Are usernames superfluous?

  • Article

A friend just pointed me to an interesting blog post. The premise is that logon dialogs should not be asking for a username. Mostly the blog post points to why the username provides no value, not really expanding the argument that it is superfluous. Nevertheless, you have to love an article that recommends the use of pass phrases (in spite of the fact that they don't link to any of my articles on the topic)! The basic idea here is that passwords should be unique, and therefore the password is enough to identify you to the system.

I really like the fact that people are doing some creative thinking about authentication. We are taking far too much of what is being said about authentication at face value without nearly enough questioning and creative thought about what really works in the real world. Nevertheless, I do not think this idea will fly.

The first reason removing usernames is not going to work is simply because the authors fail to make a compelling case for why to remove them. They argue fairly succesfully that they provide no value. But, simply not providing value does not support the argument for removing them. For a proper dialectic argument, you need to argue FOR your position, not simply why something else is not worthwhile. There is statement as to a benefit to be had by removing usernames from the logon dialog. One of the arguments is that the username provides no security. That is correct, it does not. If people realized that maybe we could get rid of silly requirements like removing the last logged on username from the logon dialog. Is that enough to remove usernames from the logon process entirely though? I do not think so.

Further, the author argues that no two users should use the same password? Why not? What is wrong with this? In fact, there is a real serious reason why you should allow this, and that is the second reason this idea will not work. Think about it this way: let's say your logon dialog has only a password field in it. Now you go change your password and the system responds with "sorry, that password is already in use." OK, fair enough. Log off, type the password you tried to set, and you are now logged on as whichever user used that password. Instant attack, and the system even told you how to do it! Is it likely that users will use the same password as someone else? Yes, it is. I once cracked 23,311 passwords from a single system to learn more about them, how long it takes to crack them and what they were like (the results are presented in Protect Your Windows Network). In that set, I found that there were only 22,706 unique passwords. The remaining 2.6% were duplicates of some other password. In all, 3.9% of passwords were not unique. 8 passwords occurred more than 10 times, and one occurred 61 times! The risk of collisions is actually quite high. The chance of picking the same password as someone else is about one in 40. If you do a system-wide password reset, for instance, and have 1,000 users change their passwords all at the same time, it is a virtual certainty that at least one person would pick a password that is already in use. You only need 88 users to have a chance less than 10% that all the passwords would be unique. This alone should be enough to dismiss the entire argument.

Like I said, the fact that people think creatively about passwords and authentication is encouraging, and we need to keep doing so as an industry because the solutions we have today leave some things to be desired. People are very bad at passwords, although I do hope they can get better. Smart cards are expensive and do not work everywhere. Biometrics have their own set of problems with expensive hardware and lack of replaceability of the tokens. We need creative solutions that are simple to implement and use and do not cost a mint. Keep up the thinking!