Why is your username AND password not hashed and salted?

-2

Since the common response to a username and/or password failure when logging in is ALWAYS "Your Username OR Password are incorrect", for increased security, why would systems not store the combination username AND password hashed? Nothing irks me more than not knowing which email I am using and having to try others, especially when there can be MAXIMUM limits on password lengths etc.

Glabella Streamline

Posted 2018-08-18T01:25:59.873

Reputation: 1

Question was closed 2018-08-18T17:01:42.000

Answers

1

For the same reason we don't keep our actual names secret: they are used to identify us, and are shareable by design.

The intention is to reduce the information a potential attacker may have by not sharing whether they are operating on an existing username. That said, systems which utilise "username or password is incorrect" style messages are typically still just as vulnerable as systems without them. Sign-up forms (and sometimes password reset forms) will tell you whether an account exists or not, so it is trivial to identify whether a username exists. As such, this approach can be more frustrating to legitimate users than it is impeding to attackers.

Also, imagine trying to find a friend on a platform if their plaintext username isn't stored: you would have to get the username correct character-for-character. Such a system would be horribly impractical. Having a secret username would be similar to having a second password, and there are much better ways of securing accounts than that.

VortixDev

Posted 2018-08-18T01:25:59.873

Reputation: 1 106
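An added illustration of both of the answer's points (this is example code, not the poster's or any real system's): a login that returns the same generic message whether the username or the password was wrong, doing a dummy KDF run for unknown usernames so that response time does not leak which half failed, next to a store where usernames themselves are salted and hashed, which turns every lookup into a full scan that re-hashes each row. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000

def kdf(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; used for both parts of the example."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, ITERATIONS)

# Constructed in-memory store: plaintext username -> (salt, password hash).
USERS: dict[str, tuple[bytes, bytes]] = {}

def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, kdf(password, salt))

# Random salt and digest that no password verifies against, so an unknown
# username costs exactly one KDF run, the same as a known one.
_DUMMY = (os.urandom(16), os.urandom(32))

GENERIC_FAILURE = "Your username or password is incorrect"

def login(username: str, password: str) -> str:
    """Generic-message login: the reply does not depend on which half failed."""
    salt, expected = USERS.get(username, _DUMMY)
    if hmac.compare_digest(kdf(password, salt), expected):
        return "Welcome"
    return GENERIC_FAILURE

# Second point of the answer: if usernames were stored as salted hashes,
# finding an account can no longer be a dictionary hit.
HASHED_USERS: list[tuple[bytes, bytes]] = []  # (salt, kdf(username, salt))

def register_hashed(username: str) -> None:
    salt = os.urandom(16)
    HASHED_USERS.append((salt, kdf(username, salt)))

def find_hashed(username: str) -> tuple[int, int]:
    """Return (row index or -1, KDF runs spent); every row must be re-hashed."""
    runs = 0
    for i, (salt, digest) in enumerate(HASHED_USERS):
        runs += 1
        if hmac.compare_digest(kdf(username, salt), digest):
            return i, runs
    return -1, runs
```

With three hashed usernames, looking up the last one or a missing one costs three KDF runs each, whereas the plaintext table answers the same question with one dictionary lookup.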