What PowerSchool isn’t saying about its ‘massive’ student data breach

It’s only January, but the recent hack of U.S. edtech giant PowerSchool has the potential to be one of the biggest breaches of the year. 

PowerSchool, which provides K-12 software to more than 18,000 schools to support some 60 million students in the United States, confirmed the breach in early January. The California-based company, which Bain Capital acquired for $5.6 billion in 2024, said at the time that hackers used compromised credentials to breach its customer support portal, allowing further access to the company’s school information system, PowerSchool SIS, which schools use to manage student records, grades, attendance, and enrollment. 

“On December 28, 2024, we became aware of a potential cybersecurity incident involving unauthorized access to certain PowerSchool SIS information through one of our community-focused customer portals, PowerSource,” PowerSchool spokesperson Beth Keebler told TechCrunch. 

PowerSchool has been open about certain aspects of the breach. Keebler told TechCrunch that the PowerSource portal, for example, did not support MFA at the time of the incident, while PowerSchool did. But a number of important questions remain unanswered.

This week, TechCrunch sent PowerSchool a list of outstanding questions about the incident, which has the potential to impact millions of students in the U.S. Keebler declined to answer our questions, saying that all updates related to the breach would be posted on the company’s SIS incident page, which hasn’t been updated since January 17.

PowerSchool told customers it would share an incident report from cybersecurity firm CrowdStrike, which the company hired to investigate the breach, on January 17. But several sources who work at schools impacted by the breach told TechCrunch that they have yet to receive it.

The company’s customers also have lots of unanswered questions, forcing those impacted by the breach to work together to investigate the hack.

Here are some of the questions that remain unanswered. 

It’s not known how many schools, or students, are affected

TechCrunch has heard from schools affected by the PowerSchool breach that the impact could be “massive.” However, PowerSchool’s incident page makes no mention of the scale of the breach, and the company has repeatedly declined to say how many schools and individuals are affected. 

In a statement sent to TechCrunch last week, Keebler said PowerSchool had “identified the schools and districts whose data was involved in this incident,” but would not be sharing the names of those involved. 

However, communications from impacted school districts give a general idea of the size of the breach. The Toronto District School Board (TDSB), Canada’s largest school board that serves approximately 240,000 students each year, said this week that hackers may have accessed some 40 years’ worth of student data. Similarly, California’s Menlo Park City School District confirmed that hackers accessed information on all current students and staff — which respectively number around 2,700 students and 400 staff — as well as students and staff dating back to the start of the 2009-10 school year.

The scale of the data theft is also unknown. PowerSchool also hasn’t said how much data was accessed during the cyberattack, but in a communication shared with its customers earlier this month, seen by TechCrunch, the company confirmed that hackers stole “sensitive personal information” on students and teachers, including some students’ Social Security numbers, grades, demographics, and medical information. TechCrunch has also heard from multiple schools affected by the incident that “all” of their historical student and teacher data was accessed. 

One person who works at an affected school district told TechCrunch that the stolen data includes highly sensitive student information, such as details of parental access rights to their children, including restraining orders, and information about when certain students need to take their medications.

PowerSchool hasn’t said how much it paid the hackers responsible for the breach

PowerSchool told TechCrunch that the organization had taken “appropriate steps” to prevent the stolen data from being published. In the communication shared with customers, the company confirmed that it worked with a cyber-extortion incident response company to negotiate with the threat actors responsible for the breach. 

This all but confirms that PowerSchool paid a ransom to the attackers that breached its systems. However, when asked by TechCrunch, the company refused to say how much it paid, nor how much the hackers demanded.

We don’t know what evidence PowerSchool received that the stolen data has been deleted

In a statement shared with TechCrunch earlier this month, PowerSchool’s Keebler said the organization “does not anticipate the data being shared or made public” and that it “believes the data has been deleted without any further replication or dissemination.”

However, the company has repeatedly declined to say what evidence it has received to suggest that the stolen data had been deleted. Early reports said the company received video proof, but PowerSchool wouldn’t confirm or deny when asked by TechCrunch. 

Even then, proof of deletion is by no means a guarantee that the hackers are still not in possession of the data; the U.K.’s recent takedown of the LockBit ransomware gang unearthed evidence that the gang still had data belonging to victims who had paid a ransom demand.

We don’t yet know who was behind the attack

One of the biggest unknowns about the PowerSchool cyberattack is who was responsible. The company has been in communication with the hackers but has refused to reveal their identities. CyberSteward, the Canadian incident response organization that PowerSchool worked with to negotiate, did not respond to TechCrunch’s questions.

Do you have more information about the PowerSchool data breach? We’d love to hear from you. From a non-work device, you can contact Carly Page securely on Signal at +44 1536 853968 or via email at carly.page@techcrunch.com.

Google Fiber is coming to Las Vegas

Google Fiber’s next big expansion is underway in Las Vegas, Nevada. After first announcing the expansion last year, Google has confirmed that it has started construction in Las Vegas and Clark County where its fiber internet service will be available “later this year.”

GFiber, as it’s increasingly being branded, is currently available in select cities across 19 states, including California, North Carolina, Texas, Tennessee, and more. The company most recently lit up its services in Pocatello, Idaho; Logan, Utah; and Lakewood, Colorado, and it plans on bringing GFiber to Lawrence, Kansas as well. Like other fiber internet services, GFiber has symmetrical internet speeds, meaning the speeds for uploads and downloads are the same.

Google’s streamlined plans offer three options instead of four.
Image: Google

On Wednesday, Google also confirmed that it’s piloting simplified, “lifestyle-based” plans in Alabama and Tennessee, which were first spotted last month. The new $70 / month Core 1 Gig, $100 / month Home 3 Gig, and $150 / month Edge 8 Gig plans replace the 1 Gig, 2 Gig, 5 Gig, and 8 Gig plans that GFiber widely offers.

These new plans are also launching in all of the locations where GFiber is currently available in Arizona and North Carolina, GFiber spokesperson Sunny Gettinger tells The Verge. They’re coming to most of GFiber’s remaining cities within the next month, too.

Trump administration fires members of cybersecurity review board in “horribly shortsighted” decision

The logos of the U.S. Department of Homeland Security are seen on computer terminals in a training room of the Cyber Crimes Center of the U.S. Immigration and Customs Enforcement October 13, 2009 in Fairfax, Virginia.

On Tuesday, a day after Donald Trump’s inauguration as the new U.S. president, the Department of Homeland Security told members of several advisory committees that they were effectively fired. 

Among the committees impacted is the Cyber Security Review Board, or CSRB, according to sources familiar with the board who spoke to TechCrunch, as well as reporting by other news outlets. The CSRB was made up of both private sector and government cybersecurity experts.

One person familiar with the CSRB, who received the letter informing them that their membership in the CSRB was being terminated, criticized the decision.

“Shutting down all DHS advisory boards without consideration of the impact was horribly shortsighted,” the person, who asked to remain anonymous, told TechCrunch. “Stopping the CSRB review when China has ongoing cyber attacks into our critical infrastructure is a dangerous blunder. We need to learn from Salt Typhoon and protect ourselves better. The fact this isn’t a priority for Trump is telling.”

“You can’t stop what you don’t understand and the CSRB was arming us with understanding,” the person added.

The person was referring to the CSRB’s review of the devastating recent breaches at several telecoms in the U.S., allegedly carried out by Chinese government hackers.

Contact Us

Do you have more information about the Trump administration and its decisions and activities in the cybersecurity realm? From a non-work device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram and Keybase @lorenzofb, or email. You also can contact TechCrunch via SecureDrop.

CISA spokesperson Valerie Mongello referred TechCrunch’s request for comment to DHS, which did not respond to a request for comment. 

“In alignment with the Department of Homeland Security’s (DHS) commitment to eliminating the misuse of resources and ensuring that DHS activities prioritize our national security, I am directing the termination of all current memberships on advisory committees within DHS, effective immediately,” read the letter sent to members of the CSRB. 

Another person familiar with the matter pointed out that “it’s interesting that the rationale is ‘misuse of resources’ because all advisory board members get an excitingly rich salary of…$0.” 

Katie Moussouris, a cybersecurity expert with more than two decades of experience, and a former member of the CSRB, told TechCrunch that “the people who serve as government advisors should be judged by skills and merit, not by political affiliation. I’m hopeful that these critical advisory board vacancies will be filled with the most qualified people without delay.”

The CSRB investigated the breach of U.S. government email systems provided by Microsoft, also allegedly carried out by Chinese government hackers. In March of last year, the committee published a report on the incident, which was widely lauded in the cybersecurity community. 

Other DHS advisory committee members that are reportedly impacted by DHS’s decision are those dedicated to artificial intelligence, telecommunications, science and technology, and emergency preparedness.

UK Pledges Public Sector AI Overhaul

The U.K. government has unveiled a set of digitisation plans within the public sector to save £45 billion each year in productivity. The headline announcement is “Humphrey,” a set of AI tools to speed up policy-making activities.

Most Humphrey tools summarise government data, including debates, meetings, policies, laws, and responses to consultations, so civil servants can search through it more quickly when making decisions. Before this, the collation of consultation responses was outsourced to contractors, costing the taxpayer £100,000 a pop.

Another plan is to establish a new team within the Department for Science, Technology, and Innovation that will be in charge of identifying how tech can be used to improve the efficiency of public services. Current systems result in the U.K. tax authority taking 100,000 phone calls daily and the driving licence agency processing 45,000 physical letters, making response times unnecessarily long.

This team will start by developing solutions to help people with disabilities or long-term illnesses more quickly access the services they need, such as financial support or healthcare. The tech will connect the relevant government departments or local authorities so individuals don’t have to be passed between up to 40 of them in a series of phone calls.

Other initiatives, announced on Jan. 21, include:

A full roadmap of these plans on how the government will renew its £23 billion a year tech spend will come in the summer.

UK public services are plagued by legacy technology

European companies tend to specialise in mature technologies, meaning the region is often seen as technologically behind, particularly compared to the U.S. The U.K. is a top culprit, particularly in critical national infrastructure, which is difficult and expensive to update without downtime.

A government report published this week found that nearly half of public services, such as those offered by the NHS and local councils, cannot be accessed online. For example, registering a death must be done in person, and businesses must place a newspaper advert when they want to buy a lorry.

The report found that a quarter of all digital systems used by the central government are outdated, leading to high maintenance costs and a heightened risk of cyber attacks. NHS England alone saw 123 critical service outages last year, leading to missed appointments and disruptions relating to staff being forced to use paper-based systems.

Cybercrime disruption can have even more severe consequences. In June, a ransomware attack on pathology company Synnovis led to months of NHS disruption and, according to Bloomberg, resulted in harm to dozens of patients, with long-term or permanent damage in at least two cases.

Government is dedicated to making the UK an AI leader, reaping economic growth

This announcement comes just a few days after the government’s “AI Opportunities Action Plan,” outlining the 50 ways it will build out the AI sector and turn the U.K. into a “world leader.” The strategy involves boosting public computing capacity twentyfold, creating a training data library, and building AI hubs in deindustrialised areas.

Last year, the U.K. signed an agreement committing to explore how AI can improve public services and boost economic growth, along with the other Group of Seven nations.

Science Secretary Peter Kyle said in a press release: “We will use technology to bear down hard to the nonsensical approach the public sector takes to sharing information and working together to help the people it serves. We will also end delays businesses face when they are applying for licenses or permits, when they just want to get on with the task in hand – growth.”

A “Digital Commercial Centre of Excellence” will also be forged as part of the overhaul, which will look at how public sector firms can invest in U.K. tech startups and scaleups, simultaneously boosting their efficiency and creating jobs.

Everything new on Max in February 2025

Rick and Chelsea stand together in The White Lotus season 3

As we begin our venture into a brand new month, all the best streaming services, most recently Max, are dropping their February 2025 schedules one after the other. Last month, Max welcomed its first wave of 2025 titles, which included some of the best Max movies, from A Star is Born (2018) to The Imitation Game (2014). This month, the streaming service looks to be continuing its run of highly-rated additions.

It’s always a treat to see what new Max movies and shows are headed to Max each month, especially since it’s one of the few platforms that have a jam-packed first day of titles (there are 80 new additions being added on February 1 alone). And in addition to the slew of movies on day one, one of the most-awaited TV renewals – The White Lotus season 3 – will finally be here on February 16.

Abbott Lingo Continuous Glucose Monitor Review: Easy and Clear

To put on the Lingo, you unwrap it and place the carton in the dispenser. Clicking the dispenser on your arm, which sends the filament under your skin, stings only faintly. It feels like getting flicked with a finger. It is way less painful than pricking your finger with a needle until you bleed, many times a day, and I was an idiot and should have done this before.

The sensor itself is fine. I don’t feel it most of the time, unless I change my clothes with much vigor and abandon, in which case I do have to be careful. You can pick where you put the sensor; most people pick their non-dominant arm. It’s water-resistant, so you can swim and shower with it, and you don’t have to charge it.

Once I had the sensor on, I opened the Lingo app, registered, and waved my phone next to it. Done! I was ready to start monitoring.

Sugar Rush

If you’ve never monitored your blood glucose continuously, you’re probably in for a few surprises. Eating in a way that makes sense to a glucose monitor does not always mean eating healthier, objectively. For example, consider a typical lunch for me, which is a bowl of homemade pureed carrot soup and whole wheat bread. Because carrots and bread are carbs, this spikes my blood sugar to an alarming extent. An ultra-processed protein peanut butter bar, however, barely moves my blood sugar at all, even though if you’re healthy, one is not necessarily better than the other.

If you reduce the number of carbs you consume, you will reach ketosis, which is when your body starts burning your body fat instead of your readily available blood glucose for energy, because you have none. This is different, and less dangerous, than getting ketosis as a diabetes complication, but I still hate it.

I put the Lingo on during CES, where I did make one alarming discovery—I was walking around way too much for the amount of food that I was eating, and I was going hypoglycemic during the night. I thought my sleep disturbances were just due to work, stress, and being away from my family, but no, I was totally bottoming out.

I hope Sharge’s new retractable charger can survive me fidgeting with it all day

First revealed last December through a Chinese retailer, Sharge’s new 65W GaN charger is now available globally. As the name implies, the Retractable 65 features an integrated USB-C cable that fully retracts when not in use so you won’t be scrambling to find one when a device is about to die. It’s available in white or black for $39.90 and while it comes with US style folding prongs it can be ordered with EU and UK outlet adapters.

An additional USB-C port allows the charger to power two devices, although the maximum power output drops to 60W with both ports in use.
Image: Sharge

The Retractable 65 can deliver up to a maximum of 65W of power with a single device connected, so you can use it to charge larger devices like laptops. In addition to the retractable USB-C cable that’s just over 27 inches in length, the charger includes an additional USB-C port. Two devices can be charged simultaneously, but while Sharge hasn’t detailed how power is split between the two ports, the charger’s maximum output drops to 60W while both are in use.

The charger’s retracting mechanism is left visible through a transparent housing.
Image: Sharge

The Retractable 65 joins a growing number of chargers and portable power solutions featuring retractable cables, thanks in part to most devices now supporting USB-C so companies like Sharge don’t have to accommodate several different charging ports.

The big question with this trend is how durable are the internal mechanisms used to retract integrated cables? As someone who likes to fidget with gadgets all day (and who broke the spring-loaded memory card eject mechanism on a Sony camera while fidgeting with it) I will undoubtedly be doing the same with chargers like this.

Will it survive someone mindlessly yanking out the cable and watching it go flying back into the charger all day like a tape measure? On its website Sharge claims the mechanism can survive “10,000+ stretch cycles” without breaking, but we’ve reached out to the company for more details about the charger’s durability — including if a broken retraction mechanism is covered under warranty — and will update this story when it responds.

Conduent confirms outage was due to a cybersecurity incident

U.S. government contractor Conduent, which provides technology to support services such as child support and food assistance, has confirmed that a recent outage was caused by a cybersecurity incident. 

Conduent confirmed the disruption, which left some U.S. residents without access to support payments, to TechCrunch on Tuesday but declined to say whether the outage was related to a compromise of its systems. 

In an updated statement sent to TechCrunch on Wednesday, Conduent spokesperson Sean Collins confirmed that the disruption was “due to a cybersecurity incident,” the nature of which was not confirmed.

“This incident was contained and all systems have been restored,” Collins said. “Maintaining system integrity and functionality is as important to us as it is to our clients.”

Collins declined to share any further details about the incident, including whether the company was aware of any data exfiltration.

A Capitol Rioter’s Son Is Terrified About His Father’s Release

Almost four years to the day since his father was taken into custody for his part in the January 6 Capitol riot, Jackson Reffitt watched in complete shock as President Donald Trump signed an executive order that pardoned and commuted sentences for his father and some 1,500 other insurrectionists.

Reffitt has spent most of the last four years in hiding, constantly on the move every few months. He was the person who tipped off the FBI about his father’s involvement in the insurrection. Jackson’s father, Guy Reffitt, was a member of the Texas Three Percenter group when he stormed the Capitol wearing body armor and carrying a pistol and zip ties. He was caught on camera urging other rioters to storm the Capitol building and told members of his militia group that he intended to drag House Speaker Nancy Pelosi out of the building by her ankles, “with her head hitting every step on the way down.”

“Trump himself has given him a presidential pardon to let him be free. That validation is a once-in-a-lifetime kind of experience that he’s never going to get again,” Reffitt tells WIRED. “I can’t imagine what he’s going to be willing to do now. It could get a whole hell of a lot worse.”

Reffitt is “terrified” about what is going to happen next, and has armed himself with a handgun and a rifle to protect himself and his boyfriend. Over the last few years, he has been targeted, harassed and threatened online.

Since Trump pardoned everyone, the threats are becoming even more intense.

“[In the last 24 hours] it’s gotten worse than ever,” Reffitt tells WIRED. “I think just because, yet again, the validation that Trump is bringing is just making people a whole lot more emboldened to just say some vile, disgusting shit.”

Reffitt is not the only family member of a released January 6 prisoner who is concerned about the fallout from Trump’s blanket pardons. Tasha Adams, the ex-wife of Oath Keeper leader Stewart Rhodes who had his 22-year sentence for seditious conspiracy commuted by Trump, is also worried about what might happen. “Stewart is out of prison now and, frankly, I could really use a bit of a run fund, in case it comes to that,” Adams wrote on her GoFundMe page on Tuesday, hours after her ex-husband was released from prison.

The investigation into the January 6, 2021 attack on the Capitol became the biggest in Justice Department history, and left many far-right militia groups in the country in ruins. But with a single pen stroke on Monday night, Trump has reinvigorated the militia movement, freeing their most prominent figures, including Rhodes and Proud Boy leader Enrique Tarrio.

“One of the things I’m most concerned about is the risk of groups that were decimated after J6 coming back stronger, especially since many of them had their sentences commuted or were outright pardoned,” says Luke Baumgartner, a research fellow at George Washington University’s Program on Extremism. “I wouldn’t be shocked if the Oath Keepers began making more appearances, and seeing the Proud Boys accelerate their culture war tactics, especially against the LGBTQ community, like we’ve seen before. Their leaders are free, they have a lot to catch up on, and they are likely feeling vindicated.”


Got a Tip?

Are you a family member of a January 6 prisoner who is being released? We’d like to hear from you. Using a nonwork phone or computer, contact David Gilbert at david.gilbert@wired.com or securely on Signal on DavidGilbert.01


Guy Reffitt was the first rioter to go on trial for his actions on January 6 and initially received a sentence of seven years and three months, which was reduced by seven months in December after a Supreme Court ruling that led to the dismissal of an obstruction charge against him.

“I’m a very strong Patriot, with fabulous support from Patriot Warriors, as we navigate troubled waters,” Reffitt wrote to one acquaintance from jail in a text message submitted by the prosecution at his December resentencing.

Trump’s first 100 days: all the news impacting the tech industry

A plan to build a system of data centers for artificial intelligence has been revealed in a White House press conference, with Masayoshi Son, Sam Altman, and Larry Ellison joining Donald Trump to announce The Stargate Project. Their companies, Softbank, OpenAI, and Oracle (respectively), along with MGX are listed as “initial equity funders” for $500 billion in investments over the next four years, “building new AI infrastructure for OpenAI in the United States.”

According to a statement from OpenAI, “Arm, Microsoft, NVIDIA, Oracle, and OpenAI” are the initial tech partners, with a buildout “currently underway” starting in Texas as other sites across the country are evaluated. It also says that “Oracle, NVIDIA, and OpenAI will closely collaborate to build and operate this computing system.”

How to Create a Secure Username

When it comes to protecting yourself online, having a secure password has been the default recommendation. However, you may be surprised to know that having a secure username is just as important as using a strong password.

Serving as your identity online, usernames are prized assets for hackers to acquire. Even if they’re not as coveted as your passwords, they can be used to get hold of your online data.  In this sense, it’s essential to craft a unique and safe username that will keep your accounts away from threat actors and prying eyes.

In this article, we discuss what a username is, why it’s important to have a unique and secure username, and some tips and tricks to get there.

What is a username?

A username is a group of characters that serve as your identity for an account or service, either in a computer system or on the internet. They’re also called login names, user IDs, login IDs, and account names.

As identifiers, usernames help distinguish and set you apart from other people or accounts. This is in contrast to passwords, which are used to authenticate or verify that you are who you say you are when logging into an account.

Below is a quick description of both and their main difference:

  • Usernames: Identify who you are, whether on a computer, a network, an online service, or an application.
  • Passwords: Authenticate or confirm that you are who you claim to be, giving you access to an account once they are correctly provided.

These days, most online sites, social media networks, games, and applications require a username before you can continue using their service. Some websites allow you to use your email address as a username, but that isn’t always the case and, at times, isn’t the recommended practice.

Why is it important to create a secure username?

While it seems like a no-brainer to have a strong password, having an equally secure username is crucial for these reasons:

They’re often included in data leaks and breaches

In a massive data breach, a hacker aims to get as much information on you as possible. This means they not only target passwords but also eye your phone number, address, email, and of course, your username.

Since usernames and passwords go hand-in-hand, a hacker having your username technically means they have 50% of your login credentials. This makes it significantly easier for cybercriminals to use strategies like brute force attacks or credential stuffing, i.e., a high-powered form of trial and error, to try and steal your account.

Usernames are public information

It’s essential to remember that most usernames are available to the public because they act as identifiers. Think about your business’ LinkedIn account, your Amazon account, or even your personal username for gaming. All of these can be viewed by you, other people, and hackers alike. In this regard, they don’t have the same type of security as passwords regarding private information.

With this, I strongly recommend creating unique usernames for each account you have. Why? Let’s say you regularly use one username for many of your accounts — including your email address. Here, hackers can use your public username to track down all your other accounts. This leaves you highly susceptible to social engineering tactics, scams, or phishing attempts.

They can help build your anonymity online

While usernames are public, they don’t necessarily have to include your full name. In this regard, having a secure username can be a great way for you to strengthen your online privacy. If you do it right, no one technically knows which username is tied to your account. This allows you to browse the internet without worrying about others looking into what you’re doing online.

Another way usernames can help strengthen privacy is by using them to separate your work and personal life online. Like the example above, you can use a completely different username for your personal accounts. This allows you to keep your personal feed private and maintain your business account at the same time.

How do I create a secure username?

Fortunately, creating a secure username can be a straightforward process, provided you follow some key steps. Here’s what I recommend:

1. Avoid including your full name, address, or other personal information

Most accounts, except work accounts perhaps, won’t require you to use your full name — and for good reason. Having your name in your username will make it much easier for hackers to identify you and subsequently find your other accounts.

For example, if your name is John Doe and you have “JohnDoe” as your Amazon username, it would be a breeze for cybercriminals to put two and two together and conclude that this Amazon username is yours.

Similarly, any personally identifiable information also shouldn’t be in your username, as you’re inadvertently giving hackers more data to work with to hack your account.

Here’s a list of data you should definitely avoid including in your username:

  • Date of birth.
  • Address.
  • Email address.
  • Phone number/s.
  • ID numbers or PINs.
  • Social security number.
  • Your hometown.

Remember, since usernames are public info, hackers have the same access to them as you do. If you include something like your home address in your username, a savvy hacker can use it to their advantage and possibly target you.

Hackers can also use any personal info you have in your username to answer security questions. These questions are safeguards placed in most online services that help authenticate your identity and allow you to retrieve or reset your password when needed.

To illustrate, let’s say your username is JohnDoeAug11. In this instance, a hacker can assume that “Aug11” is your date of birth. In theory, this means the hacker now has both your name and your birthday.

If you have an online account with a security question asking what your birthday is, they would now be able to unlock your account or login credentials without you knowing.

2. Don’t reuse usernames for other accounts

It’s worth emphasizing that you should avoid reusing usernames when creating a new account. Using a new, unique username every time you make a new account drastically reduces the likelihood of your accounts being hacked.

While this can be inconvenient, I do think the additional layer of security you provide your accounts with this practice is very much worth it.

In addition, I also discourage merely revising old usernames or slightly modifying them. Why so? Take, for example, the username “techrepublic1.”

If we change it to something like “techrepublic2,” this still leaves you at great risk of being compromised since hackers can readily sift through different variations of your username when they try to acquire your credentials.

Steering clear of repeating used login details is the same practice recommended when creating a new password. If you’re curious about how to have a strong password, check out our How to Create a Secure Password guide.

3. Make it memorable for you but hard to guess for everyone else

Now that we’ve gone through some things not to do, let’s see how we can actually create a unique username from scratch. Since usernames can be anything under the sun, one way to do it is to use a combination of words that mean something to you and only you.

I strongly suggest mixing words or phrases that mean something to you but can be hard for anyone else to guess. Here are some ideas to think of when creating your unique username:

  • Your hobbies or interests.
  • Your characteristics or personality.
  • Your favorite items.
  • Old nicknames or pet names.
  • Favorite movies, games, or TV shows.

Let’s say your favorite animal is a dolphin, and you’re quite fond of pizza. For you, maybe “pizzadolphin37” as a username is a good pick.

It’s also encouraged to add in random characters, like symbols or numbers, at your discretion. Just make sure you’re able to remember it well.

4. Ensure your username and password are unrelated

Another thing to remember is to ensure your username and password are two completely unrelated words. While this may seem obvious, having a username-password combo that connects somehow is a recipe for disaster.

Below is an example of login credentials that relate to each other:

  • Username: RosesAreRed.
  • Password: VioletsAreBlue.

Even if having related login details helps you remember them, it’s important to acknowledge that both hackers and their tools have evolved. Such a combination would not be difficult for hackers and threat actors to crack, least of all for the more experienced ones.

5. Use a random username generator

Finally, you can also use online username generators that will automatically create a username for you. Many of these username generators let you set specific parameters for your username, such as how many characters it has, what type of words are used, whether it’s random text or an actual phrase, and the like.

Below are some online username generators I’ve seen that provide a fair amount of options and settings you can tweak to get your desired username:

A handful of password managers also have username generators you can use, such as 1Password and Bitwarden. I list these password managers, with more details about each, below to help you decide which ones to go for.

6. Have a secure way to store them, such as via a password manager

Since we’ve touched on them, password managers can be worthwhile investments for storing and securing unique usernames. Aside from storing passwords, password managers are also designed to automatically store all the usernames you use for each account. This means you won’t have to think about remembering all your usernames, as the password manager does that for you.

Most modern password managers also include autofill capabilities, which removes the hassle of remembering the specific username and password for each account. With autofill, password managers will automatically populate the login form fields for you.
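Steps 1, 2, 4 and 5 above can be checked mechanically. The following Python code is an added example, not from the original article or any password manager; the function names, the four-character overlap threshold and the short word list are assumptions chosen for illustration.

```python
import re
import secrets

# Constructed word list for illustration; a real generator would use a much larger one.
WORDS = ["pizza", "dolphin", "harbor", "violet", "copper", "meadow", "lantern", "quartz"]

def _norm(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def _stem(username):
    """Normalized username without trailing digits ("techrepublic2" -> "techrepublic")."""
    return _norm(username).rstrip("0123456789")

def audit_username(candidate, personal_facts=(), existing=(), password=""):
    """Return a list of findings; an empty list means none of the rules was tripped."""
    findings = []
    cand = _norm(candidate)
    # Step 1: personal information embedded in the username.
    for fact in personal_facts:
        f = _norm(fact)
        if len(f) >= 3 and f in cand:
            findings.append(f"contains personal info: {fact}")
    # Step 2: exact reuse, or an old username with only the trailing number changed.
    for old in existing:
        if _stem(old) and _stem(old) == _stem(candidate):
            findings.append(f"reuses or lightly modifies: {old}")
    # Step 4: username and password share a fragment of four or more characters
    # (assumed threshold; shorter overlaps are too common to be meaningful).
    pw = _norm(password)
    if any(cand[i:i + 4] in pw for i in range(len(cand) - 3)):
        findings.append("shares a fragment with the password")
    return findings

def generate_username(words=WORDS, n_words=2, digits=3):
    """Step 5: join randomly chosen words and random digits using a CSPRNG."""
    picked = [secrets.choice(words) for _ in range(n_words)]
    number = "".join(secrets.choice("0123456789") for _ in range(digits))
    return "".join(picked) + number

if __name__ == "__main__":
    # Constructed inputs taken from the article's own examples.
    print(audit_username("JohnDoeAug11", personal_facts=["John Doe", "Aug 11"]))
    print(audit_username("techrepublic2", existing=["techrepublic1"]))
    print(audit_username("RosesAreRed", password="VioletsAreBlue"))
    print(generate_username())
```

The password is only compared in memory here; a check like this belongs on the device where the credentials are created, never in a service that would have to receive the password to run it.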

Password managers with username generators

If you’re interested in trying out a password manager service, here are three that I find are worth checking out.

Fortunately, all three password managers below offer a username generator either within the app or via their official website, so you’ll have no trouble creating a unique username with any of them.

| | Bitwarden | 1Password | NordPass |
|---|---|---|---|
| Star rating | 4.6 out of 5 stars | 4.3 out of 5 stars | 4.6 out of 5 stars |
| Starting price | $0.83 per month | $2.99 per month | $1.69 per month |
| Username generator | Yes | Yes | Yes |
| Standout feature | Free version with unlimited password storage and unlimited devices | Polished and intuitive user interface with travel mode capabilities | Modern XChaCha20 encryption, refined UI, and flexible subscription options |

Bitwarden

If you’re looking for a fully free password manager, Bitwarden is one of the best. Its free plan provides unlimited password storage, which is a big plus considering other free password managers impose a cap on how many passwords can be stored. Bitwarden Free also enables access to an unlimited number of devices, letting you access your encrypted vault from any device. Privacy enthusiasts also appreciate Bitwarden for being open-source and having a strong portfolio of third-party audits.

To learn more, read our full Bitwarden review.

1Password

For users who prioritize a streamlined user experience, I recommend 1Password. Its desktop application and browser extension both have polished designs, making it easy to manage numerous passwords and accounts. On the security side, 1Password employs a zero-knowledge approach, ensuring all your sensitive credentials are accessible only to you. 1Password accounts are also end-to-end encrypted and use AES-256 encryption, the gold standard encryption algorithm in the industry today.

To learn more, read our full 1Password review.

NordPass

If you’re a fan of NordVPN and looking for a companion password manager, NordPass should be on your radar. As Nord Security’s take on password management, NordPass takes a lot of cues from their popular VPN in striking a strong balance between a clean UI and overall security. It uses the “future-proof” XChaCha20 encryption algorithm; offers a refined and modern-looking desktop app; and provides a reasonable number of multifactor authentication methods as well. I personally appreciate its subscription options, having both a free version and either an annual or two-year paid plan.

To learn more, read our full NordPass review.

Copyright © 2025 WordupNews