I don't think a username is, nor should be, considered
sensitive information.

It goes against most of the security philosophy
and/or methodology in existence. If you hide
the username it's considered
"Security through obscurity" because you are
relying on the fact that no one will "discover"
the usernames.  You should expect and depend
on the fact that your usernames are exposed
to the outside world. Granted, you can go to
measures to protect usernames and give a
little added buffer. If you're going to use
passwords, that should be where you concentrate
making it secure, not hiding details and such.

A really great book
"Applied Cryptography" by Bruce Schneier

Written by one of the biggest security
advocates out there (also one of the best)
outlines what security via obscurity is and
how it does *NOT* protect you.

And about cracking passwords, if the
encryption is strong enough, cracking a
password will not occur in an hour, if
ever.

I recently installed an OpenBSD system on
a machine of mine at home. Instead of using
DES as the encryption algorithm it uses
Blowfish, which has been in use for a while
and is available in the public domain.
Brute forcing the passwords on that system
would not be a trivial task (let's hope
quantum computing does not come along and
make a liar out of me ;)

Most systems give you their username just
by virtue of details.  A non-work email
I have is [EMAIL PROTECTED]. It doesn't take
much to figure out jallen is probably my
username.

Usernames on every *nix/login I've used
/ any login I've seen has always been
visible, which means someone peeking over
my shoulder has my username.

In a very controlled environment it may be
possible to hide more details, but given a
determined hacker and someone who knows
a bit more than your average 'cracker' who
isn't going to really be able to figure out
what to do beyond downloading a utility
to Brute Force Decrypt your passwords.

Anyhow, these are more my beliefs just
reinforced by what I have read and experienced :)

So I agree with Courtney, however.... YMMV



-----Original Message-----
From: Courtney Payne [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 8:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: OT: Java Script Question


This is true.  However, I wouldn't think usernames would be considered
sensitive info.

Courtney E. Payne, Developer
Fig Leaf Software
"We've got you covered"
[EMAIL PROTECTED]
www.figleaf.com


-----Original Message-----
From: JustinMacCarthy [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 08, 2000 8:09 AM
To: [EMAIL PROTECTED]
Subject: Re: OT: Java Script Question


> your database beforehand and (using WDDX) make it available to your JS so
> that you can do the check right there on the client, without having to hit

the problem with that is anyone can get a list of your usernames .... just
by looking at the source....

~Justin MacCarthy

----------------------------------------------------------------------------
--
Archives: http://www.mail-archive.com/[email protected]/
To Unsubscribe visit
http://www.houseoffusion.com/index.cfm?sidebar=lists&body=lists/cf_talk or
send a message to [EMAIL PROTECTED] with 'unsubscribe' in
the body.
