by Alexx 5711 days ago
The main problem with this is that it would greatly increase the effectiveness of brute-force attacks.

The secret username would have to be forced to be a long string without dictionary words, numbers, capitalization, etc., which somewhat undoes any potential advantage. Even then it's not very secure in comparison.

Even if a potential intruder does know a username, there is only one possible pass key, but by removing that link you're free to guess the pass key of any user in the system.

2 comments

You could just make min(len(secret_username)) = 1 + min(len(username)) + min(len(password))... if that's what you wanted.

Not all systems need to have the same level of security though, nor do they all need to assume their users are ignorant.

I wasn't arguing it was more secure. It could be made equivalent, but that misses the point. You don't always need a deadbolt in addition to a lock in the door knob.
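The sizing question raised in this thread, worked through as an added example that is not part of any comment: with one secret per user and no username to pin the guess to, a single guess succeeds if it matches any of the N users. The code assumes uniformly random, distinct secrets; the function names, the 62-character alphabet and the user counts are constructed for illustration.

```python
from fractions import Fraction


def per_guess_success(n_users: int, alphabet: int, length: int) -> Fraction:
    """Chance that one random guess equals ANY user's secret.

    Assumption: secrets are distinct and drawn uniformly from
    alphabet**length possible strings.
    """
    return Fraction(n_users, alphabet ** length)


def targeted_success(alphabet: int, password_len: int) -> Fraction:
    """Chance that one guess hits the password of a single known username."""
    return Fraction(1, alphabet ** password_len)


def min_secret_length(n_users: int, alphabet: int, password_len: int) -> int:
    """Shortest secret for which guessing any user is no easier than
    guessing one known user's password of password_len characters."""
    length = password_len
    target = targeted_success(alphabet, password_len)
    while per_guess_success(n_users, alphabet, length) > target:
        length += 1
    return length


def rule_from_thread(min_username_len: int, min_password_len: int) -> int:
    """The length rule quoted in the reply: 1 + username + password."""
    return 1 + min_username_len + min_password_len


if __name__ == "__main__":
    alphabet, pw_len = 62, 8          # constructed sample policy
    for users in (1, 1_000, 1_000_000):
        need = min_secret_length(users, alphabet, pw_len)
        print(f"{users:>9} users -> secret of at least {need} chars")
    print("thread rule (username>=3, password>=8):", rule_from_thread(3, pw_len))
```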