Page 2 of 3
Re: email vs username for login
Posted: Thu Sep 02, 2010 5:39 am
by Weirdan
tim and mordred: guys, you're missing the point of username / login / user id. It's not used for authentication per se. Instead, it's a part of claim-prove protocol. Consider the situation:
Chuck Norris comes to a party and faces a bouncer:
Chuck: Hello, I'm Chuck Norris. I'm on the list - let me in.
Bouncer: Prove it.
Chuck: *delivers roundhouse kick to the bouncer's face*
Bouncer: Ok, you may enter.
The point is: anyone can claim he's Chuck. Delivering a proper kick is a bit harder.
If you want the proof to be harder - just use longer passwords. 40 character password + public username is more secure than 10 character password and 10 character secret username.
Re: email vs username for login
Posted: Thu Sep 02, 2010 6:04 am
by Mordred
Oh, a long password is indubitably what's better for a person.
It's not what happens in the real world though. What happens in the real world is that it's filled with idiots, at least 1% (up to 2% IIRC) of which use their username as a password as well. That's the threat we're trying to mitigate here.
Wanna bet how many of the 128734 users here do? I predict 1500 at least.
Re: email vs username for login
Posted: Thu Sep 02, 2010 6:31 am
by Weirdan
Mordred wrote:What happens in the real world is that it's filled with idiots, at least 1% (up to 2% IIRC) of which use their username as a password as well. That's the threat we're trying to mitigate here.
That won't help, they will happily set all 3 fields (username, display name and password) to the same value.
Re: email vs username for login
Posted: Thu Sep 02, 2010 7:57 am
by social_experiment
In the claim-prove situation, wouldn't 2 unknowns be more effective, assuming that in both instances (email as username & non-email as username) the user has chosen to go with a 40 character password?
If the idea of proving identity in an online situation is to be more difficult, both parts used for login have to be secret, or at least known by as few individuals as possible. Displaying usernames (consciously or involuntarily) is definitely a problem that needs to be addressed, if not by current internet applications, at least by those developers looking to create applications for the future.
Re: email vs username for login
Posted: Thu Sep 02, 2010 10:49 am
by timWebUK
Weirdan wrote:Mordred wrote:What happens in the real world is that it's filled with idiots, at least 1% (up to 2% IIRC) of which use their username as a password as well. That's the threat we're trying to mitigate here.
That won't help, they will happily set all 3 fields (username, display name and password) to the same value.
But seeing as we are discussing this issue from a developer perspective, there is no reason why we cannot enforce 3 unique (to one another) values.
Re: email vs username for login
Posted: Tue Sep 07, 2010 6:16 am
by Mordred
Weirdan wrote:That won't help, they will happily set all 3 fields (username, display name and password) to the same value.
Oh, you are right. This invalidates my argument.
timWebUK wrote:But seeing as we are discussing this issue from a developer perspective, there is no reason why we cannot enforce 3 unique (to one another) values.
This was my initial answer as well, but then I realized that we can simply force the same thing on the username and password in the first place.
-----
A side note to the other participants in the discussion:
The only point in splitting the secret in two parts, username and password, is to be able to safely check for uniqueness, without revealing the whole secret to the checker. As an additional bonus, people (sometimes) use the unique part as a display name. Other than that there are no "two unknowns" or "two factors" or anything like that. It's one secret, split into two so we can enforce uniqueness in a part of it without revealing it to an outside person (i.e. a new user trying to register to the site ... with a password of "password")
Re: email vs username for login
Posted: Sun Sep 12, 2010 6:07 am
by kaisellgren
I'm leaning towards Weirdan. Fundamentally, the username or the email or whatever being used is just there to identify a particular user -- not to authenticate. The password is the one that authenticates the person. I prefer email + password, SSN + password or client certificates in some cases. I never allow the password to be the same as the email though, and I always display a password strength meter which is more or less correct, but at least reminds the user to choose a strong password -- if he cares about his account. I think it just makes the situation more complicated if the user has to choose a lot of different secret values, none of which can be known by others... and ultimately it goes like this: an email with x-bits of strength and a password with y-bits of strength both secret to others is as strong as public email and a password with x+y -bits of strength.
Re: email vs username for login
Posted: Mon Sep 13, 2010 3:07 am
by timWebUK
kaisellgren wrote:...and ultimately it goes like this: an email with x-bits of strength and a password with y-bits of strength both secret to others is as strong as public email and a password with x+y -bits of strength.
But then you could quite easily say a secret username with x bits of strength and a password y+z. It really is of no difficulty to the user to provide a username, password AND display name - and have the developer enforce each one as unique and there is no denying it does add an extra layer of security, whether a username's main intention is for identification and not authentication.
Re: email vs username for login
Posted: Mon Sep 13, 2010 9:32 am
by social_experiment
kaisellgren wrote:and ultimately it goes like this: an email with x-bits of strength and a password with y-bits of strength both secret to others is as strong as public email and a password with x+y -bits of strength
I disagree with this point. If strength is measured by the amount of time & resources spent trying to crack an account, wouldn't it be a logical conclusion to say two unknowns (albeit part of one secret) would require more time & resources to crack?
kaisellgren wrote:Fundamentally, the username or the email or whatever being used is just there to identify a particular user -- not to authenticate.
If this is true, wouldn't it be a fair assumption to say that the username, as it is used in the normal (standard it seems) login setup, could be completely left out? The name used to identify the user (to others on a forum for example) would be entered during the registration process and then has no effect on the security of the account. This would contradict my statement above but if the username is already known (and serves no purpose for authentication) why not leave it out of the process.
Re: email vs username for login
Posted: Mon Sep 13, 2010 9:43 am
by Weirdan
social_experiment wrote:
I disagree with this point. If strength is measured by the amount of time & resources is spent trying to crack an account wouldn't it be a logical conclusion to say two unknowns (albeit part of one secret) would require more time & resources to crack?
It doesn't matter how many chunks you split the secret into as long as their total length is the same.
social_experiment wrote:
If this is true, wouldn't it be a fair assumption to say that the username, as it is used in the normal (standard it seems) login setup, could be completely left away?
No. In the Chuck Norris scenario (described previously in this thread) if he didn't say he was Chuck the bouncer would have no way to know him from, say, Bruce Lee.
Re: email vs username for login
Posted: Mon Sep 13, 2010 10:03 am
by timWebUK
The total length may be the same whether the username is known or not. But by decreasing the amount of known characters to the attacker, it automatically increases the amount of time required to crack.
For example (assuming the two accounts below have the same credentials, the only difference is the username is unknown):
Username: timwebuk
Password: Unknown length string with a worst-case scenario character set: mixed case alphanumeric + symbols
vs
Display Name: mr_chuck_norris
Username: Unknown length string with a worst-case scenario character set: mixed case alphanumeric + symbols
Password: Unknown length string with a worst-case scenario character set: mixed case alphanumeric + symbols
Clearly one will take less time and resource despite having the same length secret. The first attack will need to crack a shorter secret as it already has 'half'.
Also, what you're saying is pretty much the equivalent of saying that someone's password being MyP4s5W0Rd123, where we only have the first 5 characters 'MyP4s', will take just as long to crack as if we didn't have any of the characters.
Re: email vs username for login
Posted: Mon Sep 13, 2010 10:58 am
by Weirdan
You've missed the crucial point, reiterated both by Mordred and Kai: unknown username of length x + unknown password of length y is certainly more secure than known username of length x + unknown password of length y. But it's less secure than known username of length y + unknown password of length x+y, for the obvious reason of username required to be unique.
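The two points argued back and forth above (Mordred's "one secret split in two so uniqueness can be checked", Weirdan's "a secret username of length x plus a password of length y is weaker than a public username plus a password of length x+y because the username must be unique", and the "username as password" threat that started the exchange) can be put into a small worked example. The Python below is an added illustration, not code from this forum or any of the posters; the character set, the hypothetical registration site and the sample accounts are all constructed here. It counts attacker guesses for the three schemes, shows how a uniqueness check ("name already taken") lets the attacker recover a "secret" username on its own, and ends with a registration check that refuses a password equal to, or built from, the username, display name or e-mail.

```python
"""Added example (not from the thread): cost of attacking a secret username
versus a longer password, and a registration check for the username-as-
password case. All names, accounts and the site object are constructed."""
import itertools
import string

# Constructed "worst case" character set from the thread: mixed-case
# alphanumerics plus symbols (70 characters).
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*"


def search_space(length: int, charset_size: int = len(CHARSET)) -> int:
    """Number of strings of exactly `length` characters over the charset."""
    return charset_size ** length


def attack_cost(username_len: int, password_len: int,
                username_public: bool, existence_oracle: bool) -> int:
    """Worst-case number of guesses to recover one account's credentials.

    username_public  : the attacker already knows the username.
    existence_oracle : the site tells the attacker whether a username exists
                       (a "name already taken" reply at registration, or
                       distinct "no such user" / "wrong password" errors at
                       login). Enforcing unique usernames needs such a reply.
    """
    pw = search_space(password_len)
    if username_public:
        return pw
    un = search_space(username_len)
    # With an oracle the username is recovered first and the password after:
    # the costs add. Without one the pair must be guessed jointly: they multiply.
    return un + pw if existence_oracle else un * pw


def compare_schemes(x: int, y: int) -> dict:
    """The three schemes discussed in the thread, x and y in characters."""
    return {
        "public username, password of x+y":
            attack_cost(0, x + y, username_public=True, existence_oracle=True),
        "secret username x, password y, no oracle":
            attack_cost(x, y, username_public=False, existence_oracle=False),
        "secret username x, password y, uniqueness oracle":
            attack_cost(x, y, username_public=False, existence_oracle=True),
    }


class HypotheticalSite:
    """Stand-in for a registration form that enforces unique usernames."""

    def __init__(self, usernames):
        self._taken = set(usernames)
        self.queries = 0

    def username_available(self, name: str) -> bool:
        self.queries += 1          # every check is one query the attacker gets for free
        return name not in self._taken


def enumerate_usernames(site: HypotheticalSite, length: int, charset: str) -> list:
    """Recover every 'secret' username of the given length via the uniqueness check."""
    found = []
    for chars in itertools.product(charset, repeat=length):
        name = "".join(chars)
        if not site.username_available(name):
            found.append(name)
    return found


def _normalise(value: str) -> str:
    """Case-fold and drop non-alphanumerics so 'Kai.Sellgren' ~ 'kaisellgren'."""
    return "".join(ch for ch in value.casefold() if ch.isalnum())


def validate_registration(username: str, display_name: str,
                          email: str, password: str) -> list:
    """Return the list of problems with a registration; empty means accepted.

    Rejects a password equal to, containing, or contained in any of the other
    fields, which covers the "username as password" case from the thread.
    The 12-character minimum is an assumption of this example.
    """
    pw = _normalise(password)
    if not pw:
        return ["password is empty"]
    problems = []
    if len(password) < 12:
        problems.append("password is shorter than 12 characters")
    candidates = {
        "username": username,
        "display name": display_name,
        "email": email,
        "email local part": email.split("@", 1)[0],
    }
    for label, value in candidates.items():
        v = _normalise(value)
        if v == pw or (len(v) >= 3 and (v in pw or pw in v)):
            problems.append(f"password must not contain or equal the {label}")
    return problems


if __name__ == "__main__":
    for scheme, cost in compare_schemes(4, 8).items():
        print(f"{scheme:52s} {cost:.3e} guesses")
    site = HypotheticalSite(["q7", "Zz"])           # constructed sample accounts
    print(enumerate_usernames(site, 2, CHARSET), "recovered after", site.queries, "queries")
    print(validate_registration("alice", "Alice", "alice@example.com", "alice"))
    print(validate_registration("alice", "Alice", "alice@example.com", "correct-horse-battery"))
```

Run as a script it prints the guess counts side by side: the public-username scheme and the no-oracle secret-username scheme cost exactly the same (70^12), while the uniqueness oracle collapses the secret-username scheme to 70^4 + 70^8. The enumeration step shows where that oracle comes from: two hidden two-character usernames fall out after 4900 availability checks, with no password guessed at all.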
Re: email vs username for login
Posted: Mon Sep 13, 2010 11:27 am
by kaisellgren
social_experiment wrote:The name used to identify the user (to others on a forum for example) would be entered during the registration process and then has no effect on the security of the account.
Are you serious? Use a name to identify a person? That partly works offline because human beings use other identification schemes like face recognition and voice recognition in addition to calling others' names. Online, however, using names to identify is futile.
social_experiment wrote:This would contradict my statement above but if the username is already known (and serves no purpose for authentication) why not leave it out of the process.
You need a way to identify the particular user. Identification, authentication and authorization are all different things. Leaving out a username / id / email means we can no longer identify the person unless there is something else to it.
Re: email vs username for login
Posted: Mon Sep 13, 2010 12:54 pm
by social_experiment
Weirdan wrote:No. In the Chuck Norris scenario (described previously in this thread) if he didn't say he was Chuck the bouncer would have no way to know him from, say, Bruce Lee.
Since the name (Chuck Norris) is widely known, what if Bruce Lee did the perfect round-house kick? According to the example, he would then enter because he met the two requirements : a name and a round-house kick.
timWebUK wrote:The total length maybe the same whether the username is known or not. But by decreasing the amount of known characters to the attacker, automatically increases the amount of time required to crack.
Exactly my point
Weirdan wrote:It doesn't matter how many chunks you split the secret into as long as their total length is the same.
I get the point you are making about the length of the password & username combination but I would rather have my account protected by 2 unknown values than having one value (username) be public domain.
kaisellgren wrote:Are you serious? Use a name to identify a person? That partly works offline because human beings use other identification schemes like face recognization and voice recognization in addition to calling others' names. In online, however, using names to identify is futile.
We all identify each other by our 'names' here on the forum? I'm not referring to a name as a first name used in real life instances but to an identifying value that is not your username. So if you registered for a forum you would have username = 'kaisellgren', password = 'whateverthatmaybe' and screenname (or name if you will) = 'kai'. That way when you post, people see that 'Kai' has made the post but they have no idea that your username is 'kaisellgren'.
I might have the incorrect understanding of identification, authorization and authentication so I'll explain what I understand under each of the terms:
Identification: identify user to others via a screen-name, in a setup like a forum,
Authentication: check whether a user is the owner of the account they are trying to access, and
Authorization: grant said user certain privileges after they have been authorized. Correct or not?
Re: email vs username for login
Posted: Mon Sep 13, 2010 2:28 pm
by MichaelR
A number of times I've gone back to a site I haven't visited in a while and have forgotten what username I used. I don't tend to forget my email address. So I'd go for email address simply because it's one less thing for the user to remember.
It could also allow for multiple usernames, if your site allowed such things. Plus, there's almost no chance of you typing in your email address and finding it's already in use -- and finding the same thing happens a few times -- except if someone else mistyped their address.
As for those saying usernames might be more secure than email addresses: if your password is able to be guessed (or forced) then it's too easy. So change it, and it won't be a problem. And anyway, if it's easy enough for a password to be forced then it'll be easy enough for a username (or email address) to be forced.