I'm still pondering uid/username/profile
The key is the combination of username and password. 5 char + 10 char is 15. Increasing strength with longer usernames makes some sense. The other part being that it needs the correct combined somethingyouknow + somethingyouknow to authenticate. This got me thinking that for a user, the email name, the name of the home directory and the name used at the login prompt should never be the same.

If someone is limited to attacking user accounts or the exploit requires a valid user for the vulnerability, that list has to first be created. If the username is kept as a secret but separate part of the key, getting email names or home/docsettings directory lists won't help. Make all human readable references to the user different from the username used at login prompts. The name list becomes as unpleasant to generate as the passlist of relevant terms. Exploits that require a username don't work.

The weakness is that there are already ways to get a user list once into the first account. Readable passwd, samba/smb and various local utilities make it a crunchy shell with a squishy middle. This only helps as long as all accounts remain unbroken.

Applicability depends on the location I guess. With forums, a secret username means your alias and email can become public without adding to an attack list. The public information, credentials and PIM remain unrelated objects. With base systems, any other local system login negates the benefits.

Just throwing it out there... thoughts?
Posted by Neon Samurai
22nd Jul 2010