
Warwench

04.02.2013 , 10:14 AM | #4
Quote: Originally Posted by Eillack
Happy that I've had a security key, but I still find it silly that now everyone knows half of your login info.
Probably because you don't understand all the other systems, controls, etc. involved, or don't understand that assuming a login name is "private" is poor security in itself.

Kerckhoffs's principle applies beyond codes and ciphers to security systems in general: every secret creates a potential failure point. Secrecy, in other words, is a prime cause of brittleness—and therefore something likely to make a system prone to catastrophic collapse. Conversely, openness provides ductility.
So relying on "secret" usernames is a bad idea, and assuming the username is not known by an attacker is a bad idea. There are MANY other controls in place that do not assume that your username is secret; an attacker knowing it or not knowing it doesn't matter. 's_principle <-- read it.