Ask HN: Security of a username/pw combo vs a username of the same length - byjess

Which is more secure?

For example, if my dual string login is username "joebob" and my password is "helloworld", is this more secure than a single string login where my input is simply "joebobhelloworld"?
======
selectnull
Those two things are not the same thing at all. For example, let's say I want
to create a new account in your application and you ask me to enter u/p. I enter
the string that is already used by another user, so I should choose another
one. Except, now I can login with another person's u/p combo.

I don't see any reason why you should do a single string login.

~~~
byjess
Good point

------
andrewcooke
secure against what attack? in general, a single (longer) username is less
secure:

it's less secure against someone looking over your shoulder and seeing your
username displayed on the screen.

it's less secure against someone watching you log in and reading the username
displayed as plaintext in the login interface.

it's less secure if the username is stored unencrypted (if the password is
encrypted) and someone gains access to the database.

however, it is _more_ secure if all information is encrypted (and someone
gains access to the database).

the last point may be unintuitive, since the "amount of information" is the
same, but k^n + k^m < k^(n+m) (for reasonable values of k, n and m).

(if k is the number of bits per character, and n is the number of characters
in a word, then k^n is proportional to the cost of guessing - it's easier to
guess two halves of something than to guess the whole) (think of hangman - the
game would be no fun at all if you had to guess whole words; being able to
guess letters - word fragments - makes it much easier)

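A worked version of the k^n + k^m versus k^(n+m) comparison above, as an added example that is not part of the thread. The toy alphabet, username and password are constructed, k is taken as the number of possible characters per position, and the "two fields" attacker model assumes the login reveals whether the username exists separately from whether the password is right.

```python
import itertools

# Constructed toy parameters: k = 3 symbols, n = 2 char username, m = 3 char password.
ALPHABET = "abc"
USERNAME = "ba"
PASSWORD = "cab"


def search_space(k: int, n: int, m: int) -> tuple[int, int, int]:
    """Worst-case guess counts for three situations:
    - username public, only the m-char password secret:      k^m
    - both fields secret but checkable independently:        k^n + k^m
    - one combined secret string of length n+m, checked whole: k^(n+m)
    """
    return k ** m, k ** n + k ** m, k ** (n + m)


def _guesses_until(alphabet: str, secret: str) -> int:
    """Count brute-force guesses, in lexicographic order, until `secret` is hit."""
    for count, cand in enumerate(itertools.product(alphabet, repeat=len(secret)), start=1):
        if "".join(cand) == secret:
            return count
    raise ValueError("secret not over the given alphabet")


def guesses_two_fields(alphabet: str, username: str, password: str) -> int:
    """Hangman-style attacker: the service answers 'no such user' distinctly from
    'wrong password', so each half is confirmed on its own and the costs add."""
    return _guesses_until(alphabet, username) + _guesses_until(alphabet, password)


def guesses_single_string(alphabet: str, secret: str) -> int:
    """Whole-string attacker: only the full concatenation is ever confirmed, so
    nothing is learned about either half until the entire string is right."""
    return _guesses_until(alphabet, secret)


def demo() -> dict:
    k, n, m = len(ALPHABET), len(USERNAME), len(PASSWORD)
    pw_only, two_worst, one_worst = search_space(k, n, m)
    return {
        "worst_password_only": pw_only,            # 27
        "worst_two_fields": two_worst,             # 36
        "worst_single_string": one_worst,          # 243
        "actual_two_fields": guesses_two_fields(ALPHABET, USERNAME, PASSWORD),     # 24
        "actual_single_string": guesses_single_string(ALPHABET, USERNAME + PASSWORD),  # 101
    }
```

The cheap additive path exists only when the login lets an attacker confirm the username on its own, which is why login error messages should not distinguish an unknown username from a wrong password.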
~~~
byjess
Thanks, so it would be more secure against brute force attempts. Also, if it
were encrypted and typed as dots, it would be more secure in general.

------
japhyr
I don't see why you'd want to do this. You want to keep the username in plain
text for many reasons, and hash the password for security reasons. If you put
them together you either keep it in plain text and lose security, or hash it
properly and lose the ability to display usernames in your site.

------
byjess
I guess the biggest problem is that a long pass phrase would tend to
logical phrases like 'willyoumarrymeedward', whereas usernames and passwords
rarely form a logical phrase. So guessing at valid passphrases would be easier
to do.
