Browsing through Coding Horror, I saw this article on removing the user field from a login dialog.
It’s an interesting concept albeit an old one from 2005. Nevertheless, I started thinking about it and wondered:
How would you be able to do this in a secure fashion?
If you identify the user by their password that means all passwords must be unique – yes?
If all passwords must be unique, what do you do when someone enters a password that’s already in use?
You can’t tell them it’s already in use because that would give away someone else’s login.
I can’t think of a way one could implement this in a secure fashion…any ideas?
You do not identify users by password, you identify them by user name. You authenticate users by password. Just think a bit what does it mean to identify by password. I join the system, he asks me to enter my new password. I say ‘foo’, he says ‘foo is already in use’. I say ‘tyvm”, and open the login window. When prompted I simply enter ‘foo’ and he says ‘Welcome Mr. President’…
No, there absolutely cannot be a requirement to have passwords unique, that would be a huge security hole in any system because it relies on information disclosure to function: by reveling a duplicate you disclose somebody’s password. Even with name/password combinations, once you disclosed that ‘password is in use’ all I have to do is iterate through the list of accounts trying the password you just revealed to me, and one combination will succeed.