
What is the point in using your username to log in?


Comments

  • Banned (with Prison Access) Posts: 2,449 ✭✭✭SuperInfinity


    Knasher wrote: »
    That's equivalent to putting a limit of 5 letters to user names. It's safe enough then but you haven't really saved anything by doing it and you have put an upper limit on the number of registered users.

    Just to be exact, if you only allow letters and numbers you would be limiting yourself to 376992 users only. (and to take it a little further, boards passed that number in September last year)

    Eh? 26 characters plus 10 numerals (26+10)^5 = 60,466,176

    If you allow upper and lower case letters: 62^5 = 916,132,832

    Besides, there's no good reason that a password should be limited like that.

    What if I want a very long username? Also there's the fact that you have to press tab....


  • Closed Accounts Posts: 413 ✭✭The Left Hand Of God


    dolphin.

    It's not like anyone else will use it.


  • Closed Accounts Posts: 413 ✭✭The Left Hand Of God


    red menace wrote: »
    I also work in IT and I know people are using the most retarded passwords ever
    My current password is touching 30 characters long, it sometimes takes me more than one attempt to get it right

    Do you agree with a 30 day forced password change limit?

    I find that the most pitiful and stupid thing ever. Forces people to be stupid IMO


  • Closed Accounts Posts: 1,462 ✭✭✭red menace


    Do you agree with a 30 day forced password change limit?

    I find that the most pitiful and stupid thing ever. Forces people to be stupid IMO

    It works if users are not allowed to reuse passwords or tack a number onto the end say password1 then password2 and so on

    On the point of just using a password and no username
    It would make brute forcing boards really simple.
    Without the username being required any combination of characters could be tried and potentially loads of accounts could be compromised


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    Eh? 26 characters plus 10 numerals (26+10)^5 = 5,2521,875.

    If you allow upper and lower case letters: 62^5 = 916,132,832

    It isn't 36 to the power of 5, it's 36 choose 5, because you need to pick exactly 5 characters. 62 choose 5 would give you 6471002, which is better but still wouldn't do for very large websites.
    Besides, there's no good reason that a password should be limited like that.
    This is the limit you were proposing by asking for the first 5 characters to be unique. Obviously you could have an alias after you login, but that still doesn't do away with the limit.
    What if I want a very long username? Also there's the fact that you have to press tab....
    Well they could allow aliasing.


  • Banned (with Prison Access) Posts: 2,449 ✭✭✭SuperInfinity


    Do you agree with a 30 day forced password change limit?

    I find that the most pitiful and stupid thing ever. Forces people to be stupid IMO

    Yes I've always thought that to be ridiculous. Most people just append their password with a number and cycle through them anyway.


  • Registered Users, Registered Users 2 Posts: 4,057 ✭✭✭Krusader


    Logging in on different PCs, people can have the same password but not the same username


  • Banned (with Prison Access) Posts: 2,449 ✭✭✭SuperInfinity


    red menace wrote: »
    It would make brute forcing boards really simple.
    Without the username being required any combination of characters could be tried and potentially loads of accounts could be compromised

    This isn't true at all. That's like saying any combination of usernames and passwords could be tried. The "tab" between your username and password is the exact same as having a known character somewhere in the middle of the password-only one. Any potential implementation of it to make it harder to brute-force (no) could be directly copied in the password-only scenario by treating the first and second parts differently.

    Truecrypt for example doesn't have any "user name" required. You can use keyfiles but they're not to avoid bruteforcing a password.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    This isn't true at all. That's like saying any combination of usernames and passwords could be tried. The "tab" between your username and password is the exact same as having a known character somewhere in the middle of the password. Any implementation of it to make it harder to brute-force could be directly copied in the password-only scenario by treating the first and second parts differently.

    Truecrypt for example doesn't have any "user name" required. You can use keyfiles but they're not to avoid bruteforcing a password.

    It is true. When you have usernames and passwords you can know the username, but you would need to try many passwords in order to get the right one, because there is only one right one. If it was just passwords, then it would be much easier to get an account. Not a specific account mind you, just a random one, simply because there are many right passwords that would get you in.

    The reason you don't need a username for truecrypt is because there is only one correct password.


  • Banned (with Prison Access) Posts: 2,449 ✭✭✭SuperInfinity


    Knasher wrote: »
    It is true. When you have usernames and passwords you can know the username, but you would need to try many passwords in order to get the right one. If it was just passwords, then it would be much easier to get an account. Not a specific account mind you, just a random one.

    The reason you don't need a username for truecrypt is because there is only one correct password.

    It would only be easier if the username + password was exactly equal to the password alone and all characters allowed in passwords were also allowed in usernames because of the separation of them which is equivalent to the use of "tab". The amount of different possibilities given by tab is the length minus 1, and so would rarely be as much as another character (password would have to be over ~128 characters long).

    Also if you had access to the list of usernames, or to the username that you wanted, obviously that would be vastly easier than a long password.


  • Moderators, Computer Games Moderators Posts: 7,944 Mod ✭✭✭✭Yakult


    KeithM89 wrote: »
    Well i hope no one else is using 'password' as their password....

    That's too easy, I added 321 to the end of it and no one has got it.


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    This isn't true at all. That's like saying any combination of usernames and passwords could be tried.
    no it isn't.

    if you have NO username and say a 15 character password it's going to be very difficult for anyone to guess what it is. if you have a board with 1,000,000 users it's going to be a hell of a lot easier to guess what any one or even some of those passwords are using brute force, particularly if you know that it NEEDS to be a long password as you can remove anything shorter than the minimum password length from the attack. BUT simply adding a username means that you have to guess every possible password until you get the right one for EACH user, not just guess the right password for any user.

    if you really don't like typing in usernames & passwords all the time then use something like lastpass with a strong master password and let it handle everything else online for you.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    Actually sorry, realised I was wrong with my maths up above. Red faced now and tired I think I'll bow out before I make a further fool of myself.

    I don't concede the point though, I just don't trust my maths at this point to argue it.


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    It would only be easier if the username + password was exactly equal to the password alone and all characters allowed in passwords were also allowed in usernames because of the separation of them which is equivalent to the use of "tab".
    if it makes you feel better, you can just pretend that you don't have a username at all and that your password is actually yourusernameTAByourpassword and that it's only for extra security that boards.ie separates them into two different boxes and your problem is instantly solved. :D
    Knasher wrote: »
    Actually sorry, realised I was wrong with my maths up above. Red faced now and tired I think I'll bow out before I make a further fool of myself.
    ah c'mon, that's not how boards works, you have to argue your point* regardless of any merit it may or may not have, even in the face of overwhelming criticism and/or self doubt. :pac:

    *i'm actually shit at maths, so you might well be correct, i wouldn't know either way. :)


  • Banned (with Prison Access) Posts: 2,449 ✭✭✭SuperInfinity


    vibe666 wrote: »
    no it isn't.

    if you have NO username and say a 15 character password it's going to be very difficult for anyone to guess what it is. if you have a board with 1,000,000 users it's going to be a hell of a lot easier to guess what any one or even some of those passwords are using brute force, particularly if you know that it NEEDS to be a long password as you can remove anything shorter than the minimum password length from the attack. BUT simply adding a username means that you have to guess every possible password until you get the right one for EACH user, not just guess the right password for any user.

    if you really don't like typing in usernames & passwords all the time then use something like lastpass with a strong master password and let it handle everything else online for you.

    vibe666.

    You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.


  • Closed Accounts Posts: 1,462 ✭✭✭red menace


    vibe666.

    You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.


    Your true crypt example is invalid as there is only one outcome- decrypting the file
    If you have a rainbow table and a known site that uses just passwords and no username for authentication you only need to try the passwords from a rainbow table or the like.
    For a given list of passwords you are sure to compromise a number of accounts
    Just hit the tab buddy


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    vibe666.

    You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.
    you can't just say something to make it true, no matter how much you want it to be the case.

    you are welcome to think what you like of course, but it doesn't change the facts, and the facts are that there is a very good reason why it's the accepted standard for pretty much every login you can think of on a global scale, specifically because it is more secure than just a password alone, regardless of how that password is made up.

    the simple truth is, that the more factors you have for a particular account, the more secure it is likely to be. why do you think most online banking has a 3 factor login?

    i know you really want your idea to make sense, but it just doesn't and you need to realise that there is a big difference between having a strong opinion about something and having a valid point and sticking your fingers in your ears and telling them to go away just because someone disagrees with you will solve nothing.


  • Banned (with Prison Access) Posts: 2,449 ✭✭✭SuperInfinity


    vibe666 wrote: »
    the simple truth is, that the more factors you have for a particular account, the more secure it is likely to be. why do you think most online banking has a 3 factor login?

    I tried to explain that if you really wanted to, you could have a different known character replacing tab somewhere between the first and last characters. And how this would only multiply the possible variations of it by the number of characters minus 1. Like if we say underscore:

    tskjalksdfdkj_lksjadkfasldkfekskjae

    could be one of them. This is the exact same as splitting them up. The only difference with a password one longer than it is that the underscore could be any character.

    Now that's it, I'm done. It's beyond me to explain it in any simpler terms and you can accuse me of trying to force myself being right or anything else, I don't really care. I am not the type who goes around trying to "win" arguments, I'm just trying to honestly say how it works.

    There is nothing I am more sure about in the entire world. What you are trying to say is that (72^14)*14 is bigger than 72^15 and I am telling you it is not.


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    could be one of them. This is the exact same as splitting them up. The only difference with a password one longer than it is that the underscore could be any character.
    in that case, regardless of who is right and who is wrong on the maths/security part of it, what difference does it even make at all what button you hit to go from your username to your password when what you are suggesting (by your own admission) amounts to basically the same thing?

    for something such as a web forum, all an attacker has to do is register as a new user and they instantly have access to every registered username for that site, so all they have to do then is crack the password (or in your case the 2nd half of the password since the first half is the username anyway).

    obviously, with the main difference here being that the entire world has already been using the current method for many years and not only is everything set up for that to work, but everyone is used to doing it that way so why would anyone want to change it now? :confused:

    the merits of a 2 factor username & password login are pretty obvious as they are still pretty secure but much easier to remember than a 20 character random string of letters, numbers and symbols.

    this isn't about arguing or winning, this is about you presenting an idea for people to review and critique and judge it on its potential merits, so if you believe in what you are putting forward to the forum, then at the very least i think you would be willing to defend it.


  • Banned (with Prison Access) Posts: 2,449 ✭✭✭SuperInfinity


    vibe666 wrote: »
    in that case, regardless of who is right and who is wrong on the maths/security part of it, what difference does it even make at all what button you hit to go from your username to your password when what you are suggesting (by your own admission) amounts to basically the same thing?

    for something such as a web forum, all an attacker has to do is register as a new user and they instantly have access to every registered username for that site, so all they have to do then is crack the password (or in your case the 2nd half of the password since the first half is the username anyway).

    In my scenario, there is no need for them to have access to the 1st part of the password either. If all of the usernames are available (as they usually are), then the attacker just has to go through that many usernames. Bruteforcing with the list of usernames available would only be as hard as bruteforcing 2-3 extra characters. 70^2 or 70^3.
    vibe666 wrote: »
    obviously, with the main difference here being that the entire world has already been using the current method for many years and not only is everything set up for that to work, but everyone is used to doing it that way so why would anyone want to change it now? :confused:

    the merits of a 2 factor username & password login are pretty obvious as they are still pretty secure but much easier to remember than a 20 character random string of letters, numbers and symbols.

    But for one thing you can see the usernames, as mentioned above. This is partly why some websites have you log in using your email address instead of your username. But there's no magic that happens when you have two different fields, it would be the same as entering one unique password.

    You wouldn't have to have 20 random characters. A lot of the point is that you need less characters. This would allow you to have long usernames without having to type it in all the time.
    vibe666 wrote: »
    this isn't about arguing or winning, this is about you presenting an idea for people to review and critique and judge it on its potential merits, so if you believe in what you are putting forward to the forum, then at the very least i think you would be willing to defend it.

    I am willing to defend it, that's why I'm arguing for its merits.


  • Registered Users, Registered Users 2 Posts: 13,016 ✭✭✭✭vibe666


    I am willing to defend it, that's why I'm arguing for its merits.
    good stuff, that's the spirit! :)

    i'm stuck working at the minute, so i'm going to have a proper think about it again over the weekend and i'll get back to you, but in the meantime i'm sure :o i hope someone will think of something clever to say on the subject so i don't have to think too hard.


  • Registered Users, Registered Users 2 Posts: 2,370 ✭✭✭Knasher


    Had a quick look at this (now with 100% better maths) and I have come to the conclusion (ignoring things like having obvious passwords) that a password which is exactly as long as the username and password combined are equally secure if you have the maximum number of users allowed by the system. In any other case SuperInfinity's system would win. (plus you save the tab keystroke)

    So I happily concede the point to SuperInfinity.

    The only caveat is that the password does still have to be unique so it would probably need to be randomly generated password and therefore unique for every site and also quite long. So from a usability standpoint I'm happier with the system as is.
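
The comparison argued over in this thread, worked through as an added example (not code from any poster): per-guess odds for a single unique secret versus a public username plus a password of the same combined length, with a small simulation to check the formula. It assumes every secret is uniformly random, usernames are public, and illustrative lengths of 5 (username) and 10 (password); the alphabet size 72 and the 1,000,000-user figure are taken from the posts above.

```python
from fractions import Fraction
from itertools import product
import random

ALPHABET_SIZE = 72  # character count used in the thread's 72^14 vs 72^15 comparison


def odds_password_only(secret_len, users, alphabet=ALPHABET_SIZE):
    """Chance that one blind guess logs in as ANY account when the only
    credential is a unique random secret of secret_len characters."""
    return Fraction(users, alphabet ** secret_len)


def odds_username_and_password(password_len, alphabet=ALPHABET_SIZE):
    """Chance that one guess is right when the username is already known
    (e.g. read from the public member list) and only the password is secret."""
    return Fraction(1, alphabet ** password_len)


def relative_odds(user_len, password_len, users, alphabet=ALPHABET_SIZE):
    """Password-only odds divided by username+password odds, with the single
    secret as long as username and password combined. <1 favours password-only."""
    single = odds_password_only(user_len + password_len, users, alphabet)
    return single / odds_username_and_password(password_len, alphabet)


def expected_guesses(space, valid):
    """Mean number of distinct guesses before the first of `valid` secrets is
    hit when `space` candidates are tried in random order: (space+1)/(valid+1)."""
    return Fraction(space + 1, valid + 1)


def simulate(symbols, secret_len, users, trials=20000, seed=1):
    """Check expected_guesses() on a toy space small enough to enumerate."""
    rng = random.Random(seed)
    space = ["".join(t) for t in product(symbols, repeat=secret_len)]
    total = 0
    for _ in range(trials):
        valid = set(rng.sample(space, users))   # constructed accounts
        order = rng.sample(space, len(space))   # random guessing order
        total += next(i for i, g in enumerate(order, 1) if g in valid)
    return total / trials


if __name__ == "__main__":
    # 5-char usernames, 10-char passwords, versus one 15-char secret.
    print("1,000,000 users:", float(relative_odds(5, 10, 1_000_000)))
    print("namespace full :", relative_odds(5, 10, ALPHABET_SIZE ** 5))
    print("toy model      :", simulate("abcd", 3, 7), "vs", float(expected_guesses(64, 7)))
```

The ratio reaches 1 only when every possible 5-character username is taken, which matches the conclusion in the post above; the uniform-random assumption does not cover user-chosen passwords, the case raised earlier in the thread about trying a list of common passwords.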


  • Posts: 3,226 ✭✭✭ [Deleted User]


    KeithM89 wrote: »
    Well i hope no one else is using 'password' as their password....

    Damnit...

