Help with User Login System

[PleaseScreenShare]

-- Simple Question: If I was going to create a login system, I would need to hash the password, but would I need to hash the username aswell?

 

[IceGroose]

Hashing the username would not add an extra layer of security as the attacker knows the username he wants to attack so he can simply hash the username himself to get the same result. Hashing passwords is on the other hand essential.

 

[Zyger]

There's not much point in hashing the username, just bcrypt the password

 

[Zyger]

adding salt and then hashing would make it more secure while its stored in a db cos it harder to identify whos username is whos - it doesnt have to be done, but it can be done and made more secure if you really want it to be.

Yeah but usually you'd want to reference the user in some way on the site, and there would probably be other information associated with the user in the database to identify them anyway, e.g. an email

And if they have different casing in their username when they enter it in, it'll result in a different hash which may confuse some users as they wouldn't be able to log in

 

[Zyger]

Yes but again, in most cases usernames would be required to have exact casing when searched for or fetching associated data. If you are going to the details of hashing a username with salt then normally the email would be hashed as well.

Not really, usually it's fine if the casing isn't the same, and what would be the point in hashing the email? How would the site then be able to access the email to contact the user?