[IxDA Discuss] email address as username
Peter Trudelle
peter at trudelle.com
Fri Oct 27 16:50:42 PDT 2006
I agree that requiring email addresses for userIDs, and especially
overloading their use as the primary means of contact, is a very bad
practice, for the reasons you cite, plus:
1. There is a significant security problem with using the email
address as username and overloaded contact info, in that a user
may gain access to accounts used by the previous holder of that
email address. Most of the email addresses I've had over the
years are no longer under my control; any/all of them could have
been re-used by others. If any of those people went to a site I
used, which required it as both username and contact, they could
trivially claim to have forgotten their password, and the site
would cheerfully email my password to them. Asking canned
questions like where I was born or my mother's maiden name adds no
security, as most such answers are either publicly available or
easily guessed.
2. Sites that require the username to be an email address do make it
easier to crack a user's login credentials, since email addresses
are much more public information, which can easily be harvested.
Allowing arbitrary strings as the username can make it as hard to
crack as the password.
3. Such sites typically do not provide for changing the username when
an email address changes, or migrating the account information, so
that the account must be closed or abandoned and a new one
started. You might as well start a new account with a competitor
who does not seek to save themselves development time/effort at
your expense.
Peter
Robert Barlow-Busch wrote:
> [Please voluntarily trim replies to include only relevant quoted material.]
>
> I believe that sites should not *require* an email address as the
> userID.
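The recovery flow Peter describes in point 1 (a "forgot password" feature that mails the stored password to whoever now controls the address) sits beside a hardened version below. This is an added example, not code from the IxDA thread or from any site discussed in it. It assumes a PBKDF2 round count and a 15-minute token lifetime chosen for the demo, a constructed sample user, and a caller that delivers the returned message over email; the `AccountStore` class and all of its method names are hypothetical.

```python
"""Account recovery: the pattern the post objects to, and a hardened version.
Added example with constructed sample data; not from the original thread."""
import hashlib
import os
import secrets

PBKDF2_ROUNDS = 100_000   # assumption: demo value, tune for production hardware
TOKEN_TTL = 15 * 60       # assumption: reset links expire after 15 minutes


# --- The pattern the post objects to ---------------------------------------
# Email address is the username and the only contact address, and the password
# is kept in the clear so "forgot password" can mail it back to whoever asks.
LEGACY_USERS = {"peter@old-isp.example": "hunter2"}   # constructed sample


def legacy_forgot_password(email):
    """Returns what the legacy site would email. Whoever now controls the
    (possibly reassigned) mailbox receives the original owner's password."""
    return LEGACY_USERS.get(email)


# --- Hardened version --------------------------------------------------------
def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: the site keeps (salt, digest) only, so there
    is no plaintext password to send to anyone."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class AccountStore:
    def __init__(self):
        self.accounts = {}   # username -> record; username is NOT the email
        self.tokens = {}     # sha256(token) -> (username, expires_at)

    def create(self, username, password, contact_email):
        salt, digest = hash_password(password)
        self.accounts[username] = {"salt": salt, "digest": digest,
                                   "contact_email": contact_email,
                                   "pending_email": None}

    def check_password(self, username, password):
        rec = self.accounts.get(username)
        if rec is None:
            hash_password(password, b"\x00" * 16)   # same cost for unknown users
            return False
        _, digest = hash_password(password, rec["salt"])
        return secrets.compare_digest(digest, rec["digest"])

    def request_reset(self, username, now):
        """Issue a single-use, short-lived token. Only its hash is stored; the
        message to send carries the token, never a password."""
        rec = self.accounts.get(username)
        if rec is None:
            return None   # caller should answer identically to avoid enumeration
        token = secrets.token_urlsafe(32)
        self.tokens[hashlib.sha256(token.encode()).digest()] = (username, now + TOKEN_TTL)
        return {"to": rec["contact_email"], "token": token}

    def complete_reset(self, token, new_password, now):
        """Consume the token (pop => single use) and set a new password."""
        entry = self.tokens.pop(hashlib.sha256(token.encode()).digest(), None)
        if entry is None:
            return False
        username, expires_at = entry
        if now > expires_at:
            return False
        salt, digest = hash_password(new_password)
        self.accounts[username].update(salt=salt, digest=digest)
        return True

    def start_email_change(self, username, new_email):
        """Point 3 of the post: the contact address can change without
        abandoning the account. The new address proves control first."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.accounts[username]["pending_email"] = (new_email, digest)
        return {"to": new_email, "token": token}

    def confirm_email_change(self, username, token):
        pending = self.accounts[username].get("pending_email")
        digest = hashlib.sha256(token.encode()).digest()
        if not pending or not secrets.compare_digest(pending[1], digest):
            return False
        self.accounts[username]["contact_email"] = pending[0]
        self.accounts[username]["pending_email"] = None
        return True
```

Two things the hardened flow still does not fix, and which the post's point 1 is really about: a reset link still goes to whoever controls the recorded contact address, so it only stays safe while the user can keep that address current (hence the email-change path), and a token only grants the right to set a new password, never knowledge of the old one. Keeping the username separate from the contact address also means an attacker who inherits a mailbox does not automatically learn which account to attack.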