What is the point in using your username to log in?

SuperInfinity

Why not just have a strong password and no entering of a username, your username just comes up?

There is as little chance that someone will have the exact same properly chosen password as there is that they would have your username + password. Similarly, it would be just as secure, moreso in fact per keystroke.

Coriolanus

What would get displayed above "Registered User"?

starbelgrade

SuperInfinity wrote: »

Why not just have a strong password and no entering of a username, your username just comes up?

Let me guess... you're still using Internet Explorer.

Sinfonia

SuperInfinity wrote: »

Why not just have a strong password and no entering of a username, your username just comes up?

There is as little chance that someone will have the exact same properly chosen password as there is that they would have your username + password. Similarly, it would be just as secure, moreso in fact per keystroke.

Because two people could possibly use the same password. Pretty basic stuff.

KeithM89_old

SuperInfinity wrote: »

There is as little chance that someone will have the exact same properly chosen password ...

Well i hope no one else is using 'password' as their password....

SuperInfinity

Sinfonia wrote: »

Because two people could possibly use the same password. Pretty basic stuff.

But as I just stated, if the passwords are properly chosen then there would be as little chance of that happening as if two people had the exact same username + password.

SuperInfinity

Nevore wrote: »

What would get displayed above "Registered User"?

Your username still comes up, it's just contained within your password. Just like how you don't have to type what date you joined. I didn't answer this immediately because I didn't know what you meant.

Sinfonia

SuperInfinity wrote: »

But as I just stated, if the passwords are properly chosen then there would be as little chance of that happening as if two people had the exact same username + password.

Two people can't have the same username, and that's the point.
When registering, you will be told the username is unavailable if someone else has taken it.
If you were told that somebody was already using the password you've tried to set up an account with, then you could just log in under their account.

And to create suitably intricate passwords as you suggest, would be a pain for some people in terms of remembering it. UN/PW is easier and safer.

Guill

It's just to waste your time OP.

Coriolanus

SuperInfinity wrote: »

But as I just stated, if the passwords are properly chosen then there would be as little chance of that happening as if two people had the exact same username + password.

But since the Interweb Emancipation Act of 2001, people over the age of 35 have been using the internet. They don't understand things like "no, don't use your username as your password. Or the dogs name. No, mam, it's not a really good idea to use your credit card number either. Yes, I know random numbers and letters look hard, but you can write it down somewhere if you really need to. No, not on a piece of paper stuck to the monitor at your desk in the bank you work at."

Edit:

SuperInfinity wrote: »

Your username still comes up, it's just contained within your password. Just like how you don't have to type what date you joined. I didn't answer this immediately because I didn't know what you meant.

Yeah, I know. I was being facetious.

alwaysadub

Just leave yourself logged in.
Problem solved.

SuperInfinity

Sinfonia wrote: »

Two people can't have the same username, and that's the point.

lol, oh yeah. Ok I admit I forgot this. :rolleyes:

Okay what if the first five letters of your password had to be unique? But I still maintain it wouldn't happen anyway, a few more keystrokes and it would very fast be as unlikely as if you typed someone's username and were guessing the passwords.

Sinfonia wrote: »

When registering, you will be told the username is unavailable if someone else has taken it.
If you were told that somebody was already using the password you've tried to set up an account with, then you could just log in under their account.

And to create suitably intricate passwords as you suggest, would be a pain for some people in terms of remembering it. UN/PW is easier and safer.

I get tired of typing them in though. I'm not convinced it's easier (for a particular level of safety).

El Weirdo

SuperInfinity wrote: »

lol, oh yeah. Ok I admit I forgot this. :rolleyes:

Okay what if the first five letters of your password had to be unique?

I know, let's just leave it as it is, ok?

SuperInfinity wrote: »

I get tired of typing them in though. I'm not convinced it's easier.

What sort of 1990s browser are you using that doesn't have autofill for your usernames?

Sinfonia

SuperInfinity wrote: »

lol, oh yeah. Ok I admit I forgot this. :rolleyes:

Okay what if the first five letters of your password had to be unique?

XD I admire your obduracy my good man.

