For the purposes of security, is there any difference in having a 50 character randomly-generated secret username accompanied by a 50 character randomly-generated secret password, versus a 100 character randomly-generated secret username with no password?
Solutions:
The main disadvantage of a single “token” (or “username”) to authenticate is that in order to authenticate the user you have to do one of two things:
- Store the token in the database in a retrievable form such as plain text or encrypted. This means if the DB is compromised the attacker will know everyone’s token.
- Hash the token. If you do this it’s best to use unique salts per user, but in this case you can’t. You would have to use the same salt for every hash, which opens the door for rainbow table attacks.
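The two storage situations this answer contrasts, as an added Python example that is not part of the original post: a username-plus-password record, where the public username lets the verifier fetch a per-user salt before hashing, beside a single-secret record that can only be found by a deterministic hash of the secret itself. The function names and the in-memory dicts standing in for database tables are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets

# Scheme A: public username + secret password.
# The username is the lookup key, so each record can carry its own salt
# and two users with the same password get different stored hashes.
USERS = {}  # username -> (salt, hash); in-memory stand-in for a DB table (assumed)


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def register_user(username: str, password: str) -> None:
    salt = os.urandom(16)  # fresh per-user salt
    USERS[username] = (salt, _pw_hash(password, salt))


def verify_user(username: str, password: str) -> bool:
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, stored = rec  # salt is retrieved by username, then applied
    return hmac.compare_digest(stored, _pw_hash(password, salt))


# Scheme B: a single secret "token" and no public identifier.
# There is nothing to look the record up by except the token, so the
# stored key must be a deterministic hash of it: a per-user salt would
# need an index of its own, which is exactly what this scheme lacks.
TOKENS = {}  # sha256(token) -> account data; in-memory stand-in (assumed)


def issue_token() -> str:
    token = secrets.token_hex(50)  # 100 hex characters, generated server-side
    TOKENS[hashlib.sha256(token.encode()).digest()] = {"active": True}
    return token


def verify_token(token: str) -> bool:
    return hashlib.sha256(token.encode()).digest() in TOKENS
```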
I think it depends on how you define “username”.
Usually a username is something that is derived from the name of the user.
So it is guessable.
A username is often displayed in the application in some kind of user preferences view. So the username is visible.
Then a username is sometimes used to reset a password, and thus the username might be sent over the wire – maybe via SMTP. So the username can be fetched from the traffic.
Sometimes users need to communicate with each other – so the username becomes public data.
However, if you think of some kind of authorization token as a username, you could very well take a 100 characters long “string” to authenticate. But do not think of that as a “username”!
You’re combining two concepts, identity and authentication, into a single entity. You are then calling the result “username”. This name incorrectly implies to the reader that it’s only embodying identity, hiding the fact that it should be kept secret to secure the authentication aspect of it. Remember that identity is not normally something people keep a secret.
“Unguessability” is an important attribute of a secret used for authentication. But security doesn’t come only from having an unguessable secret. It also comes from people properly handling that secret. By calling it something it’s not, you risk confusing your users into treating this secret like they would their email address.
This is not a theoretical problem — it’s the foundation of all the problems with credit card theft the world suffers from today. Credit card numbers were always associated with identity, not authentication, but they serve both purposes making them valuable to thieves.
To avoid this problem, I would not call the 100 character string either a “username” or a “password”; instead, calling it a “token” might help people understand how to handle it.
The most important aspect to passwords is secrecy. If a username is completely secret from everyone but the user, then you don’t need a password. If a username is ever shared with anyone else, then you do.
Additionally, having a secret username would be a UX nightmare – people don’t expect usernames to be secret, and won’t treat them as such.
If by “username” you mean an auto-generated long account identifier not visible to other users, and where an email/username is not needed for account recovery, it can make sense. Examples would be Resilio/BitTorrent Sync “identities” or cryptocurrency private keys. For the purposes of this answer we’ll call this secret the “password,” not the “username.”
In fact if some service allows the public username to be used (along with a password) to authenticate, then it’s essentially already using just the one secret, the password, to authenticate.
If you have just one single password for authentication, what happens if a user attempts to use a password someone is already using? You can’t warn the user that “that password is already taken.” To avoid this scenario, the app itself would have to generate the long and unique password, and in turn this would most likely mandate the use of a password manager.
Another problem is account recovery — you may need the user to associate their email with their account anyway to allow the password to be reset. If this is the case you might as well use both a username and password to log in.