I’m currently working on basic user authentication for an app I’m putting together, and I don’t have much experience with security.
This said, I understand the practice (and necessity) of salting/storing a (salted) password hash in a database as a blob, as opposed to the password (encrypted or no). I’ve already implemented this.
Is there anything to be gained by salting/hashing a user name and storing the hash in the database, as opposed to the username in plain-text (or encrypted)? It strikes me this would make it quite a bit harder to determine which users may access the system using the database for authentication.
Since it’s vital to make it difficult for someone to crack the password for a user account, wouldn’t it also make sense to increase the difficulty for determining which users are viable?
Edit: it’s possible some of the language I’m using isn’t 100% correct: feel free to correct 🙂
Edit2: I changed one of my first points to indicate salting hashes — thanks everyone for pointing out that I missed this 🙂
Edit3: Removed wording indicating I am encrypting/decrypting a password. I’m using salted hashes and am storing that in the DB — thanks Scotty for pointing this out.
Short answer: most likely no.
Long answer: Your situation seems to lack the key ‘my usernames are sensitive because of …’ which raises the question: ‘Why? What is the specific, demonstrable problem that protecting usernames would solve?’
Without that problem, what you are describing is a common pitfall in security-related development (and really development as a whole): coming up with some idea to secure or obfuscate some part of the system, and then searching for a reason to use it. As with anything in software development, you should avoid doing anything other than exactly what is needed until a clear problem presents itself that can only be solved by using a specific tool.
Extra hint (for free!): salt your password hashes. Plain-old hashes are far less secure.