You should have chosen a shorter username :P

Pauleta

I think you should need a semen sample to log in

ejmaztec

SuperInfinity wrote: »

lol, oh yeah. Ok I admit I forgot this. :rolleyes:

Okay what if the first five letters of your password had to be unique? But I still maintain it wouldn't happen anyway, a few more keystrokes and it would very fast be as unlikely as if you typed someone's username and were guessing the passwords.



I get tired of typing them in though. I'm not convinced it's easier (for a particular level of safety).

You could always solve this by not logging in at all.:p

Sinfonia

Pauleta wrote: »

I think you should need a semen sample to log in

I would think semen samples are generally produced immediately before leaving a website :P

bleg

If you type your password in here it comes up as ********* to other users.

copacetic

Pauleta wrote: »

I think you should need a semen sample to log in

Whose?

ocallagh

Two important security features of a username:

With just one password, you will never be able to associate a failed login attempt with an account.
A username can safely be used as a unique identifier.

Sinfonia

bleg wrote: »

If you type your password in here it comes up as ********* to other users.

blegisabiggay6969 omfgz it works!!

KeithM89_old

bleg wrote: »

If you type your password in here it comes up as ********* to other users.

'erectileDysfunction'



Does it??
:pac:

Black Swan

Pauleta wrote: »

I think you should need a semen sample to log in

What if you have more than one b/f? Have multiple accounts?

Red Hand

Black Swan wrote: »

What if you have more than one b/f? Have multiple accounts?

And what if you were a heterosexual male and didn't have a boyfriend? Log in with an egg?

Sinfonia

Jeremiah 16:1 wrote: »

And what if you were a heterosexual male and didn't have a boyfriend? Log in with an egg?

Look down.

foxinsox

Nevore wrote: »

But since the Interweb Emancipation Act of 2001, people over the age of 35 have been using the internet. They don't understand things like "no, don't use your username as your password. Or the dogs name. No, mam, it's not a really good idea to use your credit card number either. Yes, I know random numbers and letters look hard, but you can write it down somewhere if you really need to. No, not on a piece of paper stuck to the monitor at your desk in the bank you work at."

But since the Internet was invented by people who are over 35 now, the Information Super Highway Emancipation Act of 1969, code III Sub. IV states that people under the age of 35 cannot make such vast generalisations as their generalisations may deem to be biased towards their experience only with their ma.

http://en.wikipedia.org/wiki/Timeline_of_popular_Internet_services

Gordon

SuperInfinity wrote: »

But as I just stated, if the passwords are properly chosen then there would be as little chance of that happening

Ah if only the world was perfect.

Liam Byrne

SuperInfinity wrote: »

But as I just stated, if the passwords are properly chosen then there would be as little chance of that happening as if two people had the exact same username + password.

You're dealing with the public....you can't rely on stuff like that.

OutlawPete

OP, if you were able to do that from tomorrow, then the password you would choose, would most likely have to be so complex (must contain ten charters, four digits and a ex girlfriend's phone number) that it would take you just as long to type it in, as it does now to type in both.

Knasher

SuperInfinity wrote: »

Okay what if the first five letters of your password had to be unique?

That's equivalent to putting a limit of 5 letters to user names. It's safe enough then but you haven't really saved anything by doing it and you have put an upper limit on the number of registered users.

Just to be exact, if you only allow letters and numbers you would be limiting yourself to 376992 users only. (and to take it a little further, boards passed that number in September last year)

red menace

“Before I broke into the IT racket,” Scott Simons writes, “I was a front-line Customer Service Rep. At the time, the procedure for logging into our service management system was a bit puzzling.”
“Like many organizations, your User ID was assigned by the company, but you had to choose your own password. But instead of having a screen to do that, you had to fill out a Password Request Form and fax it corporate headquarters. And then things got strange.
“There was a 50/50 chance that corporate would reject your password. There was no rhyme or reason, such as not having enough numeric characters, or anything like that. It was just a simple notice, sent back via fax: Your password was not created. Please choose a different password.
“Actually, their rejection messages weren’t always so simple. I decided to change my password one day to something more secure – two mixed-case passwords with numbers and special characters – but IT rejected it because they couldn’t read my handwriting. I typed out my secure password and then refaxed it. They responded that they changed my password... but not to what I picked: they just randomly chose some word, like frequency. Evidently they were tired of dealing with me.

