securitydirectoryprivacyrisk-analysis

Is sharing your C:/Users name a security risk?


I was wanting to show a video of my python code working to someone but in this video I need to show my folders. C:\Users\etc\etc. Is giving the users bit a risk (obviously it's my windows name in place of 'users') because I often see tutorials blocking this name.


Solution

  • Short answer, yes it is a security risk, you are telling someone the username for your system. However, the better question is, should you go to the effort of hiding it based on the security risk?

    Unfortunately this question is much harder to answer with a simple yes / no answer and depends a lot on your personal (and your organisations) attitude to risk.

    If someone is trying to hack into their system having valid credentials for the system is obviously a good way to go, hence the amount of effort that goes into phishing style e-mails, websites etc. By showing your username you have given the attacker half the things they need (assuming no MFA etc.).

    That being said often usernames are often very easy to guess. Built in accounts e.g. Administrator in Windows and root in Linux have been targets in the past, although they are better protected from Network logins these days. In corporate environments, usernames are often e-mail addresses or the user part of the address (the bit before the @ symbol).

    As well as considering how available your username is in the public domain already you need to consider where is the video going to be shared. For example if you are in a corporate environment where usernames are firstname.lastname and this video is only going to be shared on the company intranet. Well, quite honestly, anyone with access to the video can guess your username.

    Based on the hints above you can make your mind up about whether or not you need to hide your username. Let's look at this from another angle, how hard is it to hide the username. Assuming that your demonstration works just as well from any directory on your computer, why not put everything you need in C:\temp and then there is no need to show a path with your username in?

    In summary, the choice is yours and I hope you this gives you a guide to how to consider the risks and make an informed choice. Personally (sorry SO rule followers, I will give a quick opinion here) I would avoid showing it as generally it is easy to build a video from a temp directory rather than one off C:\Users\<username> equally when using a Linux system I don't lose any sleep over the fact that the prompt shows my username.