
Having a username in a cookie

Discussion in 'Security' started by OnlinePerson, Nov 14, 2007.

  1. #1
    I've got a website and want to have the username in a cookie. I know that DIGG does this, and doesn't even encrypt the username, is this bad?

    Is it acceptable to have a username stored in a cookie that's unencrypted?

    Thanks.
     
    OnlinePerson, Nov 14, 2007 IP
  2. toby

    toby Notable Member

    #2
    If they do store your password, that's probably something to be wary of. It is hard to consider privacy nowadays.
     
    toby, Nov 14, 2007 IP
  3. jexxie

    jexxie Peon

    #3
    I would think that storing a username in a cookie would be fine -- if you really wanted to be secure, have a hash of the username stored in the cookie, and in the user table on the server. On loading the login form, the server can check the cookie, query with the hash contained for the username, and auto-populate the form username field.

    Cheers.
     
    jexxie, Nov 15, 2007 IP
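    The scheme jexxie describes (cookie holds a hash of the username, server looks the hash up and pre-fills the login form) as an added Python example; this is not code from the thread or from any site mentioned in it. The user table, the cookie name `remember_user`, and the token store are constructed for the example. Alongside the plain-hash variant it shows an opaque random token, because a SHA-256 of a short username can be recomputed by anyone who guesses the username, so it pre-fills the form but hides nothing; it also emits the cookie with the Secure and HttpOnly flags, which address the clear-text sniffing concern raised later in the thread.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

# Constructed sample user table: username -> sha256(username), as the post
# suggests. In a real site this column lives in the database.
USERS = {
    "alice": hashlib.sha256(b"alice").hexdigest(),
    "bob": hashlib.sha256(b"bob").hexdigest(),
}


def username_hash(username: str) -> str:
    """The post's scheme: an unkeyed hash of the username for the cookie."""
    return hashlib.sha256(username.encode("utf-8")).hexdigest()


def lookup_by_hash(cookie_value: str):
    """Server side: find the username whose stored hash matches the cookie.

    Returns None for an unknown value. Constant-time compare so a wrong value
    is not distinguishable by timing.
    """
    for name, stored in USERS.items():
        if hmac.compare_digest(stored, cookie_value):
            return name
    return None


# Preferred variant: the cookie carries an opaque random token. Only a hash of
# the token is stored server-side, so a copy of the store does not yield
# usable cookies. (Hypothetical in-memory store for the example.)
REMEMBER_TOKENS = {}


def issue_remember_token(username: str) -> str:
    """Create a random token for this user and record its hash."""
    token = secrets.token_urlsafe(32)
    REMEMBER_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = username
    return token


def username_for_token(token: str):
    """Resolve a presented token to a username, or None if unknown."""
    return REMEMBER_TOKENS.get(hashlib.sha256(token.encode()).hexdigest())


def remember_cookie_header(value: str) -> str:
    """Build the Set-Cookie header value for the remember-me cookie.

    Secure keeps it off clear-text HTTP, HttpOnly keeps it away from page
    scripts, SameSite=Lax stops most cross-site sends.
    """
    jar = SimpleCookie()
    jar["remember_user"] = value
    morsel = jar["remember_user"]
    morsel["secure"] = True
    morsel["httponly"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = 30 * 24 * 3600
    return jar.output(header="").strip()


if __name__ == "__main__":
    # Plain-hash variant from the post: pre-fills the form, hides nothing.
    print(lookup_by_hash(username_hash("alice")))
    # Opaque-token variant: the cookie value reveals nothing about the user.
    tok = issue_remember_token("bob")
    print(username_for_token(tok))
    print(remember_cookie_header(tok))
```

    In either variant the cookie should only pre-fill the username field; the password is still typed and checked on every login, so a stolen cookie on its own does not log anyone in.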
  4. hans

    hans Well-Known Member

    #4
    To hack/crack a site or a part/script thereof, a hacker needs 2 things:

    1. username
    2. password

    A hacker can easily listen to an exchange of unencrypted traffic.

    If you offer the user name in clear text, you do half of the hacker's job.

    Maybe as a Christmas gift to all hackers you would also love to publish, on a separate page, the matching passwords to save him the second half of the guessing work - even better, maybe you just surrender your whole site, bank account, wife, and property to him??

    In other words:
    after far more than 200'000 password cracking attempts on my site this year, I definitely and absolutely am strictly against any cookie that serves any other purpose but to be a real simple cookie for the most basic parts of surfing, and NOTHING at all relevant to privacy, names, usernames, etc.!!

    There most likely are a thousand times more sites already abused and cracked than people like to believe or dream of.
    Any facilitating of hacker access is to some degree also facilitating or an invitation of illegal activities, which sooner or later may also become your nightmares and legal responsibilities.
     
    hans, Nov 16, 2007 IP
  5. jexxie

    jexxie Peon

    #5
    If you're concerned about hackers sniffing usernames and possibly passwords, buy an SSL certificate and install it on your domain. That would make it /much/ more difficult for them. :D
     
    jexxie, Nov 16, 2007 IP
  6. hans

    hans Well-Known Member

    #6
    If that is what you want, there is no need to BUY an SSL certificate - just make your own with a qualified tool, unless you need the reputation of a CA. The security is exactly the same! A self-made server key / certificate is 100.00% the same security as a purchased one. Purchased certs are only a matter of "reputation" from a commonly known CA.

    That slows down communication, is impossible for regular vhosts in most cases, and still leaves the vulnerability of the SW to be solved. The weakness in most cases is always the SW running on a site.
     
    hans, Nov 16, 2007 IP
  7. jexxie

    jexxie Peon

    #7
    Most users will leave your site, since a 'scary error' popped up.

    But yes, you're correct -- the majority of the vulnerabilities on a website are bad coding or stupid design.
     
    jexxie, Nov 16, 2007 IP