“And then, one day, everything clicked. I became enlightened when I mistakenly typed in a password that I had unsuccessfully requested at one time in the past: instead of a invalid credentials message, I found myself logged in as a completely different user.
“A little testing (at other people’s workstations, just in case) confirmed my incredible suspicion: the User ID field on the login screen was a dummy. The login script looked only at the password field, comparing it to the list of passwords; if it matched, you were logged in as the user who owned that password, regardless of what User ID you had entered into the screen. The reason that passwords were sometimes rejected was simply that each user had to have a unique password for this ‘security’ scheme to work.
“I guess you could call it could call it fake one-factor authentication? Or half-factor authentication?
“After playing around a bit more, it was really easy to find some poorly-thought out passwords that belonged to users with much more powerful system permissions than mine. I believe one of them was a sales manager in Boston, who was apparently fond of kittens.
“I never chose to wreak any havoc with this knowledge – or even share this crazy scheme with my coworkers – but I’m glad I can finally tell someone about it today.

I also work in IT and I know people are using the most retarded passwords ever
My current password is touching 30 characters long, it sometimes takes me more than one attempt to get it right

SuperInfinity

Knasher wrote: »

That's equivalent to putting a limit of 5 letters to user names. It's safe enough then but you haven't really saved anything by doing it and you have put an upper limit on the number of registered users.

Just to be exact, if you only allow letters and numbers you would be limiting yourself to 376992 users only. (and to take it a little further, boards passed that number in September last year)

Eh? 26 characters plus 10 numerals (26+10)^5 = 60,466,176

If you allows upper and lower case letters: 62^5 = 916,132,832

Besides, there's no good reason that a password should be limited like that.

What if I want a very long username? Also there's the fact that you have to press tab....

The Left Hand Of God

dolphin.

Its not like anyone else will use it.

The Left Hand Of God

red menace wrote: »

I also work in IT and I know people are using the most retarded passwords ever
My current password is touching 30 characters long, it sometimes takes me more than one attempt to get it right

Do you agree with a 30 day forced password change limit?

I find that the most pity-full and stupid thing ever. Forces people to be stupid IMO

red menace

The Left Hand Of God wrote: »

Do you agree with a 30 day forced password change limit?

I find that the most pity-full and stupid thing ever. Forces people to be stupid IMO

It works if users are not allowed to reuse passwords or tack a number onto the end say password1 then password2 and so on

On the point of just using a password and no username
It would make brute forcing boards really simple.
Without the username being required any combination of characters could be tried and potentially loads of accounts could be comprimised

Knasher

SuperInfinity wrote: »

Eh? 26 characters plus 10 numerals (26+10)^5 = 5,2521,875.

If you allows upper and lower case letters: 62^5 = 916,132,832

It isn't 36 to the power of 5, it's 36 choose 5, because you need to pick exactly 5 characters. 62 choose 5 would give you 6471002, which is better but still wouldn't do for very large websites.

SuperInfinity wrote: »

Besides, there's no good reason that a password should be limited like that.

This is the limit you were proposing by asking for the first 5 characters to be unique. Obviously you could have an alias after you login, but that still doesn't do away with the limit.

SuperInfinity wrote: »

What if I want a very long username? Also there's the fact that you have to press tab....

Well they could allow aliasing.

SuperInfinity

The Left Hand Of God wrote: »

Do you agree with a 30 day forced password change limit?

I find that the most pity-full and stupid thing ever. Forces people to be stupid IMO

Yes I've always thought that to be ridiculous. Most people just append their password with a number and cycle through them anyway.

Krusader

Logging in on different PCs, people can have the same password but not the same username

SuperInfinity

red menace wrote: »

It would make brute forcing boards really simple.
Without the username being required any combination of characters could be tried and potentially loads of accounts could be comprimised

This isn't true at all. That's like saying any combination of usernames and passwords could be tried. The "tab" between your username and password is the exact same as having a known character somewhere in the middle of the password-only one. Any potential implementation of it to make it harder to brute-force (no) could be directly copied in the password-only scenario by treating the first and second parts differently.

Truecrypt for example doesn't have any "user name" required. You can use keyfiles but they're not to avoid bruteforcing a password.

