can call him Mr Inchie in front of the office gossip
jpStormcrow@reddit
We salt all of our service/admin accounts with _x#### to mitigate brute forcing
PolishedCheese@reddit
And you use a password management system that rotates the passwords automatically, I assume?
jpStormcrow@reddit
Baby steps. We have LAPS on for local. Working towards auto rotation.
sryan2k1@reddit
Depending on the environment we do A-name for admin accounts and T-name for testing accounts, or account.admin/account.test
Jezbod@reddit
Ah yes! Use the default name so it is easier when they do brute force attacks...
We use a completely different naming convention for my M365 admin account and the break glass name is...something! I'll find out what it is if we need to use it - the info is on a piece of paper, sealed in an envelope with the disaster recover plan, in a fire safe.
malikto44@reddit
The ironic thing is that with a recent deployment, I used admin-whatever. I use
pwgen -B -n -v -A 8 1
and paste that as a suffix. For example, admin-r9hxdbjs. This way, it is easy to tell the user is an admin user, and the eight characters after the user ensure that brute force isn't going to allow the user to be guessed easily. Even though this is security through obscurity, it is sort of like replacing a pin tumbler lock with a Medeco or Smartkey lock, so all the teeming hordes walking up with bump keys and jigglers will try it to no avail, even though a good lockpicker will have it open in short order.
This is the same reason why I recommend people who have unique user IDs on their WordPress or other servers have a privileged admin user that is a completely different ID, and their userID people recognize have the bare minimum of permissions, like posting, and that's it.
virtualadept@reddit
We use diceware to pick three words that become the ICOE usernames.
skier3284@reddit
All of our break glass accounts are the default admin accounts for the appliance (a majority of them can't be changed/disabled anyways) with a 24 character randomly generated password that is cycled annually.
We use delinea for managing this which works well as it tells you when the password needs to be cycled and when/who accessed the password for the accounts.
We also have monitoring in place to alert us via email whenever a break glass account is logged into.
That being said none of these admin consoles are available externally as per company policy. As an admin I would not be comfortable with having admin appliances/consoles available externally without 2FA.
Comfortable_Gap1656@reddit
You do realize that the usernames are are easy to find right? The actual authentication portion is what matters. Just don't use default usernames such as admin or root.
belgarion90@reddit
Should be named after your most annoying user.
I_COULD_say@reddit
Target_This_Account
SynapticStatic@reddit
I keep seeing people suggesting using cartoon/fictional names/etc.
Don't. Just don't do that. You can get away with shit like that in your homelab, or in small companies, but in the enterprise when you have hundreds or thousands of devices, just no.
1) Make sure your management ports are behind a firewall and only accessible by specific IPs/Ranges/A specified jump server.
2) All admin accounts should be manufacturer default with a strong password.
3) You should be using a centralized secure password vault. Not saved in a text file in a file share, not on a wiki.
4) All servers/devices should be named something meaningful.
It's fun in your homelab to name things "Captain_Sparklez" or whatever, but when you get into the real world, other people have to deal with this shit and having to tell upper management or c-level people "Oh, Captain_Sparklez went down" is just embarrassing and does nothing. And when you're pasting your funny comedy admin names while on a screenshare with 30+ people during a crisis, do you really want to log into "Captain_Sparklez" With "Pickled_Rick"? It didn't do anything for your security posture, your maintenance, etc, and now everyone gets to see your dumb, unintuitive, totally not serious naming schemes.
I'm not just pulling this out of my ass, my last job we had hundreds of hosts with tens of thousands of VMs, idracs, management interfaces, etc, etc. It's absolutely critical to come up with a standardized naming scheme for all this. You're not the only one managing this stuff, and at the end of the day it's the company's equipment, not ours. Our duty as sysadmins is to design, build, and maintain efficient and secure systems, and you simply can't do that naming things with cartoon/fantasy names. You've got to get serious.
crashtesterzoe@reddit
Name it a current employee so this way when they leave. You have someone to blame. “God dam it Dave not again” 😂
no_regerts_bob@reddit
HackMeFirst
ObviousTarget1,2,3 etc
miscdebris1123@reddit
Obscurity is a single layer in the onion of cybersecurity. It should not be the only one.
hkusp45css@reddit
It *is*, however, a viable layer.
Remember, the point of most security is to make the other potential victims look like easier targets, comparatively.
certifiedsysadmin@reddit
It only makes your environment more complicated. A complicated environment makes it harder for other team members to back you up when you're away.
Just name it breakglass-xxxx so it's obvious what it is. If you set up proper alerting and protect the account with a Yubikey, no one is getting in.
Sasataf12@reddit
Every security layer adds complexity to an environment. An obscure username is easily remedied with documentation.
hkusp45css@reddit
Complicated is a really subjective term. With appropriate documentation, nothing is complicated just because it isn't labeled "breakglass-xxxx"
SnaxRacing@reddit
Yup, thought the same thing. I was like… we name it breakglassadmin, etc?
Ok_Explanation_4366@reddit
I prefer using their regular username and adding -la for local admin, or -ga for group based admin rights.
Ok_Explanation_4366@reddit
Vault the password behind MFA, and rotate the pw's on a regular basis using CyberArk if you wanna go over the top.
QuantumRiff@reddit
Our company has a three letter acronym we use for our own name in code. So to help with dictionary accounts, we have
xyz_admin and
xyz_backup_admin
coffee_ape@reddit
Movie themed based. 3-4 orgs ago, we had a Star Wars senior sysadmin. Our servers were named based on jedis and siths, along with the admin account name associated with it.
Let’s take Kingdom Hearts for example.
