Does username length/complexity/uniqueness positively impact security?

A harder-to-guess username adds to the security if it's kept secret.

The problems are:

  1. Usernames are often not kept especially secret. On most systems allowing multiple users to log in, any user can view the list of valid users. On systems that run mailservers, the mailserver can effectively be used to check if a username might be valid as most mailservers will accept mail for any local user. Various programs may include your username by default in outgoing traffic when they connect to servers. New user signup forms or password recovery forms may allow an attacker to check if a username is taken.

  2. Usernames are often harder to change than passwords.

So when adding additional complexity to your login credentials, it's best to get into the habit of putting that extra complexity in the password rather than the username.
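The signup and recovery-form leak described in point 1, shown as an added example that is not part of the original answer: a recovery handler that confirms usernames, beside one that gives the same response for every input, plus a self-audit check that tells them apart. All names, the account store and the messages are hypothetical and constructed for illustration.

```python
import secrets

# Constructed sample account store (assumption, not from the original post).
# The second username is deliberately long and "hard to guess".
USERS = {
    "alice": "alice@example.org",
    "x9$Tq_long-obscure-name": "bob@example.org",
}
OUTBOX = []  # stands in for an outgoing mail queue


def queue_reset(username):
    """Queue a reset mail only if the account exists; the caller is never told."""
    token = secrets.token_urlsafe(32)  # generated either way so both paths do similar work
    email = USERS.get(username)
    if email is not None:
        OUTBOX.append((email, token))


def recover_leaky(username):
    """Recovery form whose status and message reveal whether the username exists."""
    if username not in USERS:
        return 404, "No such user"
    queue_reset(username)
    return 200, "Reset link sent"


def recover_uniform(username):
    """Recovery form that returns one response for every input."""
    queue_reset(username)
    return 200, "If that account exists, a reset link has been sent"


def is_username_oracle(handler, known, unknown):
    """Self-audit: True if responses differ for a known and an unknown username."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (recover_leaky, recover_uniform):
        leaks = is_username_oracle(handler, "alice", "no-such-user")
        print(f"{handler.__name__}: confirms usernames = {leaks}")
```

The check compares only the visible response; response timing and the signup form need the same comparison before a username can be treated as unconfirmed.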


No. A username is not supposed to be kept secret and thusly won't be. A username is a public ID. Relying on it for security is not smart.


It has a little positive impact, but you cannot rely on it. And this little impact isn't worth having a complex username for. Systems are not designed to keep usernames secret, so keeping it secret will be too hard.

It's about obscurity, not security.