email vs username for login

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.


Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: email vs username for login

Post by Weirdan »

tim and mordred: guys, you're missing the point of username / login / user id. It's not used for authentication per se. Instead, it's a part of claim-prove protocol. Consider the situation:
Chuck Norris comes to a party and faces a bouncer:
Chuck: Hello, I'm Chuck Norris. I'm on the list - let me in.
Bouncer: Prove it.
Chuck: *delivers roundhouse kick to the bouncer's face*
Bouncer: Ok, you may enter.

The point is: anyone can claim he's Chuck. Delivering a proper kick is a bit harder :)

If you want the proof to be harder, just use longer passwords. A 40-character password + public username is more secure than a 10-character password and a 10-character secret username.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: email vs username for login

Post by Mordred »

Oh, a long password is indubitably what's better for a person.
It's not what happens in the real world though. What happens in the real world is that it's filled with idiots, at least 1% (up to 2% IIRC) of which use their username as a password as well. That's the threat we're trying to mitigate here.

Wanna bet how many of the 128734 users here do? I predict 1500 at least.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: email vs username for login

Post by Weirdan »

Mordred wrote:What happens in the real world is that it's filled with idiots, at least 1% (up to 2% IIRC) of which use their username as a password as well. That's the threat we're trying to mitigate here.
That won't help, they will happily set all 3 fields (username, display name and password) to the same value.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: email vs username for login

Post by social_experiment »

In the claim-prove situation, wouldn't 2 unknowns be more effective, assuming that in both instances (email as username & non-email as username) the user has chosen to go with a 40-character password?

If the idea of proving identity in an online situation is to be more difficult, both parts used for login have to be secret, or at least known by as few individuals as possible. Displaying usernames (consciously or involuntarily) is definitely a problem that needs to be addressed, if not by current internet applications, at least by those developers looking to create applications for the future.
“Don’t worry if it doesn’t work right. If everything did, you’d be out of a job.” - Mosher’s Law of Software Engineering
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: email vs username for login

Post by timWebUK »

Weirdan wrote:
Mordred wrote:What happens in the real world is that it's filled with idiots, at least 1% (up to 2% IIRC) of which use their username as a password as well. That's the threat we're trying to mitigate here.
That won't help, they will happily set all 3 fields (username, display name and password) to the same value.
But seeing as we are discussing this issue from a developer perspective, there is no reason why we cannot enforce 3 unique (to one another) values.
Mordred
DevNet Resident
Posts: 1579
Joined: Sun Sep 03, 2006 5:19 am
Location: Sofia, Bulgaria

Re: email vs username for login

Post by Mordred »

Weirdan wrote:That won't help, they will happily set all 3 fields (username, display name and password) to the same value.
Oh, you are right. This invalidates my argument.
timWebUK wrote:But seeing as we are discussing this issue from a developer perspective, there is no reason why we cannot enforce 3 unique (to one another) values.
This was my initial answer as well, but then I realized that we can simply force the same thing on the username and password in the first place.

-----

A side note to the other participants in the discussion:

The only point in splitting the secret into two parts, username and password, is to be able to safely check for uniqueness without revealing the whole secret to the checker. As an additional bonus, people (sometimes) use the unique part as a display name. Other than that there are no "two unknowns" or "two factors" or anything like that. It's one secret, split into two so we can enforce uniqueness in a part of it without revealing it to an outside person (i.e. a new user trying to register on the site ... with a password of "password")
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: email vs username for login

Post by kaisellgren »

I'm leaning towards Weirdan. Fundamentally, the username or the email or whatever being used is just there to identify a particular user -- not to authenticate. The password is the one that authenticates the person. I prefer email + password, SSN + password or client certificates in some cases. I never allow the password to be the same as the email though, and I always display a password strength meter which is more or less correct, but at least reminds the user to choose a strong password -- if he cares about his account. I think it just makes the situation more complicated if the user has to choose a lot of different secret values, none of which can be known by others... and ultimately it goes like this: an email with x bits of strength and a password with y bits of strength, both secret to others, is as strong as a public email and a password with x+y bits of strength.
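As an added example (not code posted in this thread), a registration check in Python that enforces what timWebUK, Mordred and kaisellgren describe: the password may not be the username, display name or e-mail, and the public identifiers may not duplicate each other. The minimum length and the 4-character containment threshold are assumed policy values.

```python
import unicodedata

MIN_PASSWORD_LENGTH = 12  # assumed policy value, not something the thread specifies


def normalize(value: str) -> str:
    """Unicode-normalize, trim and case-fold so that 'Kai ' and 'kai' compare equal."""
    return unicodedata.normalize("NFKC", value).strip().casefold()


def registration_problems(username: str, display_name: str,
                          email: str, password: str) -> list[str]:
    """Return the policy violations in a registration form; an empty list means OK.

    The password may not equal any public identifier (username, display name,
    e-mail address, e-mail local part) and, for identifiers of 4+ characters,
    may not contain one; the public identifiers may not duplicate each other.
    """
    problems = []
    pw = normalize(password)
    identifiers = {
        "username": normalize(username),
        "display name": normalize(display_name),
        "e-mail": normalize(email),
        "e-mail local part": normalize(email).split("@", 1)[0],
    }
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    for label, value in identifiers.items():
        if not value:
            continue  # an empty field cannot be reused as the password
        if pw == value:
            problems.append(f"password identical to the {label}")
        elif len(value) >= 4 and value in pw:
            problems.append(f"password contains the {label}")
    if identifiers["username"] == identifiers["display name"]:
        problems.append("username and display name are identical")
    if identifiers["username"] == identifiers["e-mail"]:
        problems.append("username and e-mail are identical")
    return problems
```

Run it on the form values before the uniqueness query so a rejected form never reaches the database.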
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: email vs username for login

Post by timWebUK »

kaisellgren wrote:...and ultimately it goes like this: an email with x-bits of strength and a password with y-bits of strength both secret to others is as strong as public email and a password with x+y -bits of strength.
But then you could quite easily say a secret username with x bits of strength and a password with y+z. It really is of no difficulty to the user to provide a username, password AND display name, and have the developer enforce each one as unique, and there is no denying it does add an extra layer of security, whether or not a username's main intention is identification and not authentication.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: email vs username for login

Post by social_experiment »

kaisellgren wrote:and ultimately it goes like this: an email with x-bits of strength and a password with y-bits of strength both secret to others is as strong as public email and a password with x+y -bits of strength
I disagree with this point. If strength is measured by the amount of time & resources spent trying to crack an account, wouldn't it be a logical conclusion to say two unknowns (albeit part of one secret) would require more time & resources to crack?
kaisellgren wrote:Fundamentally, the username or the email or whatever being used is just there to identify a particular user -- not to authenticate.
If this is true, wouldn't it be a fair assumption to say that the username, as it is used in the normal (standard, it seems) login setup, could be completely left out? The name used to identify the user (to others on a forum, for example) would be entered during the registration process and then has no effect on the security of the account. This would contradict my statement above, but if the username is already known (and serves no purpose for authentication), why not leave it out of the process?
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: email vs username for login

Post by Weirdan »

social_experiment wrote: I disagree with this point. If strength is measured by the amount of time & resources spent trying to crack an account, wouldn't it be a logical conclusion to say two unknowns (albeit part of one secret) would require more time & resources to crack?
It doesn't matter how many chunks you split the secret into as long as their total length is the same.
social_experiment wrote: If this is true, wouldn't it be a fair assumption to say that the username, as it is used in the normal (standard, it seems) login setup, could be completely left out?
No. In the Chuck Norris scenario (described previously in this thread) if he didn't say he was Chuck the bouncer would have no way to know him from, say, Bruce Lee.
timWebUK
Forum Contributor
Posts: 239
Joined: Thu Oct 29, 2009 6:48 am
Location: UK

Re: email vs username for login

Post by timWebUK »

The total length may be the same whether the username is known or not. But decreasing the number of characters known to the attacker automatically increases the amount of time required to crack.

For example (assuming the two accounts below have the same credentials, the only difference is the username is unknown):

Username: timwebuk
Password: Unknown-length string with a worst-case scenario character set: mixed-case alphanumeric + symbols

vs

Display Name: mr_chuck_norris
Username: Unknown-length string with a worst-case scenario character set: mixed-case alphanumeric + symbols
Password: Unknown-length string with a worst-case scenario character set: mixed-case alphanumeric + symbols

Clearly one will take less time and resources despite having the same length of secret. The first attack will need to crack a shorter secret as it already has 'half'.

Also, what you're saying is pretty much the equivalent of saying that if someone's password is MyP4s5W0Rd123 and we only have the first 5 characters 'MyP4s', it will take just as long to crack as if we didn't have any of the characters.
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: email vs username for login

Post by Weirdan »

You've missed the crucial point, reiterated both by Mordred and Kai: an unknown username of length x + an unknown password of length y is certainly more secure than a known username of length x + an unknown password of length y. But it's less secure than a known username of length y + an unknown password of length x+y, for the obvious reason that the username is required to be unique.
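An added illustration of the point Weirdan makes here (and of timWebUK's cost argument above); it is not code from the thread. With a constructed two-letter alphabet it compares the guess count for one secret checked as a whole (public username) against a secret username plus password on a site that, because usernames must be unique, has to answer "taken / free" at registration. ToySite, its account and the alphabet are all constructed for the example.

```python
import itertools
import math


def bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def guesses_public_username(alphabet_size: int, pw_len: int) -> int:
    """Public username, one secret of pw_len characters: the whole secret is searched."""
    return alphabet_size ** pw_len


def guesses_secret_username(alphabet_size: int, user_len: int, pw_len: int) -> int:
    """Secret username plus password on a site that must keep usernames unique and
    so answers 'taken / free' at registration: each half is searched on its own,
    so the costs add instead of multiplying."""
    return alphabet_size ** user_len + alphabet_size ** pw_len


class ToySite:
    """Constructed in-memory site exposing the two checks any real site has."""
    def __init__(self, accounts: dict[str, str]):
        self._accounts = accounts  # username -> password, constructed sample data
        self.uniqueness_checks = 0
        self.login_attempts = 0

    def username_taken(self, name: str) -> bool:
        self.uniqueness_checks += 1
        return name in self._accounts

    def login(self, name: str, password: str) -> bool:
        self.login_attempts += 1
        return self._accounts.get(name) == password


def work_to_recover(site: ToySite, alphabet: str, user_len: int, pw_len: int) -> int:
    """Exhaust the split secret on the toy site and return the server round-trips
    it took, so the number can be compared with guesses_secret_username()."""
    names = ("".join(t) for t in itertools.product(alphabet, repeat=user_len))
    found = next((n for n in names if site.username_taken(n)), None)
    if found is not None:
        for t in itertools.product(alphabet, repeat=pw_len):
            if site.login(found, "".join(t)):
                break
    return site.uniqueness_checks + site.login_attempts


if __name__ == "__main__":
    site = ToySite({"bbb": "bba"})  # constructed account over the alphabet "ab"
    print(work_to_recover(site, "ab", 3, 3), "round-trips; bounds:",
          guesses_secret_username(2, 3, 3), "split vs", guesses_public_username(2, 6), "joined")
```

The measured round-trips stay within the split bound (2^3 + 2^3 = 16), while the same twelve bits of secret checked as one string would need up to 2^6 = 64 guesses; the uniqueness reply is what lets the halves be searched separately.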
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: email vs username for login

Post by kaisellgren »

social_experiment wrote:The name used to identify the user (to others on a forum for example) would be entered during the registration process and then has no effect on the security of the account.
Are you serious? Use a name to identify a person? That partly works offline because human beings use other identification schemes like face recognition and voice recognition in addition to calling others' names. Online, however, using names to identify is futile.
social_experiment wrote:This would contradict my statement above but if the username is already known (and serves no purpose for authentication) why not leave it out of the process.
You need a way to identify the particular user. Identification, authentication and authorization are all different things. Leaving out the username / id / email means we can no longer identify the person unless there is something else to it.
social_experiment
DevNet Master
Posts: 2793
Joined: Sun Feb 15, 2009 11:08 am
Location: .za

Re: email vs username for login

Post by social_experiment »

Weirdan wrote:No. In the Chuck Norris scenario (described previously in this thread) if he didn't say he was Chuck the bouncer would have no way to know him from, say, Bruce Lee.
Since the name (Chuck Norris) is widely known, what if Bruce Lee did the perfect roundhouse kick? According to the example, he would then enter because he met the two requirements: a name and a roundhouse kick.
timWebUK wrote: The total length may be the same whether the username is known or not. But decreasing the number of characters known to the attacker automatically increases the amount of time required to crack.
Exactly my point ;)
Weirdan wrote:It doesn't matter how many chunks you split the secret into as long as their total length is the same.
I get the point you are making about the length of the password & username combination, but I would rather have my account protected by 2 unknown values than have one value (username) be public domain.
kaisellgren wrote: Are you serious? Use a name to identify a person? That partly works offline because human beings use other identification schemes like face recognition and voice recognition in addition to calling others' names. Online, however, using names to identify is futile.
We all identify each other by our 'names' here on the forum? I'm not referring to a name as the first name used in real life, but to an identifying value that is not your username. So if you registered for a forum you would have username = 'kaisellgren', password = 'whateverthatmaybe' and screenname (or name if you will) = 'kai'. That way when you post, people see that 'Kai' has made the post, but they have no idea that your username is 'kaisellgren'.

I might have an incorrect understanding of identification, authorization and authentication, so I'll explain what I understand under each of the terms: Identification: identify the user to others via a screen name, in a setup like a forum; Authentication: check whether a user is the owner of the account they are trying to access; and Authorization: grant said user certain privileges after they have been authorized. Correct or not?
MichaelR
Forum Contributor
Posts: 148
Joined: Sat Jan 03, 2009 3:27 pm

Re: email vs username for login

Post by MichaelR »

A number of times I've gone back to a site I haven't visited in a while and have forgotten what username I used. I don't tend to forget my email address. So I'd go for email address simply because it's one less thing for the user to remember.

It could also allow for multiple usernames, if your site allowed such things. Plus, there's almost no chance of you typing in your email address and finding it's already in use -- and finding the same thing happens a few times -- except if someone else mistyped their address.

As for those saying usernames might be more secure than email addresses: if your password is able to be guessed (or forced) then it's too easy. So change it, and it won't be a problem. And anyway, if it's easy enough for a password to be forced then it'll be easy enough for a username (or email address) to be forced.