TechEcho

Ask HN: Security of a username/pw combo vs a username of the same length

3 points by byjess almost 13 years ago
Which is more secure?

For example if my dual string login is username "joebob" and my password is "helloworld", is this more secure than a single string login where my input is simply "joebobhelloworld"?

4 comments

selectnull almost 13 years ago
Those two things are not the same thing at all. For example, let's say I want to create a new account in your application and you ask me to enter u/p. I enter the string that is already used by another user, so I should choose another one. Except, now I can log in with another person's u/p combo.

I don't see any reason why you should do a single string login.
andrewcooke almost 13 years ago
secure against what attack? in general, a single (longer) username is less secure:

it's less secure against someone looking over your shoulder and seeing your username displayed on the screen.

it's less secure against someone watching you log in and reading the username displayed as plaintext in the login interface.

it's less secure if the username is stored unencrypted (if the password is encrypted) and someone gains access to the database.

however, it is *more* secure if all information is encrypted (and someone gains access to the database).

the last point may be unintuitive, since the "amount of information" is the same, but k^n + k^m < k^(n+m) (for reasonable values of k, n and m).

(if k is the number of bits per character, and n is the number of characters in a word, then k^n is proportional to the cost of guessing - it's easier to guess two halves of something than to guess the whole) (think of hangman - the game would be no fun at all if you had to guess whole words; being able to guess letters - word fragments - makes it much easier)
japhyr almost 13 years ago
I don't see why you'd want to do this. You want to keep the username in plain text for many reasons, and hash the password for security reasons. If you put them together you either keep it in plain text and lose security, or hash it properly and lose the ability to display usernames in your site.
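
An added example (not code from the thread or from any real project) contrasting the two designs selectnull and japhyr describe above: a plaintext username with a per-user salted password hash, and a single-string login where the same string is both identifier and secret. The class names, the PBKDF2 parameters and the site-wide salt are assumptions made for illustration.

```python
import hashlib, hmac, os

def kdf(secret: str, salt: bytes) -> bytes:
    # Slow, salted hash; the iteration count is an illustrative assumption.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

class TwoFieldStore:
    """Username kept in plaintext as the lookup key; password salted per user."""
    def __init__(self):
        self.users = {}  # username -> (salt, password hash)

    def register(self, username, password):
        if username in self.users:
            return False  # tells the caller only that the name is taken
        salt = os.urandom(16)
        self.users[username] = (salt, kdf(password, salt))
        return True

    def login(self, username, password):
        rec = self.users.get(username)
        if rec is None:
            return None
        salt, stored = rec
        ok = hmac.compare_digest(stored, kdf(password, salt))
        return username if ok else None

    def display_names(self):
        return sorted(self.users)  # names stay available for display

class SingleStringStore:
    """One string is both identifier and credential."""
    # There is no plaintext key to find a row by, so a per-user salt would
    # mean trying every row; the lookup needs one deterministic site-wide salt.
    GLOBAL_SALT = b"constructed-site-wide-salt"

    def __init__(self):
        self.accounts = {}  # hash of the login string -> account id

    def register(self, secret):
        key = kdf(secret, self.GLOBAL_SALT)
        if key in self.accounts:
            return False  # "already in use" confirms a working login string
        self.accounts[key] = len(self.accounts) + 1
        return True

    def login(self, secret):
        return self.accounts.get(kdf(secret, self.GLOBAL_SALT))
```

In the single-string store the uniqueness check at registration answers the same question as a login attempt, and no username survives in the table to show on the site.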
byjess almost 13 years ago
I guess the biggest problem is that a long passphrase would tend toward logical phrases like 'willyoumarrymeedward', whereas usernames and passwords rarely form a logical phrase. So guessing at valid passphrases would be easier to do.