<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Are usernames superfluous?</title><link>http://blogs.technet.com/jesper_johansson/archive/2005/10/12/412384.aspx</link><description>A friend just pointed me to an interesting blog post. The premise is that logon dialogs should not be asking for a username. Mostly the blog post points to why the username provides no value, not really expanding the argument that it is superfluous.</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>re: Are usernames superfluous?</title><link>http://blogs.technet.com/jesper_johansson/archive/2005/10/12/412384.aspx#412461</link><pubDate>Thu, 13 Oct 2005 21:51:16 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:412461</guid><dc:creator>Steve Riley</dc:creator><description>More evidence that people are making recommendations without a basic understanding of computer science. You cannot have authentication without identity, and yet this is precisely what the article is suggesting. The removal of user IDs means the removal of identity. This requires that the password, which normally acts only as the secret authenticator, now acquire double-duty and become the identity as well. And what happens when you force this unnatural requirement? Well, you get exactly what Jesper describes: an instant attack. If the system refuses your use of a certain password, you *know* that said password is already in use! Now you know the &amp;quot;identity&amp;quot; of the human and can impersonate him/her.&lt;br&gt;&lt;br&gt;Computer science principles can't be changed, much like the laws of physics can't be changed.
You must never confuse the functions of identity, authentication, and authorization, and you must avoid products that attempt to do so.</description></item><item><title>re: Are usernames superfluous?</title><link>http://blogs.technet.com/jesper_johansson/archive/2005/10/12/412384.aspx#412667</link><pubDate>Tue, 18 Oct 2005 18:14:16 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:412667</guid><dc:creator>Darren Gaile</dc:creator><description>In response to Jesper's comment that &amp;quot;we could get rid of silly requirements like removing the last logged on username from the logon dialog&amp;quot;, I must tell you this.&lt;br&gt;I recently have enabled this functionality, not from a security point of view for which most would use it, but for another less 'interesting' reason - to reduce the number of people who, believe it or not, don't know their own user id.  Basically because they never had to type it in, even though it was displayed on their screen every morning, and even though it was part of their email address, they didn't know/remember it.  Also, I must disagree with the statement that it doesn't provide any security.  While it is most likely in the public domain since it's part of your email address for a start, it does play a part in protecting systems from certain attack methods.  Instead of simply guessing 'any' password and gaining access, an attacker must also guess a user name that is associated with it.  Now I agree that it may be perfectly possible for such an attacker to get a complete list of user ids for a particular system one way or another, it could also be quite difficult for others. But it does add another barrier and as such another layer of security.
And as we all know, &amp;quot;Every little helps&amp;quot;&lt;br&gt;</description></item><item><title>re: Are usernames superfluous?</title><link>http://blogs.technet.com/jesper_johansson/archive/2005/10/12/412384.aspx#412681</link><pubDate>Wed, 19 Oct 2005 01:40:10 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:412681</guid><dc:creator>Shan</dc:creator><description>And what happens when a user calls the helpdesk to have them help with/change something? If they can barely remember the user name displayed on their screen every morning (settings permitting of course!), how do they identify themselves to the poor sysadmin who has to go find their profile when they really don't have a user name?</description></item></channel></rss>