Ask HN: Security of a username/pw combo vs a username of the same lenth
Which is more secure?
For example if my dual string login is username "joebob" and my password is "helloworld", is this more secure than a single string login where my input is simply "joebobhelloworld"?
6 comments
[ 5.7 ms ] story [ 15.3 ms ] threadit's less secure against someone looking over your shoulder and seeing your username displayed on the screen.
it's less secure than someone watching you log in and reading the username displayed as plaintext in the login interface.
it's less secure if the username is stored unencrypted (if the password is encrypted) and someone gains access to the database.
however, it is more secure if all information is encrypted (and someone gains access to the database).
the last point may be unintuitive, since the "amount of information" is the same, but k^n + k^m < k^(n+m) (for reasonable values of k, n and m).
(if k is the number of bits per character, and n is the number of characters in a words, then k^n is proportional to the cost of guessing - it's easier to guess two halves of something than to guess the whole) (think of hangman - the game would be no fun at all if you had to guess whole words; being able to guess letters - word fragments - makes it much easier)
I don't see any reason why you should do a single string login.