Fog Creek Software
Discussion Board




Why username and password?

After implementing dozens of login scripts, it suddenly struck me that I have no idea why there is both a username and a password. Why not just a password? After logging in, the user is identified by a user id, not the username, so that can't be the reason.

Is the username/password just a hangover from old systems that had a legitimate reason for both?

Anyone know?

RB
Thursday, November 13, 2003

What would happen if 2 users had the same password?

Matthew Lock
Thursday, November 13, 2003

Same thing that happens if 2 users have the same username/password combination .... oh, I get it.

D'Oh!

Thanks.

RB
Thursday, November 13, 2003

The other reason is all those common passwords, like 'password', 'fred', 'letmein', 'guess', etc, etc.

A hacker could just log on and try all of those common passwords and see which ones get lucky.

Ged Byrne
Thursday, November 13, 2003

Because if you have only a password, there's no possible way to recover your account if you forget your password.

Mr Jack
Thursday, November 13, 2003

And because it means you can have an easily identifiable userId, that can be public, without people being able to log in as you.

Mr Jack
Thursday, November 13, 2003

Exactly.

If you get "That username is taken" when you try to create an account, you haven't just discovered someone's complete login.

www.MarkTAW.com
Thursday, November 13, 2003

I think it's a great idea! Log in straight away with 'zbcvbvcbvcz' instead of 'jake132/zbcxzvcbbcz'.

User IDs are in many cases public, so if the password is 'password' a hacker's job would be just as easy anyway.

And to recover the password, just feed in the e-mail, it's required for most registrations anyway.

Alex
Thursday, November 13, 2003

I often thought of the eMail field on this forum as a sort of password. If someone else posted as www.MarkTAW.com I could dispute it by asking the folks at fog to check that person's given eMail address against mine.

Though the few of you who have emailed me and have received a response know it, so they'd have to go then to IP address if they log it, and then anyone with my ISP in my area would be in the same range...

In any case, we need a few things.

1. A unique string to log in with (i.e. username).

2. A way to prevent someone who happens to discover that unique string (as in my example above, "That username is already taken") from gaining access to the account.

The solution? The Password. It de-couples the Unique String from the identification process.

It's kind of like Credit Cards. I can generate a valid Credit Card number, but without the name and expiration date it's useless. I can also know the name of someone with a credit card, but without the Credit Card number, the name is useless.

In this case, the Credit Card number is the unique string - no two alike, if you stumble on a valid one, it's still useless, and the Name / Expiration date are the password - doesn't have to be unique, just has to be tied to the CC number.

www.MarkTAW.com
Thursday, November 13, 2003

Alex, a lot of sites use email/password instead of username/password.

Philo

Philo
Thursday, November 13, 2003

The IBM System/38 only used passwords, and yes, people would often use other people's user id by guessing words.

Bill
Thursday, November 13, 2003

I belong to a business organization that uses only a password to gain member access to their website. The password seems to be a random hash assigned by the admin. If you forget the password you use a link in which you enter your organization's email address, and it must match the email address on file in order to initiate a send of the password back to your email account.

The advantages I can see are a somewhat easier implementation on the server end (lookup one string versus two when someone logs in) and the opportunity to enforce "strong" passwords. The only disadvantage I can see is the lack of user customization to a preferred password.

Bored Bystander
Thursday, November 13, 2003

This reminds me of when CDNOW didn't require a unique user name.  I think they used "<first-name> <last-name>".  It was trivial to hack into a user account using something like "John Smith" with the password "cdnow". 

If you can enforce strong unique passwords of sufficient length, password only might work, though it's not very user friendly to require someone to type in a 60 character (or whatever) string of random characters.  Doing this with a password determined by the user would be insanity. 

SomeBody
Thursday, November 13, 2003

Having 2 variables also multiplies the search space of the 2nd variable, thanks to the existence of the first variable. This depends on you having enough population in the first variable to increase the space significantly.

Li-fan Chen
Thursday, November 13, 2003
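The two points made in the thread so far (a "taken" message under password-only login discloses a complete credential, and a username multiplies the search space), as an added example that is not part of any post. The class names, the `exposure` function and the sample users are hypothetical and constructed for illustration; the weak passwords are the ones named in the thread.

```python
import hashlib, hmac, os

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class PasswordOnly:  # the password is the identifier too, so it must be unique
    def __init__(self):
        self.salt = os.urandom(16)  # lookup is by hash, so one salt for all
        self.accounts = {}          # hash -> internal user id
    def register(self, user_id, password):
        h = kdf(password, self.salt)
        if h in self.accounts:
            return False            # "taken" hands the caller a working login
        self.accounts[h] = user_id
        return True
    def login(self, password):
        return self.accounts.get(kdf(password, self.salt))

class UsernamePassword:  # username is public and unique; password need not be
    def __init__(self):
        self.accounts = {}          # username -> (per-user salt, hash)
    def register(self, username, password):
        if username in self.accounts:
            return False            # "taken" reveals only the public half
        salt = os.urandom(16)
        self.accounts[username] = (salt, kdf(password, salt))
        return True
    def login(self, username, password):
        salt, h = self.accounts.get(username, (b"\0" * 16, b""))
        return username if hmac.compare_digest(h, kdf(password, salt)) else None

# Constructed sample population (not real accounts).
USERS = {"u1": "password", "u2": "letmein", "u3": "fred",
         "u4": "T7#qv9Lm2xPz", "u5": "c0rrect-h0rse-9"}
COMMON = ["password", "fred", "letmein", "guess"]

def exposure():
    po, up = PasswordOnly(), UsernamePassword()
    for name, pw in USERS.items():
        po.register(name, pw)
        up.register(name, pw)
    # Password-only: each submission is compared against every account at once.
    po_hits = {po.login(g) for g in COMMON} - {None}
    # Username+password: each submission is compared against one named account.
    up_hits = {u for u in USERS for g in COMMON if up.login(u, g)}
    return {"po_tries": len(COMMON), "po_hits": len(po_hits),
            "up_tries": len(USERS) * len(COMMON), "up_hits": len(up_hits),
            "dup_rejected": not po.register("u6", "fred"),
            "dup_allowed": up.register("u6", "fred")}
```

With the sample data, the same three weak accounts are reached in 4 submissions under password-only login and in 20 under username plus password, and the gap grows with the number of usernames, which is what makes per-account lockout and rate limiting workable.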

So should we have 3 variables?

son of parnas
Thursday, November 13, 2003

Name:
Quest:
Airspeed of Fully Laden Swallow:

Philo
Thursday, November 13, 2003

Is that an African Swallow or a European Swallow?

www.MarkTAW.com
Thursday, November 13, 2003

Long random passwords assigned by the system admin are great... if you only ever need to log in to one system.

In the Real World, people log into up to dozens of different systems a day... good luck remembering completely unique random passwords for each one.

Mister Fancypants
Thursday, November 13, 2003
