Login with eMail instead of username

live627

  • Should five per cent appear too small / Be thankful I don't take it all / 'Cause I'm the taxman, yeah I'm the taxman
  • Posts: 1,670
A confident man keeps quiet.whereas a frightened man keeps talking, hiding his fear.

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Login with eMail instead of username
« Reply #16, on August 21st, 2011, 02:46 AM »
I have no problem with clashing ideas, but people don't seem to be understanding one detail. If you're going to argue with me, be fucking prepared to back your shit up.

The information I have been presented with, not only through my own investigations but those of external investigations, tells me that this is not actually something that important.

If someone comes and presents an idea, with hyperbole and insufficient weight to back it up (i.e. any actual evidence), I'm not exactly going to be impressed, especially when it seems fairly clear that what I've already said was ignored in favour of pressing the same idea...

Kids: do not try this at home. I'm already pissed off because I seem to have found a really random bug in phpMyAdmin that I've spent 3 fucking hours trying to make sense of, and arguing with me is a really BAD idea.
When we unite against a common enemy that attacks our ethos, it nurtures group solidarity. Trolls are sensational, yes, but we keep everyone honest. | Game Memorial

karlbenson

  • Posts: 44
Re: Login with eMail instead of username
« Reply #17, on August 21st, 2011, 10:40 PM »
Query, I thought it was a little known feature of smf that you could already login with your email address?
We come in peace, shoot to kill, shoot to kill, shoot to kill; we come in peace, shoot to kill; Scotty, beam me up

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Login with eMail instead of username
« Reply #18, on August 21st, 2011, 11:26 PM »
Quote from karlbenson on August 21st, 2011, 10:40 PM
Query, I thought it was a little known feature of smf that you could already login with your email address?
Correct, as already mentioned. The request was to make it compulsory to use email address, as that's somehow more secure (which all evidence I've seen suggests that it isn't) and more professional (not all sites want to be professional)

Nao

  • Dadman with a boy
  • Posts: 16,079

Arantor

  • As powerful as possible, as complex as necessary.
  • Posts: 14,278
Re: Login with eMail instead of username
« Reply #20, on August 22nd, 2011, 01:30 AM »
That's the thing. I've worked professionally in the past with various helpdesk systems, with intranet/extranet tools, financial infrastructure systems as part of my former career in financial services - and of all the web based tools I used, even those where multiple firms had login details to the one system (think credit reporting systems), even those did not have email address, but username, logins.

In fact, of all the services I have used and continue to currently use that have the 'professional' mentality attached, more of the services I use do not use my email address as my primary login, though all of them have my email address, so I'd argue that's probably not a great case to make either in the name of using emails for 'professionalism'.

There IS a case that can be made for using email authentication. It's really not a great case, especially if you change email addresses, make a typo and then you're really locked out of your account. (Yes, you can be locked out of your account otherwise for the same reason, but realistically you have a better chance of getting it fixed if you have a username attached to it that you're normally using.)

I should point out that this debate has already been had, once on sm.org, once here before. The fact remains that people will continue to be insecure in spite of any measures you place making them more secure, and if someone can type in a username instead of an email address, they invariably will, because it's easier.

Case study: I used to work at a corporation that had a 30 day expiration policy on passwords. Each password had to be a minimum of 8 characters, use no dictionary words, must include upper and lower case plus at least 2 characters that were either digits or symbols. Oh, and not reusing any of the last 3 passwords.

This was for financially sensitive systems, whereupon you would regularly have people phoning up IT to change their passwords because they couldn't remember them. Unless they wrote them down on post-it notes on their monitor. This sounds like an urban legend but I saw it happen every single day.

The consequence is that the more you do to make it more secure, the harder it is for users to use: complex passwords that change regularly mean users try to find easier passwords to remember, bearing in mind the potentially short term therein.

The moral of the story is that users will use what is easiest, not what is theoretically best. That's why people still use 'password' as their password, because it's easiest for them to remember.

ARG

  • This is my personal text
  • Posts: 37
Re: Login with eMail instead of username
« Reply #21, on August 22nd, 2011, 04:45 AM »
Quote from Ara Potter on August 22nd, 2011, 01:30 AM
....The fact remains that people will continue to be insecure in spite of any measures you place making them more secure, and if someone can type in a username instead of an email address, they invariably will, because it's easier.
Indeed. Just about every security measure that is currently possible has already been used and most still chose the easiest way. I guess it really doesn't matter what you try, your best bet is to simply make it a habit to change your password on a regular basis

 ;)

godboko71

  • Fence accomplished!
  • Hello
  • Posts: 361
Re: Login with eMail instead of username
« Reply #22, on August 22nd, 2011, 07:45 AM »
Not that many of you would take anything from Microsoft (or there researchers) for a grain of salt. That said this is worth reading and while it is talking about computer and network security web security when you get down to it isn't so different in this prospective.

http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf

To boil it down for the lazy. It basically says what Pete is saying, allot of security is a waste, because it doesn't really protect you. It says way more then that :-P but you get the point.
Thank you,
Boko

Lex

  • Posts: 31
Re: Login with eMail instead of username
« Reply #23, on August 22nd, 2011, 08:00 AM »
I can actually second what Pete is saying, I currently work in a company with similar security needs, and similar setups (for example the password complexity requirements are even a wee bit higher than in Pete's example) and all I've seen it cause is the post-it's under keyboards, lost passwords, ID10T errors, and so on... Would the basic password requirements be made "reasonable" instead of "high security", the actual security benefit would be greatly higher in my opinion. Easier logins means less post-it cheats etc...