
For a reason I can't fathom, people seem to subscribe to the opinion that a secret username isn't more secure than a public one. I find this opinion completely ludicrous and would like to know why this dogma has continued for so long.

If an authentication system depends on a secret password to authenticate, wouldn't logic dictate that a secret username would be twice as secure?

My opinion is that, if a username is treated by both the user and authentication system as a password then, by definition, it IS a password; the first in a series of two.

What caused this confusion and frustration is a question I posted elsewhere. I asked if it were possible to separate an email user's address from the username during authentication. The logic being that if a hacker needed to brute the username along with the password for a targeted attack, it could take twice the effort to succeed.

What logic could you possibly provide to prove that a username is not a password if it is treated as such (aka a secret)?

This question concerns only this specific attack vector and not any other related ones like social engineering, system vulnerabilities, etc.

UPDATE: This question is not a duplicate of another question because it asks a completely different question: "would like to know why this dogma has continued for so long" in the first paragraph. The other questions are only included to provide support for the main one and to offer the Answer-er a vehicle for supporting their answer.

UPDATE: I get it: an authentication system that does not intend to keep a username secret (i.e. reveals whether a username is valid or not) is not more secure than a password of double length. My question targets an authentication system that DOES treat a username as a 1st password (i.e. does not reveal the validity of a username).

  • This is not a duplicate because it asks a completely different question. –  Apr 07 '19 at 21:55

1 Answer

If both the username and password are intended to be kept secret by the user and endpoint, there is no need to separate the two. There would be no difference compared to just logging in with an access key (no username, just a long password).

The reason we think a "secret username" does not add to security is because it is an oxymoron. A username, by definition, is a non-secret piece of information not intended to be kept secret.

Again, if the username was intended to be secret as well, then it would be no different than being a 2nd password, and having 2 passwords is no different than having 1 password if both are meant to be secret.

2 passwords is not more protective than just 1. Either you will be keeping both passwords secret via the same means (ie. the same password manager) or you will be splitting up your methods for keeping them secret (ie. password manager AND sticky note), in which case, you can achieve the same security by splitting up your single password into two parts and storing them as separate pieces.

d1str0

  • I agree but that's not the question I asked. I asked why this dogma of "a secret username is not more secure than a public one" has continued for so long. I already know that a secret username IS more secure and that's not up for debate. –  Apr 07 '19 at 21:54
  • Please delete your answer so that I may delete my question. –  Apr 07 '19 at 22:21
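Added example, written for this page and not part of the question or of d1str0's answer. It makes two points from the thread concrete: the question's update distinguishes a login that reveals whether a username exists from one that does not, and the answer argues that a secret username is just extra password length. The first pair of functions contrasts a leaky login (distinct "unknown user" message, and no hashing work on that path, so response time also differs) with a hardened one that returns a single generic message and always performs the same password-hash work. The last function puts the search-space argument in numbers: when username validity is revealed, an attacker can finish the two searches one after the other (additive); when it is not, the pair must be searched together (multiplicative), which is exactly the effort of one secret with the combined length. The user store, the salt handling and the bit counts are constructed assumptions for the example, not details from the page.

```python
import hashlib
import hmac
import os
import secrets

# PBKDF2 parameters are an assumption for the example; any slow password hash works.
_ITERATIONS = 100_000


def _hash(password: str, salt: bytes) -> bytes:
    """Derive a 32-byte password hash (deliberately slow)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


# Constructed user store: username -> (salt, stored hash). Not real credentials.
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

# Dummy row used for unknown usernames. The "hash" is random bytes, so no
# password can ever match it, but hashing against it costs the same time
# as a real lookup, which keeps the unknown-user path indistinguishable.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = secrets.token_bytes(32)


def login_leaky(username: str, password: str) -> str:
    """Reveals username validity: different message, and no hashing work,
    when the username does not exist. This is the behaviour the question's
    update calls 'does not intend to keep a username secret'."""
    if username not in USERS:
        return "unknown user"  # oracle: tells the caller the username is wrong
    salt, stored = USERS[username]
    if hmac.compare_digest(_hash(password, salt), stored):
        return "ok"
    return "bad password"


def login_hardened(username: str, password: str) -> str:
    """Treats the (username, password) pair as one secret: the same generic
    message and the same amount of hashing work on every failure path."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)  # always runs, even for unknown users
    if hmac.compare_digest(candidate, stored):
        return "ok"
    return "invalid credentials"


def worst_case_guesses(username_bits: int, password_bits: int,
                       reveals_username_validity: bool) -> int:
    """Worst-case number of login attempts for an online guessing attacker,
    assuming no rate limiting or lockout (an assumption of the model).

    If the system confirms valid usernames, the attacker can first find the
    username (up to 2**username_bits tries) and then the password
    (up to 2**password_bits tries): the costs add.
    If it does not, every (username, password) pair is a separate guess:
    the costs multiply, i.e. the pair behaves like one secret of
    username_bits + password_bits bits, which is d1str0's point.
    """
    if reveals_username_validity:
        return 2 ** username_bits + 2 ** password_bits
    return 2 ** (username_bits + password_bits)


if __name__ == "__main__":
    print(login_leaky("bob", "anything"))        # unknown user
    print(login_hardened("bob", "anything"))     # invalid credentials
    print(login_hardened("alice", "correct horse"))  # ok
    # Constructed sizes: a 20-bit-entropy username and a 40-bit-entropy password.
    print(worst_case_guesses(20, 40, True))      # 2**20 + 2**40
    print(worst_case_guesses(20, 40, False))     # 2**60
```

In practice the generic message alone is not enough: the dummy hash is what removes the timing difference between "no such user" and "wrong password", and account registration and password-reset pages need the same treatment or they become the enumeration oracle instead. The `worst_case_guesses` numbers also show why the thread's "twice the effort" intuition undersells the hidden-username case and oversells the revealed one.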