Usernames: why?


XTF


Why does IPB still use usernames? As username seems to be used just for logins, wouldn't it be easier to use email addresses for that?

You can set your community to use email addresses if you prefer. You can also set a user name to be different from a display name, which in turn can give extra security if a would-be attacker doesn't know the username for an account and doesn't have the option of using the email address (for whatever reason).


Why does IPB still use usernames? As username seems to be used just for logins, wouldn't it be easier to use email addresses for that?

I am sure like many other sites, IPB will soon switch to email only. It seems to be the common way of doing things now.

By using email only, it also encourages members to keep their email address up to date.


I would also guess it makes brute-force attacking of an account slightly more difficult too: as well as the password to figure out, if they are not aware of the email used to log in, that's something else they'd have to find out, as the display name / username would not be relevant in this case.


The security argument is nonsense, isn't it? You might just as well add the 'secret' username to your password instead.

You're looking at it from the wrong perspective. Let's say my login details are pass / word. Someone wants to hack my account. They see my display name is 'Wolfie' and so try every combination up to 10 letters long for the user ID of 'Wolfie'. Access denied because they're not even using the right user ID and as a result, will always be denied access to my account. Your argument, my user ID is 'Wolfie' and my password is 'password'. It's only 8 characters long. They try every combination up to 10 letters long and... oops, they got into my account.

What good is security if you do half the work for them? If they don't know the user ID, then they can't hack the password to it because it will always fail. Simple as that.



User name is for logins and a way to tell one person from another. I mean I don't want to call you XTF@domain.com but XTF.

He's talking about user names not display names. Two different creatures. :)


User name is for logins and a way to tell one person from another. I mean I don't want to call you XTF@domain.com but XTF.

I'd not like emails to be used instead of display / user names; apart from any spam concern, it does not seem very 'friendly' either. OK for corporate sites and collaboration software, I'd say, but probably not for a forum community generally...


You're looking at it from the wrong perspective. Let's say my login details are pass / word. Someone wants to hack my account. They see my display name is 'Wolfie' and so try every combination up to 10 letters long for the user ID of 'Wolfie'. Access denied because they're not even using the right user ID and as a result, will always be denied access to my account. Your argument, my user ID is 'Wolfie' and my password is 'password'. It's only 8 characters long. They try every combination up to 10 letters long and... oops, they got into my account.

What good is security if you do half the work for them? If they don't know the user ID, then they can't hack the password to it because it will always fail. Simple as that.

Security depends on total entropy, not on the number of fields.

They could as well be trying every combination of user/pass with total size <= 10 and they'd be finding your pass / word account too, wouldn't they? The effort would be equal.


I'd not like emails to be used instead of display / user names; apart from any spam concern, it does not seem very 'friendly' either. OK for corporate sites and collaboration software, I'd say, but probably not for a forum community generally...

Can't see that happening - although wouldn't mind usernames going for login and just having the display name for displaying against entries.


Security depends on total entropy, not on the number of fields.

They could as well be trying every combination of user/pass with total size <= 10 and they'd be finding your pass / word account too, wouldn't they? The effort would be equal.

That would require a great deal more time to accomplish and ignores a little bit of common sense. Which account are you going to try to hack, the one where you don't know either the ID or the password, or the one where you have at least one or the other? Some hackers may enjoy a challenge, but when you get down to it, if someone wants to hack into an account for the purpose of gaining access vs the thrill of accomplishment, they're going to go for the easy kill. Why spend years trying to hack into account 'A', if you could easily hack into account 'B' in just a few hours?

So using user IDs to increase security is a very legitimate point. If it wasn't valid, then why have account IDs at all? Why not just one long password, where the first part is the account ID and the rest is the password? Certainly that would increase the complexity of the password a great deal. Why not? Because among other reasons, two unknown variables is harder than one known and one unknown. If you don't believe me, then answer this math problem: x + y = 100. What is x and what is y? You know that they have to total 100, but without knowing one, you don't know the other. While it's not impossible to solve, it's not as easy as knowing x or y.


That would require a great deal more time to accomplish and ignores a little bit of common sense.

How much more time and why?

So using user IDs to increase security is a very legitimate point.

Got a reference for that? Display name defaults to user name, so user name can NOT be considered a secret.

If it wasn't valid, then why have account IDs at all?

Are you asking me to prove you're wrong instead of you proving you're right?

Why not just one long password, where the first part is the account ID and the rest is the password?

That'd make account recovery a bit hard. But in some systems a single password (without username) is indeed used, think WPA for example.

How much more time and why?

Think mathematics and exponential numbers. Which can you do faster, count from 100 to 999, or count from 1,000,000,000 to 9,999,999,999?

Got a reference for that? Display name defaults to user name, so user name can NOT be considered a secret.

Previous versions of IPB3 would let you choose a user ID in addition to a display name. So there are many accounts that have one name for signing in and another for display, and there's no easy way, under normal circumstances, of knowing what the user name is because of it. Prove me wrong on that.

Are you asking me to prove you're wrong instead of proving yourself you're right?

When I'm saying the planet isn't flat and you're telling me I'm wrong, then yes, I want you to prove that I'm wrong. Prove to me that you can access someone's account by randomly or even systematically guessing their user ID and password, without any assistance. By that I mean, no one can give you hints or tell you what either is. You have to do it on your own. You don't know if their user ID is four characters long or 12 characters long. That's just the user ID, not the password.

For a 10 character password, consisting of only letters of the same case (all upper or all lower), there are over 141,167,095,700,000 possible passwords. Being able to do 1 billion per second, it would take you over 1 day and 15 hours to try all of them. Imagine taking that amount of time on just 50 possible user names. Assuming at least one of them is right, it would take you up to 81.69 days to hack the account. Those are facts, not random numbers. My point about unknown user IDs adding to security is more than proven. If you still think I'm wrong, then show me proof.

That'd make account recovery a bit hard. But in some systems a single password (without username) is indeed used, think WPA for example.

How would it make recovery a bit hard? Account recovery and signing in are two different issues. You're assuming that one prevents the other when really it doesn't.


Display name defaults to user name, so user name can NOT be considered a secret.

Yes, it can, if you allow them to be different.

Having a log in name separate from the display name is definitely better, security wise, I'm not sure what the miscommunication is in trying to convince you of this.

If you wanted to brute force your way into my account and all you could see was my display name, you have almost no chance of getting logged in as me if I use a different login name. In order to login, you have to know my login name, and that is not exposed. It could be the same as my display name, but it doesn't have to be. The fact that you can make it be something else entirely means that in order for you to get into my account you have to try every possible login name and every possible password, exponentially increasing the amount of attempts you need to make to get in. Yes, separate login names are a bonus for security.


Think mathematics and exponential numbers. Which can you do faster, count from 100 to 999, or count from 1,000,000,000 to 9,999,999,999?

That's a vague answer, can't you come up with the exact math for both cases?

Previous versions of IPB3 would let you choose a user ID in addition to a display name. So there are many accounts that have one name for signing in and another for display, and there's no easy way, under normal circumstances, of knowing what the user name is because of it. Prove me wrong on that.

Is this about best-case or worst-case? Yes, best-case the user name is unknown and totally different. Worst-case, especially with recent versions, both are equal.

When I'm saying the planet isn't flat and you're telling me I'm wrong, then yes, I want you to prove that I'm wrong.

This is about security. If you can't prove a security scheme it's unlikely to be secure.

Prove to me that you can access someone's account by randomly or even systematically guessing their user ID and password, without any assistance. By that I mean, no one can give you hints or tell you what either is. You have to do it on your own. You don't know if their user ID is four characters long or 12 characters long. That's just the user ID, not the password.

For a 10 character password, consisting of only letters of the same case (all upper or all lower), there are over 141,167,095,700,000 possible passwords. Being able to do 1 billion per second, it would take you over 1 day and 15 hours to try all of them. Imagine taking that amount of time on just 50 possible user names. Assuming at least one of them is right, it would take you up to 81.69 days to hack the account. Those are facts, not random numbers. My point about unknown user IDs adding to security is more than proven. If you still think I'm wrong, then show me proof.

Weren't we talking about the user / pass account? You keep changing stories...
Yes, a password of size 10 with 26 different chars has 26^10 possibilities. What's your point? You've still not shown that using two fields is better than using one combined field.

How would it make recovery a bit hard? Account recovery and signing in are two different issues. You're assuming that one prevents the other when really it doesn't.

True, my bad. If passwords were guaranteed to be strong and unique using just the password would be fine. Unfortunately that can't be guaranteed.

Are the two of you really arguing that it's harder to crack "XTF|password" vs "XTF", "password"? Total length is the same and that's basically all that counts.

It's not all that counts. Dealing with one unknown is easier than dealing with two unknowns. I already demonstrated it and you have yet to disprove it. Combining the two into one while having a user ID known is easier than them being separate because there's no telling on two sides, not just one. Otherwise, as I pointed out before, why not just have the account ID and the password combined into one field? Heck, being required to type in the user ID and the password correctly in one field, with everything being *'d out would be much more secure, don't ya think? I mean, based on your argument that is.


That's a vague answer, can't you come up with the exact math for both cases?

You missed the point of my question. I was asking you something directly and I sincerely hope that it wasn't that difficult to understand.

Is this about best-case or worst-case? Yes, best-case the user name is unknown and totally different. Worst-case, especially with recent versions, both are equal.

No, both are more likely to be equal if the account was made after the change was put into effect on that site. But again, the user ID can still be changed.

This is about security. If you can't prove a security scheme it's unlikely to be secure.

That argument is flawed inside and out. If I present you with a challenge, telling you that something cannot be hacked and you tell me to prove it, then if I'm right, I could never prove it because it would take forever to successfully prove me wrong, yet since that would never happen, I would never be proven right. So no, I gave you mathematical calculations and time references (and this is assuming you could attack an account at a rate of 1 billion per second, which is in YOUR favor) and it shows that I'm right. If you want to tell me I'm wrong, then demonstrate the flaw in what I've said, instead of saying "user ID is useless, increasing the size of the password is better." Prove that the user ID can't provide an additional layer of security or admit you are mistaken. Heck, go ask security experts, then try to argue with them when they don't tell you what you want to hear.

Weren't we talking about the user / pass account? You keep changing stories...
Yes, a password of size 10 with 26 different chars has 26^10 possibilities. What's your point? You've still not shown that using two fields is better than using one combined field.

I didn't change the story at all. I think you're confusing yourself. You're saying that an unknown user ID doesn't improve security at all when in fact it does. I provided you with an example of that and, with all due respect, it must have gone way over your head.

True, my bad. If passwords were guaranteed to be strong and unique using just the password would be fine. Unfortunately that can't be guaranteed.

You're flopping around on a similar discussion but still not the same one.

Here is a summary of what you've said, in my words...

1. User IDs are useless and don't/can't improve security at all.

2. Merge the user ID with the password to make the password longer, because that is better than two fields.

3. If you merge user ID with the password then account recovery isn't possible.

4. I have no idea what I'm saying but I'm going to keep insisting that you're wrong.


Blah blah blah

Blah

Blah blah

If you want to tell me I'm wrong, then demonstrate the flaw in what I've said, instead of saying "user ID is useless, increasing the size of the password is better." Prove that the user ID can't provide an additional layer of security or admit you are mistaken.

Number of possible username (length: U) / password (length: P) combinations over an alphabet of size X: X^(U+P)
Number of possible passwords (length: U+P) over the same alphabet: X^(U+P)
...
In general the lengths aren't known, but this generalizes to unknown lengths.

Number of possible username (length: U) / password (length: P) combinations over an alphabet of size X: X^(U+P)
Number of possible passwords (length: U+P) over the same alphabet: X^(U+P)
...
In general the lengths aren't known, but this generalizes to unknown lengths.

You really don't grasp the concept do you?

Let's try this. Let's say that the combination of the user ID and the password spells out gooberville. Which part is the user ID and which part is the password? Let's set up a few boundaries. Each must have at least 3 characters, so at minimum, user ID would be 'goo' and at minimum password would be 'lle'. You get one guess, where did I split it? Think on it for a minute...

goo berville

goob erville

goobe rville

goober ville

gooberv ille

goobervi lle

That's six possibilities using the same 'password'. So yeah, I guess you're right, an unknown user ID must be less secure since a hacker would magically know where to split everything when trying to guess two unknowns versus one. And that's on the assumption that the user ID and the password spell out a word/phrase or somehow belong together other than by choice.


Bickering aside, I think it would make sense to use the users email to login and then have a totally different Display Name.

In this day and age, a username is just one more thing to remember/forget.

Which is what, I am guessing, will happen.

The current 'username' - will simply be the 'display name'.


That's six possibilities using the same 'password'. So yeah, I guess you're right, an unknown user ID must be less secure since a hacker would magically know where to split everything when trying to guess two unknowns versus one. And that's on the assumption that the user ID and the password spell out a word/phrase or somehow belong together other than by choice.

Ah, that's your problem. Use a separator when merging your username and password. Now the combination spells out goo|berville, goob|erville or whatever and we're back to the same strength as two separate fields.
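The counting that the last few posts argue over (X^(U+P) for two fields, the six ways to split 'gooberville' with a three-character minimum, and the separator fix) can be checked by brute enumeration rather than by assertion. The Python below is an added example written for this page; it is not code posted by any participant and has nothing to do with IPB's own login code. The 26-letter alphabet, 10-character password, 1 billion guesses per second and the 11-character / 3-character-minimum figures are taken from the posts above; the two-letter alphabet "ab", the total length 4 and the default minimum field length of 1 are small constants chosen here so every candidate can be listed, and all function names are mine.

```python
"""Count the login search space for the two attack models argued over in this thread.

Added example for this page, not code posted by any participant or shipped with IPB.
Constants from the posts: 26 lower-case letters, a 10-character password, 1e9 guesses
per second, an 11-character concatenation with a 3-character minimum per field.
Constants chosen here: alphabet "ab", total length 4, default minimum length 1.
"""
from itertools import product


def strings(alphabet, length):
    """Every string of exactly `length` characters over `alphabet`."""
    return ["".join(chars) for chars in product(alphabet, repeat=length)]


def admissible_splits(total_len, min_len):
    """Number of ways to cut a string of total_len into (username, password)
    when each part must be at least min_len characters long."""
    return max(0, total_len - 2 * min_len + 1)


def count_single_field(alphabet_size, total_len):
    """One secret of exactly total_len characters: X^N candidates."""
    return alphabet_size ** total_len


def count_two_fields(alphabet_size, total_len, min_len=1):
    """(username, password) pairs with len(u) + len(p) == total_len.

    For every admissible split there are X^total_len pairs, so an attacker who
    does not know where the split falls faces splits * X^total_len candidates."""
    return admissible_splits(total_len, min_len) * alphabet_size ** total_len


def enumerate_two_fields(alphabet, total_len, min_len=1):
    """List the same pairs explicitly, to check the closed form above."""
    pairs = []
    for u_len in range(min_len, total_len - min_len + 1):
        for username in strings(alphabet, u_len):
            for password in strings(alphabet, total_len - u_len):
                pairs.append((username, password))
    return pairs


def concatenated(pairs, sep=""):
    """Distinct strings produced by joining each pair as username + sep + password.

    With sep == "" several pairs collapse onto one string (the 'gooberville'
    ambiguity). With a separator outside the alphabet the join is one-to-one,
    so the number of distinct strings equals the number of pairs."""
    return {u + sep + p for u, p in pairs}


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Time to try every string of exactly `length` characters over the alphabet."""
    return alphabet_size ** length / guesses_per_second


if __name__ == "__main__":
    # Tiny alphabet so every candidate can be listed: "ab", total length 4.
    pairs = enumerate_two_fields("ab", 4)
    print("two fields, unknown split :", len(pairs), "==", count_two_fields(2, 4))
    print("one field, same total len :", len(concatenated(pairs)), "==", count_single_field(2, 4))
    print("one field with separator  :", len(concatenated(pairs, "|")))
    # The figures quoted in the thread: 26^10 passwords at 1e9 guesses per second.
    secs = seconds_to_exhaust(26, 10, 1e9)
    print("26^10 at 1e9/s: %.1f hours; times 50 usernames: %.2f days"
          % (secs / 3600, 50 * secs / 86400))
    print("splits of an 11-char string, 3-char minimum:", admissible_splits(11, 3))
```

Running it shows 48 (username, password) pairs for the two-letter alphabet at total length 4 against 16 plain strings of the same length, 48 again once a separator is joined in, 6 admissible splits for the 11-character example, and roughly 39.2 hours and 81.69 days for the two timing figures quoted in the thread.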

Ah, that's your problem. Use a separator when merging your username and password. Now the combination spells out goo|berville, goob|erville or whatever and we're back to the same strength as two separate fields.

No, it's not my problem, it's a winning point. Your problem is that you're adding in something that wasn't originally there. Where is the | coming from and why? You're adding in variables that didn't exist.

You still have yet to actually demonstrate that I am mistaken. You are dishing out mere words, which is easy to do. Put your words into action. If you say something is useless, then prove it instead of just claiming it. If I have a brick wall built up and you say it's useless and anyone can walk right through it, then go ahead, try to walk through it. It's not on me to prove it's secure, it's on you to prove that it's not. Why should I do your work for you when I know the end result? If I'm going to waste my time to fail at something, it will be at playing the lottery, not in trying to prove you right when you're not.


Archived

This topic is now archived and is closed to further replies.