Page 3 of 3
Re: email vs username for login
Posted: Tue Sep 14, 2010 3:20 am
by timWebUK
Weirdan wrote: But it's less secure than known username of length y + unknown password of length x+y
I don't understand, you're going to have to explain what 'unknown password of length x + y' is.
Because whatever x+y is, the whole account is going to be more secure if the username is unknown.
Known user + password (x+y)
vs
Unknown user + password (x+y)
I fail to see how you can't understand the benefits.
Re: email vs username for login
Posted: Tue Sep 14, 2010 1:14 pm
by kaisellgren
social_experiment wrote: That way when you post, people see that 'Kai' has made the post but they have no idea that your username is 'kaisellgren'.
Yeah, it's something that happens in a lot of places. I am not saying that it is bad -- I am saying that this is not downright more secure than using, say, an email and a password. I'm very happy to let you all know my username. I can also tell you that I use it everywhere as is. It's used by this forum and other websites to identify a particular row in the database -- and the password, which is what makes my account secure, proves my identity.
social_experiment wrote: Identification : Identify user to others via a screen-name, in a setup like a forum,
I'm sure that it can be called identification, but I was talking in technical terms -- system-wise. The username is there to let the application know who you are. And the password lets the application decide whether you have successfully been identified as the one. For example, if you log in with a user id and a password, the id maps to a particular database row. That's its job. The password, on the other hand, proves whether you are the "row".
The more secure you wish your account to be, the stronger your password has to be. The strength of your account increases linearly with the strength of your password, but if you use your username as part of it, then it's a complex mix of both -- and therefore it's hard to estimate the overall strength of your account and to decide whether you have placed enough strength in it. In both cases, you can achieve the same level of strength, but in the case of secret usernames, we violate the KIS(S) principle in addition. Therefore, I can't agree that usernames and passwords are more secure than, say, emails and passwords. After all, the most important factor is the user -- he is what makes his account either secure or insecure, but in the battle between usernames + passwords and emails + passwords, I will never agree that the former is inherently more secure.
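The "complex mix" argument above can be made concrete by counting the bits an attacker has to guess under each scheme. This is an added example, not code from the thread: it assumes symbols are chosen uniformly, uses the thread's x and y as the password and username lengths, and treats a username that is displayed publicly (as on a forum) as contributing zero secret bits.

```python
import math


def search_space_bits(length: int, charset_size: int) -> float:
    """Bits an attacker must guess for a uniformly chosen secret of
    `length` symbols drawn from an alphabet of `charset_size` symbols."""
    if length <= 0 or charset_size <= 1:
        return 0.0
    return length * math.log2(charset_size)


def scheme_bits(username_len: int, username_charset: int, username_secret: bool,
                password_len: int, password_charset: int) -> float:
    """Total unknown bits in a (username, password) pair.

    A public username (shown next to posts, or an email address) adds
    nothing; only a genuinely secret username adds its own search space."""
    total = search_space_bits(password_len, password_charset)
    if username_secret:
        total += search_space_bits(username_len, username_charset)
    return total


def compare_schemes(x: int, y: int, username_charset: int = 36,
                    password_charset: int = 94) -> dict:
    """Compare the two schemes debated in the thread for the same typed length x+y.

    Assumed (constructed) alphabets: usernames from 36 symbols (lowercase
    letters and digits, as most sites enforce), passwords from 94 printable
    ASCII symbols. Both are parameters so other assumptions can be tried."""
    known_user = scheme_bits(y, username_charset, False, x + y, password_charset)
    secret_user = scheme_bits(y, username_charset, True, x, password_charset)
    # A "secret" username that is displayed on every post is a known username.
    leaked_user = scheme_bits(y, username_charset, False, x, password_charset)
    return {
        "known_user_bits": round(known_user, 2),
        "secret_user_bits": round(secret_user, 2),
        "displayed_user_bits": round(leaked_user, 2),
        "difference_bits": round(known_user - secret_user, 9),
    }


if __name__ == "__main__":
    # Same total length, equal alphabets: the two schemes are identical in strength.
    print(compare_schemes(8, 8, 94, 94))
    # Realistic username alphabet: moving 8 symbols into the username loses bits.
    print(compare_schemes(8, 8))
```

With equal alphabets the difference is exactly zero; with the restricted username alphabet the known-username scheme comes out ahead, and once the username is shown publicly the secret-username scheme keeps only its password bits.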
Re: email vs username for login
Posted: Tue Sep 14, 2010 5:29 pm
by social_experiment
@ Kai : Everything you say makes perfect sense, I don't dispute it one bit. Thanks for clearing up the identification term.
The weakest link in the whole security chain probably is the end-user who writes down passwords, picks easily guessable passwords and does the unthinkable by doubling a username up as a password. Until they make a smarter user, developers will be burdened with this and other aspects of security.
I found the following passage in a book about php under the chapter of security that summarizes my opinion about this topic and it reads as follows :
...minimizing the information available to hackers makes getting in much harder for them.
Re: email vs username for login
Posted: Thu Sep 16, 2010 4:08 am
by jarofgreen
Exactly, the weakest point is the user.
Another thing is that the harder security is the more users will tend to write things down. I once saw an office where they needed to share calendars but central IT security wouldn't let them. So they printed up a nice sheet with everyone's password on and gave everyone a copy.
It's not as simple as x bits of information > y bits of information, therefore it is better! Above a certain point your users are going to get annoyed and start conspiring to actively make your security worse.
(Sorry if this point has already been made, I've only been skimming the discussion at times ...)
Re: email vs username for login
Posted: Sat Sep 18, 2010 12:49 pm
by jarofgreen
I'm actually really interested in this topic, I just think the debate needs to acknowledge both that users are the weak point here and that all security is a balance between "secure" and "useful" (The most secure webserver is one turned off, after all). The focus should be on designing a useful system that encourages users to be secure.
For instance, username may be theoretically better than password, but if that means a large portion of your users can never remember their username, always have to go through a forgotten-username procedure, and eventually get annoyed and leave, is it better?
Maybe there is no right answer and it always depends on the situation ...
Re: email vs username for login
Posted: Mon Sep 20, 2010 8:40 am
by social_experiment
jarofgreen wrote: I just think the debate needs to acknowledge both that users are the weak point here and that all security is a balance between "secure" and "useful" (The most secure webserver is one turned off, after all).
If the application requires a commonly known value (such as an email address) to log you in, the problem is more towards the application and less to the side of the end-user. Even if person Z chose a secure password, having a known value as the 'login'-username format (an email address) renders the password only half as effective imho.
Re: email vs username for login
Posted: Fri Sep 24, 2010 12:59 pm
by jarofgreen
Yes, email is certainly less secure than username. But what about the point that MichaelR and I made that people can and do forget usernames but not email addresses - basically that email addresses are more user-friendly? Do you think there is a balance between security and ease of use?
Re: email vs username for login
Posted: Fri Sep 24, 2010 1:30 pm
by VladSun
jarofgreen wrote: Do you think there is a balance between security and ease of use?
No.

"ease" of use and "security" cannot be used in one sentence

Re: email vs username for login
Posted: Sat Sep 25, 2010 3:05 am
by social_experiment
jarofgreen wrote: Yes, email is certainly less secure than username. But what about the point that MichaelR and I made that people can and do forget usernames but not email addresses - basically that email addresses are more user-friendly?
The email address per se is not less secure; the problem I see is the fact that every user uses their email address (as a username). Thus: the application assumes 'All my users are going to forget their usernames (at some point), so I will just make it convenient and easy for them to log in'. This creates a pattern that any person can attempt to exploit. Instead, what the application should do is the following: offer the option of a username (and here 'ease of use' comes into play) that is chosen by the user. Now you can use your email address for a username if you really think you won't remember it. Yes, there is still the possibility of attack (there always is) but the pattern is less obvious.
And if you really think that you will forget your username and password, write it down on a piece of paper (non-digital), put it in a safe or somewhere secure. This way, even if you forget it after continuous use, it is available to you in a secure non-digital place.
jarofgreen wrote: Do you think there is a balance between security and ease of use?
As things stand now, the balance is tipped towards ease of use but as VladSun said, you can't use those two words in the same sentence. The average user doesn't want to worry about security so they just stay oblivious about it, hoping no-one will attack their account. Of course, this scenario doesn't offer much leeway because the username is 'pre-defined' in a sense, but even with this apparent problem, a large percentage of average users will still go for an easily guessable password and an 'It-won't-happen-to-me' attitude.