  1. #1
    DoubleDee

    Log-in using Email or Username?

    Should users log in to my website using...

    1.) Email
    2.) Username
    3.) Either

    The way I have things currently, a user logs in using Email/Password, but once they are logged in, they are identified by Username. That way, other users would never know your email.

    This seems okay to me, but when I think about it, it seems like most websites I visit use Username/Password to log in?!

    Thoughts?

    Sincerely,


    Debbie

    P.S. To be honest *security* is more of a driver to me than "usability"...

  2. #2
    Force Flow
    Assuming that you're not using an SSL certificate, for security, I'd say use the username. Either way, without an SSL cert you are effectively broadcasting the username/email/password in the clear, which can potentially be intercepted.

    Also, keep in mind that folks might want to change their email address at some point.

  3. #3
    DoubleDee
    Quote Originally Posted by Force Flow:
    Assuming that you're not using an SSL certificate, for security, I'd say use the username. Either way, without an SSL cert you are effectively broadcasting the username/email/password in the clear, which can potentially be intercepted.
    Wrong assumption. (Why would anyone do a log in script without using HTTPS?!)


    Also, keep in mind that folks might want to change their email address at some point.
    I have a unique index on "email" - and another one on "username" - but I still allow people to change their e-mail address.


    What I was expecting someone to say is, "It is too much of a hassle to have to type in an entire e-mail address to log in. Using a Username is typically shorter, and thus perceived as easier."

    For now Email/Password - via HTTPS - is how you log in. I just figured I'd ask, because maybe in v3.0 it would be better to use Username/Password, or offer both ways as valid authentication methods?

    Sincerely,


    Debbie

  4. #4
    Force Flow
    Quote Originally Posted by DoubleDee:
    Wrong assumption. (Why would anyone do a log in script without using HTTPS?!)
    Many sites don't use SSL certs, especially forums and website commenting systems. For example, sitepoint doesn't have SSL enabled on the forums.

    Typically, any sites handling email, personal information, or financial information have SSL certs installed.

    What I was expecting someone to say is, "It is too much of a hassle to have to type in an entire e-mail address to log in. Using a Username is typically shorter, and thus perceived as easier."
    A valid reason. Plus, longer usernames mean there's a greater potential for typos, which might lead to lock-outs and password resets.

    For now Email/Password - via HTTPS - is how you log in. I just figured I'd ask, because maybe in v3.0 it would be better to use Username/Password, or offer both ways as valid authentication methods?
    Using both means there are two potential avenues for attack.

  5. #5
    DoubleDee
    Quote Originally Posted by Force Flow:
    Many sites don't use SSL certs, especially forums and website commenting systems. For example, sitepoint doesn't have SSL enabled on the forums.

    Typically, any sites handling email, personal information, or financial information have SSL certs installed.

    A valid reason. Plus, longer usernames means there's a greater potential for typos, which might lead to lock-outs and password resets.

    Using both means there are two potential avenues for attack.
    Is there any compelling reason to switch from Email to Username for authentication?

    I would argue Email is easier because everyone knows their Email Address - unless you have numerous ones.

    Because the Internet has become so E-mail centric in so many ways, Email just seems like a good unique identifier, plus an easier way for people to log in. (I think maybe 10-15 years ago, using a Username may have been more compelling...)

    At any rate, unless someone can give me a solid reason to NOT use Email, then I think my authentication system is okay as-is.

    Thanks,


    Debbie

  6. #6
    DaveMaxwell
    Quote Originally Posted by DoubleDee:
    Is there any compelling reason to switch from Email to Username for authentication?

    I would argue Email is easier because everyone knows their Email Address - unless you have numerous ones.

    Because the Internet has become so E-mail centric in so many ways, Email just seems like a good unique identifier, plus an easier way for people to log in. (I think maybe 10-15 years ago, using a Username may have been more compelling...)

    At any rate, unless someone can give me a solid reason to NOT use Email, then I think my authentication system is okay as-is.

    Thanks,


    Debbie
    Emails are becoming more and more common as identifications for logging in. A lot of sites give people the choice to use one or the other. Twitter allows you to choose both, Amazon and Facebook make you use email address, SP uses username (though that's because it's a vB format). So it just becomes a matter of preference.

    I just would argue to ensure that you allow them to create a username, and that is the identifiable point for your site - otherwise you'll have made your site a prime email harvesting point, which will make it very difficult to get users.

