social_experiment wrote: That way when you post, people see that 'Kai' has made the post but they have no idea that your username is 'kaisellgren'.
Yeah, it's something that happens in a lot of places. I am not saying that it is bad -- I am saying that this is not downright more secure than using, say, an email and a password. I'm very happy to let you all know my username. I can also tell that I use it everywhere as is. It's being used by this forum and other websites to identify a particular row in the database -- and the password, which is what makes my account secure, proves my identity.
social_experiment wrote: Identification: Identify user to others via a screen-name, in a setup like a forum,
I'm sure that it can be called identification, but I was talking in technical terms -- system-wise. The username is there to let the application know who you are. And the password lets the application decide whether you have successfully been identified as the one. For example, if you log in with a user id and a password, the id maps to a particular database row. That's its job. The password, on the other hand, proves if you are the "row".
The more secure you wish your account to be, the stronger your password has to be. The strength of your account increases linearly as much as the strength of your password, but if you use your username as part of it, then it's a complex mix of both -- and therefore it's hard to estimate the overall strength of your account and to decide whether you have placed enough strength in it. In both cases, you can achieve the same level of strength, but in the case of secret usernames, we violate the KIS(S) principle in addition. Therefore, I can't agree with usernames and passwords being more secure than, say, emails and passwords. After all, the most important factor is the user -- he is what makes his account either secure or insecure, but in the battle between usernames + passwords and emails + passwords, I will never agree that the former is inherently more secure.
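The split described in the post above (the username selects a database row, the password proves ownership of that row), sketched as an added example that is not part of the original thread. The in-memory store, the PBKDF2 parameters, the function names and the sample password are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor, chosen for the example


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive the stored verifier; all of the account's secrecy lives here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_row(display_name: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"display_name": display_name, "salt": salt,
            "pw_hash": hash_password(password, salt)}


# Constructed sample store. The key is the login name: a public lookup key,
# not a secret. The screen name shown on posts is just another column.
USERS = {"kaisellgren": make_row("Kai", "correct horse battery staple")}

# Throwaway row so an unknown username costs the same work as a known one.
_DUMMY = make_row("", os.urandom(16).hex())


def login(username: str, password: str):
    """Return the display name on success, None on any failure."""
    row = USERS.get(username)              # identification: which row?
    candidate = row if row is not None else _DUMMY
    computed = hash_password(password, candidate["salt"])
    # authentication: does the caller hold the secret bound to that row?
    ok = hmac.compare_digest(computed, candidate["pw_hash"])
    if row is None or not ok:
        return None                        # same answer for either failure
    return row["display_name"]


if __name__ == "__main__":
    print(login("kaisellgren", "correct horse battery staple"))  # Kai
    print(login("kaisellgren", "guess"))                          # None
    print(login("nobody", "correct horse battery staple"))        # None
```

Knowing the username only gets a caller as far as the row lookup; the outcome of `login` depends entirely on the password check.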