Reputation: 187
Basically, my question is already in the title.
The idea is:
Option 1:
Password: XXXXXXXX (8-character)
Option 2:
Username: XXXX (4-character)
Password: XXXX (4-character)
Should be equally secure, right?
Upvotes: 1
Views: 49
Reputation:
From a purely theoretical point of view, I would say yes. At first. The number of combinations should be equal, if I am not mistaken.
But there are other things to consider.
Firstly, as Alex Shesterov mentioned, you would not have the possibility to change a password for a given user.
Secondly, if two persons use the same password, which is maybe hash-generated, you cannot distinguish these users.
Therefore it is hard to decide if someone is trying to get access by guessing (brute-force) or if multiple users are using the same password. If you have a user/password combination you can count the number of accesses for each user separately.
Another point is implementation. If you only have the password for identification, you would have to crawl all of your password database for each access, which takes linear time ( O(n) ), which means that a growing user-base would increase the time and effort which is necessary for each single access.
Lastly, for an attacker it would only be necessary to find just one valid password, instead of a valid user/password combination. Since you cannot distinguish different users, if they may use the same password, this possibly means that an attacker can gain access to the complete system, as all users are equal. Therefore you would need additional means to safely distinguish users within your system.
In the end, I would stick to the user/password combination and change the needed complexity for the password and its length.
edit: removed the link to the birthday problem, since it is not applicable, as discussed in the comments.
Upvotes: 2
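The following is an added example (not code from the question or from the answer above) that makes the answer's points concrete: the two keyspaces are equal in size, but a password-only store with per-record salts has to hash the candidate against every record on each login (O(n)), two users who pick the same password become indistinguishable, and failed attempts cannot be attributed to a user. The user labels, the "shared" password and the low PBKDF2 iteration count are constructed for the demo.

```python
"""Username+password versus password-only credential stores (illustrative)."""
import hashlib
import hmac
import os

ITERATIONS = 1_000  # deliberately low so the demo runs quickly; real deployments use far more


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 of the password under a per-record salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


class UsernamePasswordStore:
    """Option 2: records keyed by username, so a login checks exactly one record."""

    def __init__(self) -> None:
        self.records: dict[str, tuple[bytes, bytes]] = {}  # username -> (salt, hash)
        self.failed_attempts: dict[str, int] = {}
        self.hash_evaluations = 0

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.records[username] = (salt, hash_password(password, salt))
        self.failed_attempts.setdefault(username, 0)

    def authenticate(self, username: str, password: str) -> bool:
        rec = self.records.get(username)
        if rec is None:
            return False
        salt, stored = rec
        self.hash_evaluations += 1
        ok = hmac.compare_digest(stored, hash_password(password, salt))
        if not ok:
            self.failed_attempts[username] += 1  # lockout/alerting can be per user
        return ok


class PasswordOnlyStore:
    """Option 1: no username, so the password is the only key. With per-record
    salts there is nothing to index on, and every record must be hashed and compared."""

    def __init__(self) -> None:
        self.records: list[tuple[str, bytes, bytes]] = []  # (label, salt, hash)
        self.hash_evaluations = 0

    def add_user(self, label: str, password: str) -> None:
        salt = os.urandom(16)
        self.records.append((label, salt, hash_password(password, salt)))

    def authenticate(self, password: str) -> list[str]:
        """Return the labels of every record the password matches.
        More than one label means the login is ambiguous; an empty list is a
        failure that cannot be attributed to any particular user."""
        matches = []
        for label, salt, stored in self.records:
            self.hash_evaluations += 1
            if hmac.compare_digest(stored, hash_password(password, salt)):
                matches.append(label)
        return matches


def demo() -> dict:
    """Populate both stores with constructed users and exercise the differences."""
    up, po = UsernamePasswordStore(), PasswordOnlyStore()
    for label in ("alice", "bob", "carol"):
        up.add_user(label, "pw-" + label)
        po.add_user(label, "pw-" + label)
    # Two users choosing the same password: fine with usernames, ambiguous without.
    for label in ("dave", "erin"):
        up.add_user(label, "shared")
        po.add_user(label, "shared")

    up.hash_evaluations = po.hash_evaluations = 0
    up_ok = up.authenticate("carol", "pw-carol")
    up_cost = up.hash_evaluations          # 1: direct lookup by username
    po_carol = po.authenticate("pw-carol")
    po_cost = po.hash_evaluations          # 5: one hash per stored record

    po_shared = po.authenticate("shared")  # ['dave', 'erin'] -> cannot tell who logged in
    up_dave = up.authenticate("dave", "shared")  # True, and unambiguously dave
    up.authenticate("bob", "wrong")        # failure is attributed to bob's account

    return {
        "keyspace_equal": keyspace(62, 8) == keyspace(62, 4) * keyspace(62, 4),
        "up_hashes_per_login": up_cost,
        "po_hashes_per_login": po_cost,
        "up_carol": up_ok,
        "po_carol": po_carol,
        "po_shared": po_shared,
        "up_dave": up_dave,
        "bob_failed_attempts": up.failed_attempts["bob"],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The O(n) cost is a direct consequence of per-record salts; dropping the salt to regain an O(1) hash index would make equal passwords produce equal stored hashes, which is exactly the indistinguishability problem the answer describes, so the password-only design loses either way.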