Wedge

Public area => The Pub => Features => Topic started by: Pandos on August 20th, 2011, 09:45 AM

Title: Login with eMail instead of username
Post by: Pandos on August 20th, 2011, 09:45 AM
It would be nice to have an option to choose between login with eMail or with username. Login with eMail would make more sense to me because of forum attacks in the past.
What do you think about that?

Sven
Title: Re: Login with eMail instead of username
Post by: Dr. Deejay on August 20th, 2011, 10:04 AM
I actually think this is a great idea. I'd love to see it implemented too :)
Title: Re: Login with eMail instead of username
Post by: Nao on August 20th, 2011, 10:08 AM
Hmm... Yes, I suppose it makes a lot of sense regarding forum username scrapers...
I think that'd be a definite yes, even if it adds an option to the profile area.

Unless we ask the user at registration time only...?

Like, we ask for an e-mail address, an account name and a display name. Then we ask the user what they want to use to login.... Errr.... Okay that's a bit overkill... :P

Most 'big' websites allow you to login with either email or username, your choice. How does that help them with scraping...? I suppose it doesn't.
Title: Re: Login with eMail instead of username
Post by: Pandos on August 20th, 2011, 10:11 AM
I think there must be an option in APC that allows the admin to choose it. It should not be up to the users.
Title: Re: Login with eMail instead of username
Post by: MultiformeIngegno on August 20th, 2011, 10:43 AM
Quote
I think there must be an option in APC that allows the admin to choose it. It should not be up to the users.
+1 !
Title: Re: Login with eMail instead of username
Post by: Nao on August 20th, 2011, 11:24 AM
What about existing users with dummy emails?
Title: Re: Login with eMail instead of username
Post by: Arantor on August 20th, 2011, 11:30 AM
You know that the system already actually does this internally, right? If you supply an email address it will attempt to use it.

Facebook quite happily accepts both.

I should point out that there is a convenience factor attached here: typing a username is a whole lot shorter than typing an email address in most cases, though most people will just stay logged in 'forever'.
Title: Re: Login with eMail instead of username
Post by: Nao on August 20th, 2011, 11:56 AM
Logging in with e-mail addresses may feel slightly more 'natural' to people these days, e.g. your login form has 'e-mail address' and 'password', while you may not be sure whether 'user name' may refer to your actual user name or current display name...

Hmm well, I'm not sure anyone bothered until now, though... If it ain't broke...

It's just something about login scrapers.
Title: Re: Login with eMail instead of username
Post by: Arantor on August 20th, 2011, 12:00 PM
Yes, I know exactly what it's about, since earlier this year there was an alarming rate of login attempts being made.

What it comes back to is whether people would rather be secure or convenient, and most people would rather be convenient. Sad, but true.
Quote
while you may not be sure whether 'user name' may refer to your actual user name or current display name...
It always refers to the username you signed up with. There's a simple, practical and immediate defence right there: have a different display name to username. It is as secure as using an email address in this context.

In fact, in another context it may actually be more secure to leave it as is. Consider the case of key loggers, logging email and password. If you're a good person and use a different password for each service, it doesn't make a lot of difference, but if you're not, you just provided one extra way for them to get your email + password combination.
Title: Re: Login with eMail instead of username
Post by: Nao on August 20th, 2011, 12:29 PM
Makes sense. Although the opposite does as well :P
Title: Re: Login with eMail instead of username
Post by: ARG on August 20th, 2011, 09:42 PM
When I used a login by email mod a while back it actually cut down on attacks drastically. I for one would like to see this option sometime in the future.

 ;)
Title: Re: Login with eMail instead of username
Post by: Arantor on August 20th, 2011, 10:27 PM
The only reason you knew you were being attacked is because of being logged out. In fact, there is a much better defence already in place for the style of attack.

Especially since I consistently see both username and email spam attacks in attempts to brute force access... Meaning that they'll still try it, and it actually is not a defence any longer.

What might be good is to provide a blacklist of the most common passwords and bar them from being used, since of the attack you're referring to (and in fact most brute force attempts), the top 20 or so most commonly used passwords were just cycled through a rotation.
Title: Re: Login with eMail instead of username
Post by: Nao on August 20th, 2011, 10:32 PM
Now that is a good idea!
Title: Re: Login with eMail instead of username
Post by: Pandos on August 21st, 2011, 01:26 AM
Not to forget that it looks more serious and professional by logging in with eMail.
I think this is a must have for Wedge.

Usernames can easily be grabbed from posts and hacked by brute force. Mail address is hidden by default. So for me this is one of the most important security standards we can give to our users.
Title: Re: Login with eMail instead of username
Post by: Arantor on August 21st, 2011, 01:41 AM
Quote
Not to forget that it looks more serious and professional by logging in with eMail.
No, it doesn't, especially since not everyone actually wants a serious and professional environment.
Quote
I think this is a must have for Wedge.
No, it isn't. If it IS implemented, I certainly won't be doing it.
Quote
Usernames can easily be grabbed from posts and hacked by brute force.
And you think this is a common occurrence? Trust me, it isn't. I run multiple honeypots right now, and while each has been hit with brute force attacks, the vast majority of them are for users that don't even exist.
Quote
Mail address is hidden by default.
It's better than that, it's not merely "by default". You physically have to give out moderation level permissions for it in order to view them.
Quote
So for me this is one of the most important security standards we can give to our users.
Hardly. I have a very long list of things that ranks higher than this, sorry to say.

Seriously, please take a note of the comments I have already made, specifically the ones where I indicated that the bots are already trying to brute force email addresses, and that not permitting very common, very weak passwords is actually a better method of protecting users than this.

Consider it this way: in any fence of security, the weakest link is where efforts will be concentrated. Usernames are not that weakest link.

Consider this also: you know Facebook, that little site with 750m+ users? That allows login with username. I know, because I happen to use that every damn day. Consider additionally that it's not just a random username then, it's also an *identity* of sorts, with all sorts of personal information far more important than would be found on most forums.
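The two points Arantor makes above (bots cycle the top twenty or so passwords against both usernames and e-mail addresses, mostly for accounts that do not exist, so a denylist of common passwords is the more useful control) can be checked against login-failure records. This is an added example in Python, not code from the thread or from Wedge; the sample records, IP addresses, identifiers and the short denylist are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of failed logins: (source_ip, identifier, password_tried, account_exists).
# One source sprays common passwords at usernames and e-mail forms alike; the other is a single typo.
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", "admin", "password", False),
    ("203.0.113.5", "admin", "123456", False),
    ("203.0.113.5", "webmaster@example.com", "password", False),
    ("203.0.113.5", "nao", "qwerty", True),
    ("203.0.113.5", "pandos@example.com", "letmein", True),
    ("198.51.100.7", "pandos", "Tr0ub4dor&3", True),
]

# Constructed stand-in for a "most common passwords" denylist; a real deployment would load a larger list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "abc123", "iloveyou", "admin"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def is_email(identifier):
    """True when the login identifier submitted is in e-mail form rather than a bare username."""
    return bool(EMAIL_RE.match(identifier))


def password_allowed(candidate, denylist=COMMON_PASSWORDS):
    """Registration-time check: reject denylisted passwords case-insensitively.
    Assumption added here: trailing digits ('password1') are stripped before the lookup."""
    lowered = candidate.lower()
    base = re.sub(r"\d+$", "", lowered)
    return lowered not in denylist and base not in denylist


def profile_sources(attempts):
    """Summarise failed logins per source: how many hit e-mail identifiers, nonexistent accounts, common passwords."""
    per_source = defaultdict(lambda: {"attempts": 0, "identifiers": set(),
                                      "email_form": 0, "nonexistent": 0, "common_pw": 0})
    for src, ident, pw, exists in attempts:
        s = per_source[src]
        s["attempts"] += 1
        s["identifiers"].add(ident)
        s["email_form"] += is_email(ident)
        s["nonexistent"] += not exists
        s["common_pw"] += not password_allowed(pw)
    return dict(per_source)


def flagged_sources(attempts, min_attempts=3):
    """Flag a source that either sprays denylisted passwords or walks many identifiers."""
    out = []
    for src, s in profile_sources(attempts).items():
        spraying = s["common_pw"] * 2 >= s["attempts"]      # at least half the tries are common passwords
        scanning = len(s["identifiers"]) >= min_attempts    # many distinct usernames / e-mail addresses
        if s["attempts"] >= min_attempts and (spraying or scanning):
            out.append(src)
    return sorted(out)
```

Run over the sample, the spraying source is flagged while the single typo is not, and its counters show the e-mail-form and nonexistent-account hits the post describes.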
Title: Re: Login with eMail instead of username
Post by: live627 on August 21st, 2011, 02:41 AM
Here we go again with clashing ideas :P
Title: Re: Login with eMail instead of username
Post by: Arantor on August 21st, 2011, 02:46 AM
I have no problem with clashing ideas, but people don't seem to be understanding one detail. If you're going to argue with me, be fucking prepared to back your shit up.

The information I have been presented with, not only through my own investigations but those of external investigations, tells me that this is not actually something that important.

If someone comes and presents an idea, with hyperbole and insufficient weight to back it up (i.e. any actual evidence), I'm not exactly going to be impressed, especially when it seems fairly clear that what I've already said was ignored in favour of pressing the same idea...

Kids: do not try this at home. I'm already pissed off because I seem to have found a really random bug in phpMyAdmin that I've spent 3 fucking hours trying to make sense of, and arguing with me is a really BAD idea.
Title: Re: Login with eMail instead of username
Post by: karlbenson on August 21st, 2011, 10:40 PM
Query, I thought it was a little known feature of smf that you could already login with your email address?
Title: Re: Login with eMail instead of username
Post by: Arantor on August 21st, 2011, 11:26 PM
Quote from karlbenson on August 21st, 2011, 10:40 PM
Query, I thought it was a little known feature of smf that you could already login with your email address?
Correct, as already mentioned. The request was to make it compulsory to use email address, as that's somehow more secure (which all evidence I've seen suggests that it isn't) and more professional (not all sites want to be professional)
Title: Re: Login with eMail instead of username
Post by: Nao on August 22nd, 2011, 01:07 AM
But some do. I suppose.
Title: Re: Login with eMail instead of username
Post by: Arantor on August 22nd, 2011, 01:30 AM
That's the thing. I've worked professionally in the past with various helpdesk systems, with intranet/extranet tools, financial infrastructure systems as part of my former career in financial services - and of all the web based tools I used, even those where multiple firms had login details to the one system (think credit reporting systems), even those did not have email address, but username, logins.

In fact, of all the services I have used and continue to currently use that have the 'professional' mentality attached, more of the services I use do not use my email address as my primary login, though all of them have my email address, so I'd argue that's probably not a great case to make either in the name of using emails for 'professionalism'.

There IS a case that can be made for using email authentication. It's really not a great case, especially if you change email addresses, make a typo and then you're really locked out of your account. (Yes, you can be locked out of your account otherwise for the same reason, but realistically you have a better chance of getting it fixed if you have a username attached to it that you're normally using.)

I should point out that this debate has already been had, once on sm.org, once here before. The fact remains that people will continue to be insecure in spite of any measures you place making them more secure, and if someone can type in a username instead of an email address, they invariably will, because it's easier.

Case study: I used to work at a corporation that had a 30 day expiration policy on passwords. Each password had to be a minimum of 8 characters, use no dictionary words, must include upper and lower case plus at least 2 characters that were either digits or symbols. Oh, and not reusing any of the last 3 passwords.

This was for financially sensitive systems, whereupon you would regularly have people phoning up IT to change their passwords because they couldn't remember them. Unless they wrote them down on post-it notes on their monitor. This sounds like an urban legend but I saw it happen every single day.

The consequence is that the more you do to make it more secure, the harder it is for users to use: complex passwords that change regularly mean users try to find easier passwords to remember, bearing in mind the potentially short term therein.

The moral of the story is that users will use what is easiest, not what is theoretically best. That's why people still use 'password' as their password, because it's easiest for them to remember.
Title: Re: Login with eMail instead of username
Post by: ARG on August 22nd, 2011, 04:45 AM
Quote from Ara Potter on August 22nd, 2011, 01:30 AM
....The fact remains that people will continue to be insecure in spite of any measures you place making them more secure, and if someone can type in a username instead of an email address, they invariably will, because it's easier.
Indeed. Just about every security measure that is currently possible has already been used and most still chose the easiest way. I guess it really doesn't matter what you try; your best bet is to simply make it a habit to change your password on a regular basis.

 ;)
Title: Re: Login with eMail instead of username
Post by: godboko71 on August 22nd, 2011, 07:45 AM
Not that many of you would take anything from Microsoft (or their researchers) with a grain of salt. That said, this is worth reading, and while it is talking about computer and network security, web security when you get down to it isn't so different in this perspective.

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

To boil it down for the lazy: it basically says what Pete is saying, a lot of security is a waste, because it doesn't really protect you. It says way more than that :-P but you get the point.
Title: Re: Login with eMail instead of username
Post by: Lex on August 22nd, 2011, 08:00 AM
I can actually second what Pete is saying, I currently work in a company with similar security needs, and similar setups (for example the password complexity requirements are even a wee bit higher than in Pete's example) and all I've seen it cause is the post-it's under keyboards, lost passwords, ID10T errors, and so on... Would the basic password requirements be made "reasonable" instead of "high security", the actual security benefit would be greatly higher in my opinion. Easier logins means less post-it cheats etc...