

Ask HN: Why are usernames not secured like passwords? - buzzlightyear

So we often hear about data breaches, but why are we not encrypting usernames and email addresses alongside passwords? Is this just because it will require too much computing power and slow down login processes?
I just think that a secure login means a secure username along with a secure password?
======
ljoshua
In a secure environment, your password will be hashed (not encrypted), meaning
there's only one way that the information can flow--toward the hash. This is
secure because it allows for matching against the hash without actually
knowing the original password.

However, usernames have to be displayed, shared, searched, etc. It could in
theory be possible to encrypt this, but with the requirement that it be two
way (so as to allow display), it is more trouble than it is worth, with
minimal security gained. Most security researchers would probably also point
out that if you are able to get to a point where you are dumping a database of
user credentials and emails, you are probably also going to be able to
retrieve the encryption key, rendering all of that encryption moot.

------
lmm
If you don't need an insecure thing, why bother with a username at all? Just
have a secure password with appropriate requirements.

I've done similar things and it makes life hard. People need a way to refer to
specific accounts, to talk about them, to troubleshoot. And for most sites
your username is a public identifier, a way for other people to talk about
you.

But look at the way AWS credentials work. They're generated for you by the
system, and no-one refers to someone else's login. But they still, very
deliberately, split your AWS key into a public part and a secret part. Because
it's very useful to have a public identity for a credential.

------
topherTopher
Often the usernames and email addresses ARE secured, in that all the data at
rest is encrypted. But passwords are additionally hashed so that even people
with access to the data don't know what your password is.

------
iSloth
Usernames are an identity or alias that is typically public and matching over
a number of services; to increase security you should look at two factor
authentication, and not crudely obscuring the username.

------
chrisxcross
Writing an email to
b63954c01ec5069d16b5bfc0cd7c2684317c195c63470ddc8826928beb21909b will get
hard...
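
Added example, not part of the thread: a Python sketch of the distinction the comments above draw, where a password stored as a salted one-way hash can still be matched at login, while an email stored the same way can be matched but no longer displayed or written to. The record layout, function names and sample account are assumptions made for illustration; scrypt and SHA-256 are choices of this example, not something the commenters specified.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters for this example (about 16 MiB of memory).
SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)


def hash_password(password, salt=None):
    """One-way: derive a salted scrypt hash; the password itself is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.scrypt(password.encode(), salt=salt, **SCRYPT)


def verify_password(password, salt, stored):
    """Re-derive from the candidate and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)


def email_digest(email):
    """What treating an email 'like a password' would leave in the database."""
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


def build_record(username, email, password):
    """Hypothetical user row: public username, digest-only email, hashed password."""
    salt, pw_hash = hash_password(password)
    return {"username": username, "email_sha256": email_digest(email),
            "salt": salt, "pw_hash": pw_hash}


def login(record, username, password):
    """The username is a plain lookup key; only the password check is secret-based."""
    return record["username"] == username and verify_password(
        password, record["salt"], record["pw_hash"])


def matches_email(record, email):
    """Matching still works on a digest; recovering the address does not."""
    return hmac.compare_digest(record["email_sha256"], email_digest(email))


if __name__ == "__main__":
    # Constructed sample account.
    rec = build_record("alice", "alice@example.com", "correct horse battery staple")
    print("login ok:", login(rec, "alice", "correct horse battery staple"))
    print("email match:", matches_email(rec, "Alice@Example.com"))
    print("address to send mail to:", rec["email_sha256"])  # a digest, not an address
```
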

