Because credential stuffing relies on the user reusing a username + password from another site. If you provide the user with a username they don't select, it won't be reused.

But then they have to remember the username AND the password? This doesn't help with users already having the password re-use problem. This would only work for those with a password manager, but then they are also less likely to re-use a password.

Also, wouldn't this prevent lost password recovery, if you can't identify a user by their email?

> But then they have to remember the username AND the password?

The commenter already acknowledged that the solution has drawbacks. The only claim made was that it solves credential stuffing, not that it doesn't inconvenience the user.

> This would only work for those with a password manager

It would also work for those without a password manager, because they'd have no choice.

> Also, wouldn't this prevent lost password recovery, if you can't identify a user by their email?

They're not mutually exclusive. You can have both: a compulsory unique user ID to log in, and an email-based password recovery mechanism.

I haven't used it for 45 years, but my CompuServe user ID was [72175,1425]. I like that they assigned it themselves with no input from me. (I'm cursed with a good memory for useless things.)

https://en.wikipedia.org/wiki/CompuServe

Yes, there are clear ergonomic reasons why we don't do this "assign a username" thing. But it would stop password stuffing.

You'd presumably do username recovery the same way you do password recovery, so it would only be accessible to an attacker who compromised the user's email.
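The scheme discussed in this thread, sketched as an added example that is not part of any comment: the site assigns a random login ID, accepts only that ID at login, and mails the ID to the registered address on recovery. The `AccountStore` class, the 10-digit ID format, the PBKDF2 parameters and the sample leaked pairs are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}     # assigned login ID -> (salt, password hash)
        self.id_by_email = {}  # used only by recovery, never by login
        self.outbox = []       # stand-in for real mail delivery

    def register(self, email, password):
        # The site picks the identifier, so it cannot match one used elsewhere.
        login_id = f"{secrets.randbelow(10**10):010d}"
        while login_id in self.accounts:
            login_id = f"{secrets.randbelow(10**10):010d}"
        salt = secrets.token_bytes(16)
        self.accounts[login_id] = (salt, _hash(password, salt))
        self.id_by_email[email.lower()] = login_id
        return login_id

    def login(self, identifier, password):
        # Unknown identifiers still cost one hash, then fail the comparison.
        salt, stored = self.accounts.get(identifier, (b"\x00" * 16, b""))
        return hmac.compare_digest(_hash(password, salt), stored)

    def recover_login_id(self, email):
        login_id = self.id_by_email.get(email.lower())
        if login_id is not None:
            self.outbox.append((email, login_id))  # only the mailbox owner sees it
        # Same answer either way, so the form does not confirm registered addresses.
        return "If that address is registered, its login ID has been emailed."


def replay_hits(store, leaked_pairs):
    """Count identifier/password pairs from another site's breach that log in here."""
    return sum(store.login(user, pw) for user, pw in leaked_pairs)


# Constructed sample data: the user reuses the same password on both sites.
LEAKED = [("alice@example.com", "hunter2"), ("alice", "hunter2")]
store = AccountStore()
ALICE_ID = store.register("alice@example.com", "hunter2")
print(replay_hits(store, LEAKED), store.login(ALICE_ID, "hunter2"))
```

The reused password still verifies once the assigned ID is known, so the ID only helps as long as it stays out of breach lists from other sites.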
