from Hacker News

Ask HN: Why are usernames not secured like passwords?

by buzzlightyear on 11/8/14, 11:48 AM with 5 comments

So we often hear about data breaches, but why are we not encrypting usernames and emails addresses alongside passwords? Is this just because it will require too much computing power and slow down login processes? I just think that a secure login, means a secure username along with a secure password??

  • by ljoshua on 11/8/14, 11:55 AM

    In a secure environment, your password will be hashed (not encrypted), meaning there's only one way that the information can flow--toward the hash. This is secure because it allows for matching against the hash without actually knowing the original password.

    However, usernames have to be displayed, shared, searched, etc. It could in theory be possible to encrypt this, but with the requirement that it be two way (so as to allow display), it is more trouble than it is worth, with minimal security gained. Most security researchers would probably also point out that if you are able to get to a point where you are dumping a database of user credentials and emails, you are probably also going to be able to retrieve the encryption key, rendering all of that encryption moot.

  • by lmm on 11/8/14, 11:58 AM

    If you don't need an insecure thing, why bother with a username at all? Just have a secure password with appropriate requirements.

    I've done similar things and it makes life hard. People need a way to refer to specific accounts, to talk about them, to troubleshoot. And for most sites your username is a public identifier, a way for other people to talk about you.

    But look at the way AWS credentials work. They're generated for you by the system, and no-one refers to someone else's login. But they still, very deliberately, split your AWS key into a public part and a secret part. Because it's very useful to have a public identity for a credential.

  • by topherTopher on 11/8/14, 1:50 PM

    Often the usernames and email addresses ARE secured, in that all the data at rest is encrypted. But passwords are additionally hashed so that even people with access to the data don't know what your password is.

  • by iSloth on 11/8/14, 4:50 PM

    Usernames are an identity or alias that is typically public and matching over a number of services; to increase security you should look at two factor authentication, and not crudely obscuring the username.

  • by chrisxcross on 11/8/14, 3:30 PM

    Wirting an email to b63954c01ec5069d16b5bfc0cd7c2684317c195c63470ddc8826928beb21909b will get hard...