

Ask HN: Why aren't usernames encrypted? - tvladeck

It seems to me that password cracking strategies should actually happen the other way. I.e., the attacker should in most cases be trying to crack a <i>username</i>, not a password.<p>Assuming for a moment that an attacker simply wants to compromise as many accounts as possible -- without caring to compromise a <i>particular</i> account -- that it would be easier to:<p>-start with a list of common passwords, and<p>-try them in succession on a list of usernames<p>It seems that this should be a more attractive strategy than trying to take a username and then guess at a password, because most of the security around passwords is not applied to usernames.<p>If this is possible, then it seems to me that usernames should be encrypted as well. Why aren't they?
======
DigitalSea
It would just been unnecessary overhead to be honest. Remember everything that
is encrypted needs to be decrypted and depending on the complexity of the
encryption algorithm being used, it could end up causing more problems than it
would likely solve. I often forget my usernames for various services so being
able to be sent my username without having to reset my password or anything is
very helpful.

A properly built web application should throttle dictionary attacks out-of-
the-box and safeguard against these kinds of common username and common
password list attacks which are very inefficient. Plus, if the attack is
originating via a login form you're not really protecting anyone because the
username and password are being sent as plaintext to the server and would be
encrypted anyway. Throttling and banning rapid login attempts is the only way
to efficiently go in this instance.

The only benefit I could see is if someone were to gain access to your
database and dump out all of the rows of your users table, then encrypted
usernames might make sense (but still not in a way) because you'd most likely
have identifiable unencrypted information still in the database like names,
locations and email addresses. If you were to encrypt everything, you're
crazy.

You would then run into problems if you were running a forum for example and
wanted to show the usernames of users online or the username of someone who
authored a thread. Think about it, you'd be decrypting that username and then
caching it somewhere in plaintext anyway (unless you fancy straight-up
repeated database calls for the same information over and over again).

------
professorTuring
Basically, you don't cypher the usernames because it is useless.

Think about usernames: most of them are short, concise, common and even
_public_. It will take no time to decypher with a tailored dictionary attack.

So, at the end, if you cypher the usernames you are adding complexity to a
system adding none or very little extra security.

Worthless effort.

------
rrrhys
The support overhead of users not seeing 'who' they are may not be worth the
extra security.

~~~
tvladeck
Hmmm... but you could always reset your username by email, right? You could
also use a separate unique identifier for support purposes, but not use it for
authentication.

~~~
rrrhys
I consider username/email to be pretty synonymous, don't you think?

------
runjake
Because aside from practicality issues, rainbow tables.