Admin account for your boss: Yensid
Admin account for the young tech: Ven
Admin account for the cursing tech: Donald Duck.
joshghz@reddit
Is Admin_DonaldDuck the one who never healed any issues when you needed him to?
coffee_ape@reddit
No, he heals you, you just have to change his settings to use support magic: always.
scrumclunt@reddit
I used Greek gods for a while then moved on to just randomly generated nonsense stored in a password manager
Sylogz@reddit
8-30 random characters depending on the system, upper/lower case and numbers along with some special characters. All need to be able to be written in the console easily. We had a system that we never managed to insert login and password before the prompt reset. Took me way too long to memorize the username and password to be quick enough.
TechBitch@reddit
Previous company, we used Star Trek Captain names for the backup admin accounts.
discosoc@reddit
Breakglass accounts should be documented, so you don't really have to get all crazy with their names. Our normal admin conventions are something like role.username, where the role is the admin role itself and the username is their normal username. So if someone has a normal username of frank.smith, then he might have a server.frank.smith (for local server admin), or ad.frank.smith (for Active Directory Users), or helpdesk.frank.smith (for password resets), or entra.frank.smith, etc, etc.
For default device accounts (which are only used for breakglass purposes), we would replace the role with the SN, and the username portion with device name. So a router admin account might be something like E39RG40G212P.rt-06-nyc.
thatto@reddit
Early on in my career, we had a madman who got into a fight with management and auditors about not using default usernames for admin. At one point management told him "I don't care what it is as long as it's not the default!"
His petty revenge was domain admins were pre-pended with 'pancakes_' and local admins were 'waffles_'
This was the same dude who chose to use cartoon character names for his domain controllers. There were some uncomfortable conversations with management about the domain controller "Butthead" missing the latest updates.
Spiritual_Cycle_3263@reddit (OP)
I'll bring the syrup_
daze24@reddit
We name them after our wives
nerfblasters@reddit
"Hey anyone know what the hell this 'NextTuesday' admin account is for?"
Spiritual_Cycle_3263@reddit (OP)
Shhh... my ThursdayNight might get mad.
TheLexikitty@reddit
Abbreviations for Service or similar can be good. SER-ADDS, etc.
Spiritual_Cycle_3263@reddit (OP)
that was my second suggestion
dadgenes@reddit
Nothing I'm going to mention on the open internet.
Spiritual_Cycle_3263@reddit (OP)
if you share it in this comment, I'm almost certain no one will see it
chillzatl@reddit
I can only assume the "Team" you're referring to are a bunch of devs and web people in which case what they want isn't worth a drop of piss. They get told how things are and they accept or they find another job.
If this is management and/or other admin level people then you need to have a sit down with management and explain reality to them. There's a reason any half way decent device or app that ships with Admin as the default login forces you to change it or even better, doesn't allow you to use it in the first place.
Spiritual_Cycle_3263@reddit (OP)
20% are, yes
kidmock@reddit
Security is always a balancing act. You need to take into account usability and serviceability. One such factor that should be taken into account is how quickly you can bring new team members up to speed and the knowledge they bring with them on day one.
To this end, you need to do a proper threat model.
Leaving things a default as possible helps to get others up to speed and reduces reams of unnecessary documentation that no one ever reads or can find during a crisis.
That's not to say there's not a good reason to deviate from the default (there is). Without understanding your threat model, I couldn't say if this is a good idea or not. More broadly, I'd be more concerned about other account security parameters than username.
Spiritual_Cycle_3263@reddit (OP)
Most users have their own accounts. This is more of a break-glass or because we need a default admin and can't change the name later so we don't want to tie it to a specific person's name
Swimsuit-Area@reddit
This only pertains to personal projects, but I name all of my accounts “lavos”
chakalakasp@reddit
Best would be to use a mash the keyboard username or at least a few random diceware words. This isn’t an account you should worry about being annoyed at typing out because it should basically only be used in some kind of contingency
Mean_Git_@reddit
For important accounts we used long European beer names
Competitive_Smoke948@reddit
slap your team members. Even back in the day the God Admin account was moved to a Guest Account and the Enterprise Admin was always named something completely different. Calling it admin IS a bad idea. Might as well make the password passw0rd, because obviously that's a good combo
TwilightKeystroker@reddit
Keep the admin accounts (cloud only, not licensed) to please the big dog then create new Break Glass accounts named BG1, BG2, etc.
Consistent_Memory758@reddit
Use the name of an actor, protagonist of a movie or other character.
Doublestack00@reddit
The_Blank_Admin
Change blank with something creative like Greatest, Baller etc.
223454@reddit
At home I use a random character string whenever I can. I have a password manager, so that helps a lot. I also use random character strings for security questions. "Where were you born?" "ODFmn2049df"
ncc74656m@reddit
I just used a random name for the BG account that isn't associated with a user, nor does it contain "admin" in the name. Security through obscurity is still an added layer, no matter how small.
BadSausageFactory@reddit
Once, in my PFY days, I named all the admin accounts after characters in Dune. I also did not hide them from the GAL. I realized this error when someone asked me who Liet Kynes was. This was the early 90s when I don't think as many people knew those names. BTW Lynch version 100% because Sting.
ncc74656m@reddit
That's it, I'm naming my new BG account Sting's Plastic Underwear.
MetaVulture@reddit
Karl_Von_Frank_Earl_Hacknottz
eruffini@reddit
Your passwords should be strong enough to handle dictionary attacks, as well as implementing security to automatically ban IPs after so many attempts.
admlshake@reddit
LOL Nice try Putin.
ChicharonLover@reddit
RUSKIADMIN, access is blocked this time.