why do you need a username and password

Let a server which only requires a password for opening a session; no username. Let's imagine that user 'Alice' has registered, with password 'ILoveBillClinton'. Now, a new user wants to register; let's call him Bob. Out of (bad) luck, Bob elects to use password 'ILoveBillClinton' too. Such collisions happen in practice; indeed, even if users choose passwords with 30 bits of entropy (an already optimistic figure), it suffices to have 30 thousands or so users to have a good chance of triggering such a collision (this is called the
). The server warns Bob about the collision. Bob then immediately learns that there is another user with the same password, and since the server does not require the username, just the password, Bob gains immediate access to Alice's account. The server does not warn Bob about the collision, but just ignores the registration. When Bob actually connects, he has the surprise of being greeted with a banner stating "Hello, Alice! ". Bob has gained immediate access to Alice's account. The server does not warn Bob about the collision, and replaces Alice's registration with Bob's registration. Bob has his own account, alright. But when Alice logs on again, she types her password, and is greeted with "Hello, Bob! ". Alice has gained immediate access to Bob's account. None of these methods is satisfying. The entry of the username would not be necessary if password collisions did not happen (or would happen only with negligible probability).


But as long as passwords are chosen by human minds and stored in human brains, collisions will happen, and a username (or user ID or any similar discriminant value) will be needed. Edit: as @mikeazo alludes to, if the passwords are not chosen by the user, but generated by the registration server, then the server can enforce uniqueness and avoid this problem. However, in practice, human users do not like machine-generated passwords. Also, lack of username prevents user-specific salting, which is a problem for password storage, as long as passwords are of sufficiently low entropy to be exhaustively scanned (see for details on how password should be hashed, including salting). This happens even if the passwords are server-chosen (with enforced uniqueness). Unless you can convince your users to remember long and random passwords which they did not choose. Updated for June 2017 (Originally posted April 2011):How much time do you spend choosing a username when you set up an app, join an online group or order something online? Maybe two seconds? If youвre like most of us, you probably just use an old standby and hop along with your day. Research shows, however, it would be wise to invest a few extra seconds в your username, also called a user ID, can act as a calling card to your real identity. Hereвs why usernames are important and five tips on what to do: Your usernames can be used to build an entire profile about you.


Then this information can be used for all kinds of purposes, from relatively benign ones like marketing campaigns to downright malicious ones like identity theft. One study was able to discover real-life identities 42% of the time by simply cross-referencing usernames. How? Techies are smart! And so are cybercriminals. Without much difficulty they can capture information from groups and websites you belong to, and even access your browser history. Often this data also leads to your social networking sites, which gives them pretty much everything else they need, including clues to your passwords. Social networks are also where a lot of social engineering starts because hacking people is easier for cybercriminals than hacking technology. Whatвs more, the same behavioral targeting and tracking software used by marketers to track which sites you visit and eventually buy from can also be used by cybercriminals. So, before you go around scattering traces of personal data here and there, take a little time to choose an appropriate username for new accounts, and consider logging onto existing accounts to update those usernames, too. Here are five stay-safe username tips: Donвt use the same username and password combination, especially on financial accounts Donвt choose a username that gives clues to your password, like a series of numbers/letters or the first part of a two-part phrase, such as knock-knock or starlight Do choose a username thatвs appropriate for the type of account, i. e. , business, social or personal Better yet, save time and use a username generator like jimpix or spinxo.


Then use a password manager like LastPass or Dashlane to generate strong passwords and store all of your account login info securely in an encrypted web vault. That way you donвt have to remember the username/password for each account and can login automatically в no typing! Leapfrog Services has been advising people and businesses about how to stay safe online and in IT ecosystems for 20 years. Weвve seen astonishing changes over time в the speed with which cybercriminals progress and evolve surpasses most tech usersв ability to keep up. Usernames are important because theyвre a piece of the ever-growing security puzzle. The best way to keep up is to be aware of what makes you and your business vulnerable so you can take steps that, at the very least, make you less vulnerable than your neighbor. While cybercriminals are greedy, they go for low-hanging fruit first! If your organization would like to know more about how todayвs cybersecurity threats could impact your unique company, please feel free to contact us frogs. If you liked this post, donвt forget to to FrogTalk, our monthly newsletter.

  • Views: 9

why does my apple id not work with icloud
why does mac mail keep asking for my yahoo password
why do you need a strong password
why is windows security asking for a username and password
why is my yahoo mail not working on my iphone
why does my iphone email say cannot connect to server
why do websites say my email is invalid