Take for example PayPal... But applies to so many other sites.

The issue: The display name/identity that is shown to the world as part of the web/social site is also what's used to log in.

Sure, it's easier to simply track a single ID and password, but I'd prefer not to be giving out half the required information to log in. Especially for anything financial related, like PayPal, this is really not a wise system. Banks don't use email addresses to log in. They either have a unique (unused elsewhere) ID or they use your bank card #, something that you're not sharing with every Tom Disk and Harry.

For PayPal I'd like to use one ID (which can be an email address, it doesn't matter to me) for login, but have another that is associated with receiving/sending payments only. As it stands, if you add an additional email address to your account, it will be used for everything, just like your primary. DOH!

Another issue, "personal" recovery/validation questions that are not personal to you:

Then you have places that try to be too smart for their own good, such as the recent updates to iTunes asking for additional recovery information. iTunes now forces you to register 3 recovery questions, however for each question they have a pre-determined list of choices. Let's say 5 each, for a total of 15. That's a a decent amount of questions, but still likely that you won't find something in there suitable for you. Even if you find 3, what if all three are in the first group? Well you're screwed, because you'll still have to pick one each from the other groups. I ended up having to pick two questions I'm not likely to easily remember the answers to if I ever need them.

Just write the answers down on a post-it note and stick it to your monitor like everyone else

The reason these folks use email addresses rather than user names is that you're likely to actually remember your email address. Versus the craptastic problem when your preferred username is already taken. "dwallach", nope. "danwallach", nope. "dswallach", nope.

That said, the *real* right answer is for these sites to delegate to a handful of OpenID/OAuth providers to authenticate you. I'd like to have some super-fancy two-factor contraption with Google, and then let everybody else just ask Google to prove that it's really "[email protected]" on the other end of the line.

Yeah, sure, OpenID/OAuth are very much a work in progress, but damn it they're the right idea.

But Dan, using usernames is precisely part of the same problem and something that is in fact already done. Example: Twitter.

Using the public name for login is bad. So if the public login is NOT an email address, then using an email address is perfectly acceptable. If an email address is the public name, then using a different email address as the login name would be acceptable.

The specifics of the issue vary from site to site.

The bottom line for me is that I'd really like to not give away half my login credentials to sites like PayPal and Twitter.

If the security of your account depends on your userid being a secret, your password is too weak.

Of course it doesn't depend on the secrecy of the userID. But having others not know the userID is good peace of mind. It also means that someone doesn't call the service on the phone saying, hey, it's me and identify themselves by my userid.

No one else read Mat Honan's story? http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

I sweat I spend more time correcting auto-correct sometimes than I do my own typos.

True, but he's got a good point. For example, I think that on this very BBS, my displayed name and my user login ID are two different things. I happen to have them set to the same thing because I don't care much, but, it's much more secure to set them to two different things.

I see the point he's making: That the name displayed to the world should be different than the name you use to log in. Because, no matter how secure your password is, one of the authentication factors is your login ID, and obscuring that would add yet another factor to the password security.

And it means that no one is going to sit there brute-forcing a password against your ID.

In the case of PayPal it's also because I absolutely don't want any email coming to the email address I use for my PayPal address except messages from PayPal.

When I go to a bar, etc. etc. the next day I don't have some bimbo calling me at home or showing up at my door.

It's still security through obscurity, fellas. Any entropy you can add to your "secret userid" is entropy you can add to your password. It's not another "factor" in authentication any more than a second or third password field would be.

The Mat Honan thing was more about a flaw in Amazon's security procedures at their call centers, and in Apple allowing people to reset their password with just the last 4 digits of the credit card number.

It's true that if you use the same email address or userid across multiple sites you're screwed if you also use the same password on other sites, so the solution is to stop doing that. Having to remember different userids across dozens and dozens of sites causes more problems than it solves -- better to store all of your secret entropy sauce in a single field and not have to remember which username you used.

My passwords are of decent strength, at least 9 characters (usually 10 to 12), and usually a mix of letters upper and lower, numbers and a symbol or two. Passwords never repeat, not even for email addresses.

Anyway, on sites that support it, I can easily increase password length to 20 or more characters, since I don't memorize them anyway, but that's not why I want non-public info for login.

"Security" through obscurity is very simple but also very effective for the sites I'd like it for. At least for the reasons I'd like it for.

Security through obscurity is effective at one thing: increasing perceived security for people who don't get security.

Maybe we define obscurity differently.

Have a look at this reasonably balanced view: http://security.stackexchange.com/q/2430/485

I simply mean that I'm not looking to obscure my login as a form of strengthening password security. That's why I put "security" in quotes a few messages up.

For sites that have user names it means being able to have a display name of your choice without "larry36362" being your display name.

It means being able to have email addresses used expressly for login purposes without needing to worry about actually receiving email at the same address and mixing with other email that has a specific content/purpose.

It's a convenience/management thing more than it is added security. It's just however that it's tied to the security mechanisms of sites, because it's part of the entry method. I just read that link and it seems that some other people are of a similar frame of mind with regards to management.

Besides, someone should tell Batman that obscurity doesn't add value.

Nobody's saying that you shouldn't take simple steps that can inconvenience an attacker, and the concerns you cite about convenience, not getting unwanted email at the address, etc. are all valid. But you explicitly mentioned "giving out half the info required to log in", which is a security argument, and not a good one. It wouldn't be a bad thing for PayPal to let you decide what email the user sees, but switching to secret userids because they somehow constitute an additional security factor is misguided.