Re: sequential number user name convention - security concern

Unruh wrote:
> A user name is "public". You must expect that anyone's username is
> known to any adversary.
One username known != all usernames known. There are many ways to
prevent brute force username attacks, like using 3 initials + a random 5
digit number. It is not really hard to remember 5 digits (you know your
initials); I was able to memorize it after 3 hours in my new job.
> There is no security in usernames. The security comes from the
> passwords. That is where you should be spending your time.
Two factor authentication is always stronger than one factor.
If you make your usernames so simple that a basic algorithm could follow
them, you get virtually one factor authentication. If for any reason a
password gets published, it is easy: let's say 1000 usernames, brute
force attack, quick job.
>> Is this vulnerability about the same as if we select a user name that
>> follows a standard user name convention such as jsmith or gwbush, or
>> is using sequential numbers as usernames more vulnerable?
I believe the latter is true. Take a social networking website as an
example. Assume you know of a vulnerability that allows you to access
every single user profile, whether you're connected or not, if you know
the user id in the database.
Sequential user ids - you get a copy of all profiles, including PII,
*very* quickly.
Unknown pattern - much longer, and you can always send an unknown-user
request to a very slow redirect. In the sequential case, the unknown might
be only the first and last id.
Sequential id case - real world example, it happened with some
classmates.com clone.
Wieslaw
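The sequential-id walk described above is easy to spot from the server side, which is the defender's counterpart to the point being made. The following is an added example, not code from this thread: it parses a few constructed access-log lines (the `/profile/<id>` path format and the client addresses are assumptions) and flags any client whose requested profile ids form a run of consecutive integers.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the original thread): one
# client views unrelated profiles, another walks profile ids in order.
SAMPLE_LOG = """\
198.51.100.7 GET /profile/4421 200
203.0.113.9 GET /profile/1000 200
203.0.113.9 GET /profile/1001 200
198.51.100.7 GET /profile/87 200
203.0.113.9 GET /profile/1002 200
203.0.113.9 GET /profile/1003 404
203.0.113.9 GET /profile/1004 200
203.0.113.9 GET /profile/1005 200
198.51.100.7 GET /profile/4421 200
"""

# Assumed log layout: "<client> <method> /profile/<id> <status>".
LINE_RE = re.compile(r"^(\S+) \S+ /profile/(\d+) (\d{3})$")


def parse_log(text):
    """Return (client, profile_id) pairs for every line that matches."""
    pairs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            pairs.append((m.group(1), int(m.group(2))))
    return pairs


def sequential_scanners(pairs, min_run=4):
    """Map client -> longest run of consecutive profile ids (id, id+1, ...)
    requested in order, for clients whose longest run is >= min_run.
    Status codes are ignored on purpose: an enumeration hits deleted ids too."""
    by_client = defaultdict(list)
    for client, pid in pairs:
        by_client[client].append(pid)
    flagged = {}
    for client, ids in by_client.items():
        run = longest = 1
        for prev, cur in zip(ids, ids[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= min_run:
            flagged[client] = longest
    return flagged


if __name__ == "__main__":
    print(sequential_scanners(parse_log(SAMPLE_LOG)))  # {'203.0.113.9': 6}
```

With non-sequential ids (such as the initials + random digits scheme above) the same walk produces mostly misses rather than a consecutive run, which is why the pattern is worth alerting on.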