A friend of mine has a system that will require them to generage a large number of username and passwords for their users and they want to use usernames that make sense to the users.  That is a common request, but he is concerned that a saavy user could deduce the username of others based on theirs.  This is a real possibility (or likelihood) if you use any of the standard methods such as employee number (just guess sequential numbers) or combinations of first and last name.

My response is as follows:

It is as always a tradeoff…

If you use a determinable username then the password must be that much more secure.  Ultimately we accept that user names are often guessable (in most systems), but just because that is a normally accepted risk it does not follow that it is OK.  Password guessing is a numbers game.  If we go to the simplest case of a single character password using a standard character set (alpha upper case + alpha lower case + digits = 26 + 26 + 10 = 62 possible characters) then there are only 62 guesses needed to get in once the username is known.  As we add more characters to the minimum password length then we approach numbers where brute force attacks will take a long time provided the password is not in a dictionary (my dictionary for such attacks has over 5 million words and well worn passwords).  At 6 characters you are at 56,800,235,584 (over 56 billion) possible combinations assuming the simple character set I mention above.  On average an attacker trying every single possible combination will stumble on the correct one before they finish every combination.  Keeping that fact out of the discussion we have to decide if we think a user can hit the site 56 billion times in a reasonable span of time to guess the password.  Drive minimum password length to 8 characters and we are at a healthy 218,340,105,584,896 (over 218 trillion) which is where I like to be.

This is very secure given one critical assumption.  It is assumed that the overhead of making a web request to test a guess adds enough overhead that you can’t hope to achieve millions of guesses per second or even per minute.  If this assumption falls then my conclusion below for a web based system is out the window.  Windows hashes of 8 characters fall very quickly even with larger character sets because I can crack them locally leveraging the full power of my processor and not bound by network latency (which is huge in comparison to local throughput).

Bottom line is that if you are comfortable with 8 character passwords that are complex enough (not findable in any competent hacking dictionary) then you can publish the user names on your home page and it won’t matter (but I wouldn’t because I am paranoid).

One final analogy to wrap up:  If you had a combination lock with the typical 4 numbers on tumblers (locker lock or suitcase lock).  There are 10,000 combinations from 0000 to 9999.  If someone could deftly try one per second then in under 3 hours it would be open without exception.  But if they could only try once per hour (due to surveillance or some other factor then it would take well over a year.  Complexity is comprised of number of characters times character set available.  Vulnerability is measured in potential passwords divided by the speed at which they can be tried.  I prefer adding techniques that detect and deter brute force attacks, but that is a topic for another day.