by ggruschow 5711 days ago
Alternative: There's no reason for my username to be public on the vast majority of sites/apps/crap that I use, so I'd rather just have a username, no password.

The secret username can be associated with a display name, real name, physical/email addresses, etc. You can use the latter to look up the former along with a password/probing question/ping (email, text, phone) to retrieve the former.

It seems to make more sense to me logically anyway: I'm not anonymously entering a secret club with a password. I'm identifying myself, and based on my identity I'm allowed to do something.

2 comments

The main problem with this is that it would greatly increase the effectiveness of brute-force attacks.

The secret username would have to be forced to be a long string without dictionary words, numbers, capitalization, etc., which somewhat undoes any potential advantage. Even then it's not very secure in comparison.

Even if a potential intruder does know a username, there is only one possible pass key, but by removing that link you're free to guess the pass key of any user in the system.

You could just make min(len(secret_username)) = 1 + min(len(username)) + min(len(password))... if that's what you wanted.

Not all systems need to have the same level of security though, nor do they all need to assume their users are ignorant.

I wasn't arguing it was more secure. It could be made equivalent, but that misses the point. You don't always need a deadbolt in addition to a lock in the door knob.
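The brute-force argument in the thread (with a public username the attacker aims at one account's password; with a secret username alone every guess can hit any of the N users) and the proposed minimum-length rule can be put into numbers. The model below is an added example, not code from the thread; the alphabet size, length minimums and user count are constructed.

```python
"""Search-space model for 'username + password' versus 'secret username only'.

Assumptions (not from the thread): secrets are uniformly random over an
alphabet of `alphabet_size` characters, and the attacker can make guesses
at `guesses_per_second` with no per-account lockout (there is no account
name to throttle on in the secret-username design)."""
import math


def security_bits(alphabet_size: int, secret_len: int) -> float:
    """Bits of work to exhaust one fixed secret of secret_len characters."""
    return secret_len * math.log2(alphabet_size)


def targeted_bits(alphabet_size: int, password_len: int) -> float:
    """Username is public: the attacker works on one account's password."""
    return security_bits(alphabet_size, password_len)


def untargeted_bits(alphabet_size: int, secret_len: int, n_users: int) -> float:
    """No username: a guess matching any of n_users secrets logs the attacker in,
    so the work drops by log2(n_users) ('free to guess the pass key of any user')."""
    return security_bits(alphabet_size, secret_len) - math.log2(n_users)


def min_secret_len(min_user_len: int, min_pw_len: int) -> int:
    """The rule suggested above: 1 + min(len(username)) + min(len(password))."""
    return 1 + min_user_len + min_pw_len


def expected_guesses_to_first_hit(alphabet_size: int, secret_len: int, n_users: int) -> int:
    """Mean number of random guesses before the first account (any account) opens."""
    return alphabet_size ** secret_len // n_users


def hours_to_first_hit(alphabet_size: int, secret_len: int, n_users: int,
                       guesses_per_second: float) -> float:
    """Wall-clock estimate for an untargeted online guessing campaign."""
    return expected_guesses_to_first_hit(alphabet_size, secret_len, n_users) / guesses_per_second / 3600


def compare(alphabet_size: int, min_user_len: int, min_pw_len: int, n_users: int) -> dict:
    """Bits for each design and whether the combined-length rule restores parity."""
    classic = targeted_bits(alphabet_size, min_pw_len)
    naive = untargeted_bits(alphabet_size, min_pw_len, n_users)  # secret only as long as a password
    ruled = untargeted_bits(alphabet_size, min_secret_len(min_user_len, min_pw_len), n_users)
    return {"classic": classic, "naive_secret": naive, "rule_secret": ruled,
            "rule_restores_parity": ruled >= classic}


if __name__ == "__main__":
    # Constructed scenario: 62-char alphabet, 3-char usernames, 8-char passwords, 1M users.
    print(compare(62, 3, 8, 1_000_000))
    print(f"{hours_to_first_hit(62, 8, 1_000_000, 1000):.1f} h to first hit at 1000 guesses/s")
```

Parity holds exactly when alphabet_size ** (min_user_len + 1) >= n_users, which is why the extra length in the rule matters and why a secret of plain password length loses log2(n_users) bits.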
That's exactly why https://loom.cc/ uses only a passphrase, with no user name. Users are not identifying themselves, they are identifying a wallet.