what’s in a name?

you do this every day many times over: type a username, then a password

but why? it’s all just letters and numbers, right?

it is known that most smart attacks involve some kind of social engineering, e.g. the attacker knows the victim’s name and tries well-known passwords (like 1234, admin, test etc.) from a list – sometimes a dictionary helps, too, with the most common names, or combinations of username and birth year (like john1975).
and then it’s up to the password to keep you safe – so you ought to choose one that’s long and has special characters in it (like #<*). if that doesn’t work, the attacker digs deeper and calls coworkers, pretending to be a friend, super, law enforcer or other coworker, to obtain more info.
BUT the name is still fairly simple to guess. so WHY NOT get rid of it?

let’s say your username has 10 letters, and the password is another 10 – that’s 20 letters to type, and in between you gotta use the mouse to move from field to field (or the cursor or tab)
the first 10 though are almost a waste of time, and the next 10 are supposed to be very difficult to guess (if you can’t find the post-it-note next to the screen!) – so sometimes people put a post-it up on their monitor with that info …

what if you just enter a (complicated) 15 letter ‘access code’ that might have some personal meaning to the user? e.g. FOOL1975=>JOHN!

hard to guess, in NO dictionary, personalized, shorter than 20, and safer!

almost as safe as certificates – but who remembers a sha1 hash with 40 characters? besides, the # of wrong logins and attempts per time unit has to be limited anyway
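
a sketch of the single-field login described above, with the limit on wrong attempts per time unit. this is an added example, not code from the original post: the class, the function names, the pepper, the 5-per-60-seconds limit and the per-client counting are all assumptions (with no username there is no account to lock, so wrong attempts are counted per client).

```python
import hashlib
import time

PEPPER = b"constructed-demo-secret"  # assumption: server-side secret kept outside the database
MAX_FAILS, WINDOW = 5, 60.0          # assumption: 5 wrong codes per 60 seconds per client

def code_key(code: str) -> str:
    """Slow keyed digest of the access code, used as the lookup key.
    With no username there is no per-user salt to fetch before hashing."""
    return hashlib.pbkdf2_hmac("sha256", code.encode(), PEPPER, 100_000).hex()

class AccessCodeLogin:
    """Hypothetical single-field login: one access code, no username."""

    def __init__(self):
        self.users = {}  # code_key -> user
        self.fails = {}  # client id -> timestamps of recent wrong codes

    def enroll(self, user: str, code: str) -> None:
        if len(code) < 15:  # assumption: the 15 letters from the post as a minimum
            raise ValueError("access code must be at least 15 characters")
        key = code_key(code)
        if key in self.users:
            # Codes must be unique, since the code alone identifies the user.
            raise ValueError("choose a different access code")
        self.users[key] = user

    def login(self, client: str, code: str, now=None):
        now = time.monotonic() if now is None else now
        # Keep only the failures that fall inside the time window.
        recent = [t for t in self.fails.get(client, []) if now - t < WINDOW]
        self.fails[client] = recent
        if len(recent) >= MAX_FAILS:
            return None  # throttled: even a correct code is refused
        user = self.users.get(code_key(code))
        if user is None:
            recent.append(now)  # count the wrong attempt against this client
        return user
```
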