
You could use a username too, right? Because <unique username> + <any password> should be unique.



Not really. A username of 8 characters and a password of 8 characters ensures no more entropy than a password of 16 characters and not bothering with a username.

It might even provide less, given that the user is more likely to share their username with others than they are to share half their password.


How about a long-ish memorable phrase and password, encrypted with scrypt? Hit the output with base64 and use the first N characters of the, possibly hashed, result (haven't tried it, so I'm not sure what stage of the output would be most memorable). The results should be about as easy to remember as a routing number + bank account, which is something my friends and I all do.


I meant that you can enforce uniqueness for usernames more easily than for passwords.


Not quite. Say user "fortunate_sonar" uses "arkansas" for a password, and "fortunate_son" uses "kansas" as a password. You can use a delimiter to reduce the chances of that happening, but it's not strictly unique.


Well, if you use a delimiter which you forbid in usernames and passwords it should be okay, no?


You mixed the passwords up.
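Added example, not part of any comment in this thread: the concatenation collision discussed above, using the thread's usernames with the passwords swapped, next to a forbidden-delimiter join and a length-prefixed encoding that needs no forbidden characters. The delimiter choice, the scrypt salt and cost parameters, and all function names are assumptions made for the illustration.

```python
import hashlib
import struct

DELIM = "\x1f"  # assumed delimiter (ASCII unit separator), rejected in both fields

def naive(username: str, password: str) -> bytes:
    """Plain concatenation: the field boundary is lost."""
    return (username + password).encode("utf-8")

def delimited(username: str, password: str, delim: str = DELIM, enforce: bool = True) -> bytes:
    """Join with a delimiter; unambiguous only if the delimiter is forbidden in both fields."""
    if enforce and (delim in username or delim in password):
        raise ValueError("delimiter not allowed in username or password")
    return (username + delim + password).encode("utf-8")

def length_prefixed(username: str, password: str) -> bytes:
    """Prefix each field with its byte length; no characters need to be forbidden."""
    out = b""
    for field in (username, password):
        raw = field.encode("utf-8")
        out += struct.pack(">I", len(raw)) + raw
    return out

def derive(encoded: bytes) -> str:
    """Stretch the encoded pair with scrypt. Salt and cost parameters are assumed values."""
    return hashlib.scrypt(encoded, salt=b"example-app-v1", n=2**14, r=8, p=1, dklen=32).hex()

# Constructed sample pairs: the thread's usernames with the passwords swapped.
A = ("fortunate_son", "arkansas")
B = ("fortunate_sonar", "kansas")

def collisions() -> dict:
    """Report which encodings map the two different credential pairs to the same bytes."""
    return {
        "naive": naive(*A) == naive(*B),
        "delimited": delimited(*A) == delimited(*B),
        "length_prefixed": length_prefixed(*A) == length_prefixed(*B),
        # Delimiter allowed inside the fields: "a:" + "b" vs "a" + ":b"
        "delimiter_unenforced": delimited("a:", "b", ":", False) == delimited("a", ":b", ":", False),
    }

if __name__ == "__main__":
    print(collisions())
    # Identical input bytes give identical derived output, whatever the KDF.
    print(derive(naive(*A)) == derive(naive(*B)))
```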



