The main reason I have always included usernames and passwords in my research is because it allows me to analyze frequency data across multiple sites. Although I could have anonymized the usernames, I thought it would be best to keep them in. There is good value there. For example, there is quite a bit of overlap between usernames and passwords. Also, how many users include all or part of their usernames in their passwords. Plus, what usernames might hackers be most likely to try out?
The main goal here is to put the data out there and let other researchers find the value in it.
You could use it to create a password strength meter for your website, and enforce a certain strength.
Let's say it is common to include a subset of the username in passwords. Doing so would decrease the password strength and be disallowed.
Also, you could look at certain usernames and compute likelihood of certain dictionary words, and disallow them. For example, a user named Bob might be unlikely to use spanish words in a password, but a user named Jose might be more likely.
Being aware of methods/info used by crackers when designing secure systems will lead to stronger systems.
> More energy needs to be spent on preventing breaches
Hard to argue against that.
> not silly password requirements
You don't think that password requirements help prevent breaches?
Try this: hook up a server to the internet that's open to ssh. If you look at the ssh login attempt logs, you'll notice that you constantly have people banging against it, trying to log in as root. Yes, password requirements are a small part of overall security, but they are very helpful.
The main goal here is to put the data out there and let other researchers find the value in it.