Knasher

SuperInfinity wrote: »

This isn't true at all. That's like saying any combination of usernames and passwords could be tried. The "tab" between your username and password is the exact same as having a known character somewhere in the middle of the password. Any implementation of it to make it harder to brute-force could be directly copied in the password-only scenario by treating the first and second parts differently.

Truecrypt for example doesn't have any "user name" required. You can use keyfiles but they're not to avoid bruteforcing a password.

It is true. When you have usernames and passwords you can know the username, but you would need to try many passwords in order to get the right one, because there is only one right one. If it was just passwords, then it would be much easier to get an account. Not a specific account mind you, just a random one, simply because there are many right passwords that would get you in.

The reason you don't need a username for truecrypt is because there is only one correct password.

SuperInfinity

Knasher wrote: »

It is true. When you have usernames and passwords you can know the username, but you would need to try many passwords in order to get the right one. If it was just passwords, then it would be much easier to get an account. Not a specific account mind you, just a random one.

The reason you don't need a username for truecrypt is because there is only one correct password.

It would only be easier if the username + password was exactly equal to the password alone and all characters allowed in passwords were also allowed in usernames because of the seperation of them which is equivalent to the use of "tab". The amount of different possibilities given by tab is the length minus 1, and so would rarely be as much as another character (password would have to be over ~128 characters long).

Also if you had access to the list of usernames, or to the username that you wanted, obviously that would be vasty easier than a long password.

Yakult

KeithM89 wrote: »

Well i hope no one else is using 'password' as their password....

That's too easy, I added 321 to the end of it and no one has go it.

vibe666

SuperInfinity wrote: »

This isn't true at all. That's like saying any combination of usernames and passwords could be tried.

no it isn't.

if you have NO username and say a 15 character password it's going to be very difficult for anyone to guess what it is. if you have a board with 1,000,000 users it's going to be a hell of a lot easier to guess what any one or even some of those passwords are using brute force, particularly if you know that it NEEDS to be a long password as you can remove anything shorter than the minimum password length from the attack. BUT simply adding a username means that you have to guess every possible password until you get the right one for EACH user, not just guess the right password for any user.

if you really don't like typing in usernames & passwords all the time then use something like lastpass with a strong master password and let it handle everything else online for you.

Knasher

Actually sorry, realised I was wrong with my maths up above. Red faced now and tired I think I'll bow out before I make a further fool of myself.

I don't concede the point though, I just don't trust my maths at this point to argue it.

vibe666

SuperInfinity wrote: »

It would only be easier if the username + password was exactly equal to the password alone and all characters allowed in passwords were also allowed in usernames because of the seperation of them which is equivalent to the use of "tab".

if it makes you feel better, you can just pretend that you don't have a username at all and that your password is actually yourusernameTAByourpassword and that it's only for extra security that boards.ie separates them into two different boxes and your problem is instantly solved.

Knasher wrote: »

Actually sorry, realised I was wrong with my maths up above. Red faced now and tired I think I'll bow out before I make a further fool of myself.

ah c'mon, that's not how boards works, you have to argue your point* regardless of any merit it may or may not have, even in the face of overwhelming criticism and/or self doubt. :pac:

*i'm actually shit at maths, so you might well be correct, i wouldn't know either way.

SuperInfinity

vibe666 wrote: »

no it isn't.

if you have NO username and say a 15 character password it's going to be very difficult for anyone to guess what it is. if you have a board with 1,000,000 users it's going to be a hell of a lot easier to guess what any one or even some of those passwords are using brute force, particularly if you know that it NEEDS to be a long password as you can remove anything shorter than the minimum password length from the attack. BUT simply adding a username means that you have to guess every possible password until you get the right one for EACH user, not just guess the right password for any user.

if you really don't like typing in usernames & passwords all the time then use something like lastpass with a strong master password and let it handle everything else online for you.

vibe666.

You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.

red menace

SuperInfinity wrote: »

vibe666.

You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.

Your true crypt example is invalid as there is only one outcome- decrypting the file
If you have a rainbow table and a known site that uses just passwords and no username for authentication you only need to try the passwords from a rainbow table or the like.
For a given list of passwords you are sure to comprimise a number of accounts
Just hit the tab buddy

vibe666

SuperInfinity wrote: »

vibe666.

