Login with eMail instead of username

Pandos

  • Living on the edge of Wedge
  • Posts: 635
Login with eMail instead of username
« on August 20th, 2011, 09:45 AM »
It would be nice to have an option to choose between login with eMail or with username. Login with eMail would make more sense to me because of forum attacks in the past.
What do you think about that?

Sven
# dpkg-reconfigure brain
error: brain is not installed or configured

Nao

  • Dadman with a boy
  • Posts: 16,063
Re: Login with eMail instead of username
« Reply #2, on August 20th, 2011, 10:08 AM »
Hmm... Yes, I suppose it makes a lot of sense regarding forum username scrapers...
I think that'd be a definite yes, even if it adds an option to the profile area.

Unless we ask the user at registration time only...?

Like, we ask for an e-mail address, an account name and a display name. Then we ask the user what they want to use to login.... Errr.... Okay that's a bit overkill... :P

Most 'big' websites allow you to login with either email or username, your choice. How does that help them with scraping...? I suppose it doesn't.

Pandos

  • Living on the edge of Wedge
  • Posts: 635
Re: Login with eMail instead of username
« Reply #3, on August 20th, 2011, 10:11 AM »
I think there must be an option in the ACP that allows the admin to choose it. It should not be up to the users.

MultiformeIngegno

  • Posts: 1,337
Re: Login with eMail instead of username
« Reply #4, on August 20th, 2011, 10:43 AM »
Quote
I think there must be an option in the ACP that allows the admin to choose it. It should not be up to the users.
+1 !

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Login with eMail instead of username
« Reply #6, on August 20th, 2011, 11:30 AM »
You know that the system already actually does this internally, right? If you supply an email address it will attempt to use it.

Facebook quite happily accepts both.

I should point out that there is a convenience factor attached here, typing a username is a whole lot shorter than typing an email address in most cases, though most people will just stay logged in 'forever'.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

Nao

  • Dadman with a boy
  • Posts: 16,063
Re: Login with eMail instead of username
« Reply #7, on August 20th, 2011, 11:56 AM »
Logging in with e-mail addresses may feel slightly more 'natural' to people these days, e.g. your login form has 'e-mail address' and 'password', while you may not be sure whether 'user name' may refer to your actual user name or current display name...

Hmm well, I'm not sure anyone bothered until now, though... If it ain't broke...

It's just something about login scrapers.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Login with eMail instead of username
« Reply #8, on August 20th, 2011, 12:00 PM »
Yes, I know exactly what it's about, since earlier this year there was an alarming rate of login attempts being made.

What it comes back to is whether people would rather be secure or convenient, and most people would rather be convenient. Sad, but true.
Quote
while you may not be sure whether 'user name' may refer to your actual user name or current display name...
It always refers to the username you signed up with. There's a simple, practical and immediate defence right there: have a different display name to username. It is as secure as using an email address in this context.

In fact, in another context it may actually be more secure to leave it as is. Consider the case of key loggers, logging email and password. If you're a good person and use a different password for each service, it doesn't make a lot of difference, but if you're not, you just provided one extra way for them to get your email + password combination.
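Reply #6 says the login code already accepts an e-mail address where a username is expected, and Reply #8 says the login name is always the sign-up username, never the display name. The following is an added illustration of that resolution logic, written for this thread and not taken from Wedge's code base; the user store, the PBKDF2 parameters and the sample accounts are constructed assumptions. It also shows the check a practitioner would want around it: an unknown identifier still costs one password hash, so the response time does not reveal whether the account exists.

```python
"""Login identifier resolution: accept a username or an e-mail address,
never a display name, and fail the same way for every bad attempt.

Added illustration for this thread, not Wedge's own code. The user
store, hashing parameters and sample accounts are constructed here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

PBKDF2_ROUNDS = 100_000  # assumption: illustrative work factor only


@dataclass
class User:
    username: str      # login name chosen at sign-up (the one used to log in)
    display_name: str  # shown on posts; may differ from username
    email: str         # stored lower-cased
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def make_user(username: str, display_name: str, email: str, password: str) -> User:
    salt = os.urandom(16)
    return User(username, display_name, email.lower(), salt, hash_password(password, salt))


class UserStore:
    """Two indexes: by lower-cased username and by lower-cased e-mail.
    Display names are deliberately not indexed, so they cannot be used to log in."""

    def __init__(self, users: Iterable[User]):
        users = list(users)
        self.by_username: Dict[str, User] = {u.username.lower(): u for u in users}
        self.by_email: Dict[str, User] = {u.email: u for u in users}
        # Dummy credential so an unknown identifier still costs one hash
        # computation; otherwise a fast failure reveals the account does not exist.
        self._dummy_salt = os.urandom(16)
        self._dummy_hash = hash_password("", self._dummy_salt)

    def resolve(self, identifier: str) -> Optional[User]:
        ident = identifier.strip().lower()
        if "@" in ident:
            # Looks like an address: try e-mail first, then fall back to the
            # username index in case someone registered an @-containing name.
            return self.by_email.get(ident) or self.by_username.get(ident)
        return self.by_username.get(ident)

    def login(self, identifier: str, password: str) -> Optional[User]:
        user = self.resolve(identifier)
        salt = user.salt if user else self._dummy_salt
        expected = user.pw_hash if user else self._dummy_hash
        ok = hmac.compare_digest(hash_password(password, salt), expected)
        return user if (user and ok) else None


# Constructed sample accounts (not real users or real credentials).
STORE = UserStore([
    make_user("pandos", "Living on the edge", "pandos@example.org", "correct horse"),
    make_user("arantor", "Arantor", "arantor@example.net", "battery staple"),
])

if __name__ == "__main__":
    print(STORE.login("pandos", "correct horse").username)                # by username
    print(STORE.login("Arantor@Example.NET", "battery staple").username)  # by e-mail
    print(STORE.login("Living on the edge", "correct horse"))             # display name: None
```

The display name is only useful as a defence if, as Reply #8 says, it differs from the username: the store above never consults it, so an attacker who scrapes display names from posts learns nothing about the login name.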

ARG

  • This is my personal text
  • Posts: 37
Re: Login with eMail instead of username
« Reply #10, on August 20th, 2011, 09:42 PM »
When I used a login by email mod a while back it actually cut down on attacks drastically. I for one would like to see this option sometime in the future.

 ;)

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Login with eMail instead of username
« Reply #11, on August 20th, 2011, 10:27 PM »
The only reason you knew you were being attacked is because of being logged out. In fact, there is a much better defence already in place for the style of attack.

Especially since I consistently see both username and email spam attacks in attempts to brute force access... Meaning that they'll still try it, and it actually is not a defence any longer.

What might be good is to provide a blacklist of the most common passwords and bar them from being used, since of the attack you're referring to (and in fact most brute force attempts), the top 20 or so most commonly used passwords were just cycled through a rotation.
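Reply #11 proposes refusing the most common passwords at registration, since the brute-force runs observed cycled through roughly the top twenty. Below is an added example of such a check, written for this thread rather than taken from Wedge; the short blacklist, the simulated accounts and the attacker's rotation are constructed stand-ins (a real deployment would load a list thousands of entries long). It goes slightly beyond the post by also catching the usual "capitalise and add a digit" variants and passwords that simply repeat the account's own username or e-mail local part.

```python
"""Reject the most common passwords at registration / password change,
since brute-force bots cycle a short rotation of them.

Added example for this thread, not Wedge's own code. The blacklist, the
sample accounts and the simulated rotation are constructed for illustration.
"""
from typing import Dict, Iterable, List, Tuple

# Constructed stand-in for a "top N" list; real lists are much longer.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345",
    "1234", "111111", "1234567", "dragon", "123123", "baseball", "abc123",
    "football", "monkey", "letmein", "shadow", "master", "696969", "mustang",
}
MIN_LENGTH = 8  # assumption: illustrative minimum


def normalise(pw: str) -> str:
    """Case-fold and strip a trailing '!' / digit suffix so that
    'Dragon1!' is still recognised as the blacklisted 'dragon'."""
    p = pw.strip().lower()
    return p.rstrip("!0123456789") or p


def check_password(password: str, username: str, email: str) -> Tuple[bool, str]:
    """Return (allowed, reason). Commonness is checked first because it is
    the failure the thread is concerned with."""
    base = normalise(password)
    if password.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        return False, "too common"
    if len(password) < MIN_LENGTH:
        return False, "too short"
    local_part = email.split("@", 1)[0].lower()
    if base in {username.lower(), local_part}:
        return False, "matches account identifier"
    return True, "ok"


# Constructed accounts: the password each would have chosen with no policy.
ACCOUNTS = [
    ("alice", "alice@example.org", "123456"),
    ("bob", "bob@example.org", "Dragon1!"),
    ("carol", "carol@example.org", "carol2011"),
    ("dave", "dave@example.org", "correct-horse-battery"),
]


def simulate_rotation(accounts, rotation: Iterable[str]) -> List[str]:
    """Accounts a bot trying exactly the strings in `rotation` would open
    if no password policy were enforced."""
    rot = set(rotation)
    return [user for user, _, pw in accounts if pw in rot]


def enforce(accounts) -> Dict[str, Tuple[bool, str]]:
    """Outcome of the policy for each account's chosen password."""
    return {user: check_password(pw, user, email) for user, email, pw in accounts}


if __name__ == "__main__":
    print("opened by rotation with no policy:", simulate_rotation(ACCOUNTS, COMMON_PASSWORDS))
    for user, (ok, reason) in enforce(ACCOUNTS).items():
        print(f"{user:6} {'accepted' if ok else 'rejected'} ({reason})")
```

Only the account that picked a password verbatim from the rotation falls to the simulated bot, but the policy also refuses the near-variant and the username-derived password, which is the point of blocking at sign-up rather than relying on the login form to hide anything.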

Pandos

  • Living on the edge of Wedge
  • Posts: 635
Re: Login with eMail instead of username
« Reply #13, on August 21st, 2011, 01:26 AM »
Not to forget that it looks more serious and professional to log in with eMail.
I think this is a must have for Wedge.

Usernames can easily be grabbed from posts and hacked by brute force. The mail address is hidden by default. So for me this is one of the most important security standards we can give to our users.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Login with eMail instead of username
« Reply #14, on August 21st, 2011, 01:41 AM »
Quote
Not to forget that it looks more serious and professional to log in with eMail.
No, it doesn't, especially since not everyone actually wants a serious and professional environment.
Quote
I think this is a must have for Wedge.
No, it isn't. If it IS implemented, I certainly won't be doing it.
Quote
Usernames can easily be grabbed from posts and hacked by brute force.
And you think this is a common occurrence? Trust me, it isn't. I run multiple honeypots right now, and while each has been hit with brute force attacks, the vast majority of them are for users that don't even exist.
Quote
The mail address is hidden by default.
It's better than that, it's not merely "by default". You physically have to give out moderation level permissions for it in order to view them.
Quote
So for me this is one of the most important security standards we can give to our users.
Hardly. I have a very long list of things that ranks higher than this, sorry to say.

Seriously, please take note of the comments I have already made, specifically the ones where I indicated that the bots are already trying to brute force email addresses, and that not permitting very common, very weak passwords is actually a better method of protecting users than this.

Consider it this way: in any fence of security, the weakest link is where efforts will be concentrated. Usernames are not that weakest link.

Consider this also: you know Facebook, that little site with 750m+ users? That allows login with username. I know, because I happen to use that every damn day. Consider additionally that it's not just a random username then, it's also an *identity* of sorts, with all sorts of personal information far more important than would be found on most forums.