Why do we authenticate by prompting a user to enter both username and password? Does prompting for only the password suffice?

I think the issue is in requiring passwords to be unique. If I entered my desired password, and you told me I can't use it, it's already in use, then I know that I can log in to a random person's account with the password that I would have wanted.

So, you need a username, which is unique, and can be known to everyone. Then you have a personal password, which is not necessarily unique, making it even harder to guess.

While you are at it, hash and salt that password.
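
The contrast described in the answer above, as an added example that is not part of the original answer: a password-only store whose uniqueness check confirms a working credential, next to a username-keyed store with per-user salted hashes. The class names, sample accounts, and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

class PasswordOnlyStore:
    """Password is the only identifier, so it has to be unique."""
    def __init__(self):
        self._accounts = {}  # unsalted digest -> profile (a salt would break lookup)

    def register(self, password: str, profile: str) -> None:
        key = hashlib.sha256(password.encode()).hexdigest()
        if key in self._accounts:
            # The rejection itself tells the caller the password opens an account.
            raise ValueError("password already in use")
        self._accounts[key] = profile

    def login(self, password: str):
        return self._accounts.get(hashlib.sha256(password.encode()).hexdigest())

class UsernamePasswordStore:
    """Username identifies (public, unique); password authenticates (secret)."""
    def __init__(self):
        self._accounts = {}  # username -> (salt, derived key)

    def register(self, username: str, password: str) -> None:
        if username in self._accounts:
            raise ValueError("username already in use")  # reveals nothing secret
        salt = os.urandom(16)  # per-user salt: equal passwords store differently
        self._accounts[username] = (salt, _kdf(password, salt))

    def login(self, username: str, password: str) -> bool:
        record = self._accounts.get(username)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, _kdf(password, salt))

    def stored_key(self, username: str) -> bytes:
        return self._accounts[username][1]

def collision_leaks(store: PasswordOnlyStore, password: str) -> bool:
    """True if a rejected registration confirms the password is a live credential."""
    try:
        store.register(password, "new account")
        return False
    except ValueError:
        return store.login(password) is not None
```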


There are already good answers here, but the simple, basic concept is still missing:

Identification and Authentication are not the same thing.

Simply put, these are two separate requirements, and should not be mixed up.
A username provides for identification, and a password allows you to verify that claimed identity (i.e. authentication).

See also Difference between authentication and identification [Crypto and Security perspective]


Both the user and the administrator benefit from a username, typically unique, that is not a secret, which they can freely use to refer to the account. If the username is not unique, it can be associated with an email address or other unique contact id. This way a user can reset their password and get a new one, or change their password without changing their account.

Besides that, as noted by others, requiring just a unique password is also problematic when it is the only identifier and there is a collision.