You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.

you can't just say something to make it true, no matter how much you want it to be the case.

you are welcome to think what you like of course, but it doesn't change the facts, and the facts are that there is a very good reason why it's the accepted standard for pretty much every login you can think of on a global scale, specifically because it is more secure than just a password alone, regardless of how that password is made up.

the simple truth is, that the more factors you have for a particular account, the more secure it is likely to be. why do you think most online banking has a 3 factor login?

i know you really want your idea to make sense, but it just doesn't and you need to realise that there is a big difference between having a strong opinion about something and having a valid point and sticking your fingers in your ears and telling them to go away just because someone disagrees with you will solve nothing.

SuperInfinity

vibe666 wrote: »

the simple truth is, that the more factors you have for a particular account, the more secure it is likely to be. why do you think most online banking has a 3 factor login?

I tried to explain that if you really wanted to, you could have a different known character replacing tab somewhere between the first and last characters. And how this would only multiply the possible variations of it by the number of characters minus 1. Like if we say underscore:

tskjalksdfdkj_lksjadkfasldkfekskjae

could be one of them. This is the exact same as splitting them up. The only difference with a password one longer than it is that the underscore could be any character.

Now that's it, I'm done. It's beyond me to explain it in any simpler terms and you can accuse me of trying to force myself being right or anything else, I don't really care. I am not the type who goes around trying to "win" arguments, I'm just trying to honestly say how it works.

There is nothing I am more sure about in the entire world. What you are trying to say is that (72^14)*14 is bigger than 72^15 and I am telling you it is not.

vibe666

SuperInfinity wrote: »

could be one of them. This is the exact same as splitting them up. The only difference with a password one longer than it is that the underscore could be any character.

in that case, regardless of who is right and who is wrong on the maths/security part of it, what difference does it even make at all what button you hit to go from your username to your password when what you are suggesting (by your own admission) amounts to basically the same thing?

for something such as a web forum, all an attacker has to do is register as a new user and they instantly have access to every registered username for that site, so all they have to do then is crack the password (or in your case the 2nd half of the password since the first half is the username anyway).

obviously, with the main difference here being that the entire world has already been using the current method for many years and not only is everything set up for that to work, but everyone is used to doing it that way so why would anyone want to change it now?

the merits of a 2 factor username & password login are pretty obvious as they are still pretty secure but much easier to remember than a 20 character random string of letters, numbers and symbols.

this isn't about arguing or winning, this is about you presenting an idea for people to review and critique and judge it on it's potential merits, so if you believe in what you are putting forward to the forum, then at the very least i think you would be willing to defend it.

SuperInfinity

vibe666 wrote: »

in that case, regardless of who is right and who is wrong on the maths/security part of it, what difference does it even make at all what button you hit to go from your username to your password when what you are suggesting (by your own admission) amounts to basically the same thing?

for something such as a web forum, all an attacker has to do is register as a new user and they instantly have access to every registered username for that site, so all they have to do then is crack the password (or in your case the 2nd half of the password since the first half is the username anyway).

In my scenario, there is no need for them to have access to the 1st part of the password either. If all of the usernames are available (as they usually are), then the attacker just has to go through that many usernames. Bruteforcing with the list of usernames available would only be as hard as bruteforcing 2-3 extra characters. 70^2 or 70^3.

vibe666 wrote: »

obviously, with the main difference here being that the entire world has already been using the current method for many years and not only is everything set up for that to work, but everyone is used to doing it that way so why would anyone want to change it now?

the merits of a 2 factor username & password login are pretty obvious as they are still pretty secure but much easier to remember than a 20 character random string of letters, numbers and symbols.

But for one thing you can see the usernames, as mentioned above. This is partly why some websites have you log in using your email address instead of your username. But there's no magic that happens when you have two different fields, it would be the same as entering one unique password.

You wouldn't have to have 20 random characters. A lot of the point is that you need less characters. This would allow you to have long usernames without having to type it in all the time.

vibe666 wrote: »

this isn't about arguing or winning, this is about you presenting an idea for people to review and critique and judge it on it's potential merits, so if you believe in what you are putting forward to the forum, then at the very least i think you would be willing to defend it.

I am willing to defend it, that's why I'm arguing for its merits.