  7. #7
    DoubleDee
    Quote Originally Posted by DaveMaxwell:
    Emails are becoming more and more common as identifications for logging in. A lot of sites give people the choice to use one or the other. Twitter allows you to choose both, Amazon and Facebook make you use email address, SP uses username (though that's because it's a vB format). So it just becomes a matter of preference.
    Do you agree with ForceFlow that allowing people to log in using either an Email or Username is a security weakness?

    (I think the more choices and flexibility you offer the better - to a point.)


    I just would argue to ensure that you allow them to create a username, and that is the identifiable point for your site - otherwise you'll have made your site a prime email harvesting point, which will make it very difficult to get users.
    As mentioned above, people register and log in with an Email/Password, but when they are logged in, they are identified purely by Username. (So unless my database gets hacked, there is no way to ever know other users' Emails.)

    Sincerely,


    Debbie

  8. #8
    DaveMaxwell
    Quote Originally Posted by DoubleDee:
    Do you agree with ForceFlow that allowing people to log in using either an Email or Username is a security weakness?

    (I think the more choices and flexibility you offer the better - to a point.)
    Yes, but his point is if you use email, it should be under https, not straight http. The examples I pointed to all fall under those guidelines.

    Otherwise, someone could put a simple packet sniffer and catch unencrypted email addresses.

    So if you want them to enter email address, you should use https (SSL). If you don't want to use ssl, then use a username login system.

  9. #9
    DoubleDee
    Quote Originally Posted by DaveMaxwell:
    Yes, but his point is if you use email, it should be under https, not straight http. The examples I pointed to all fall under those guidelines.

    Otherwise, someone could put a simple packet sniffer and catch unencrypted email addresses.

    So if you want them to enter email address, you should use https (SSL). If you don't want to use ssl, then use a username login system.
    I read what he said a different way. I thought he was saying that if I used Email for the log in and didn't use Username once they are logged in, then hackers could easily gather people's Emails by searching the site.

    I will *always* use HTTPS/SSL for anything dealing with a User's Account (e.g. Log-In, Profile, Private Messaging, Preferences, etc.)

    But back to the security issue, come to think of it, if you used Username and you identified people by Username - as SP does - then to hack into someone's account, all you need to do is guess the password?! (By using Email to log in, you'd have to already know or correctly guess *both* a valid Email and the corresponding Password, so that makes using Email safer since it is not public knowledge like Username would be...)


    Debbie

  10. #10
    Mat30
    I believe that ForceFlow is quite correct, logically at the very least, that more options for identifiers will increase the probability of one of those valid data being known by people who should not know it.

    My perspective of log-in systems is cautious; perhaps extremely so, but with some justification. I do not like to see any system that accepts a publicly viewable user name (yes, Sitepoint, this includes you) and I am not much more keen on an e-mail address. I use an otherwise undisclosed e-mail address for all sign-up systems, but most people do not.

    Look at the BBC for a slightly better than average example. People can comment below some content, so their user name is visible; but this public nickname can be different from the private ID that one uses to sign in. Unfortunately, it partly undoes this good (for careless users anyway) by also accepting an e-mail address. As I mentioned, most people are not as careful as me, so you can bet that passwords are reused to some extent and e-mail addresses are bandied about freely.

    The best option that you can offer is a private sign-in ID; the next best is an e-mail address, which at least has a chance to be private if people so wish.

  11. #11
    DoubleDee
    Quote Originally Posted by Mat30:
    I believe that ForceFlow is quite correct, logically at the very least, that more options for identifiers will increase the probability of one of those valid data being known by people who should not know it.
    Possibly.


    My perspective of log-in systems is cautious; perhaps extremely so, but with some justification. I do not like to see any system that accepts a publicly viewable user name (yes, Sitepoint, this includes you) and I am not much more keen on an e-mail address. I use an otherwise undisclosed e-mail address for all sign-up systems, but most people do not.
    Ditto.


    Look at the BBC for a slightly better than average example. People can comment below some content, so their user name is visible; but this public nickname can be different from the private ID that one uses to sign in. Unfortunately, it partly undoes this good (for careless users anyway) by also accepting an e-mail address. As I mentioned, most people are not as careful as me, so you can bet that passwords are reused to some extent and e-mail addresses are bandied about freely.
    But I feel I am offering the same approach as the BBC...

    You sign up with your Email/Password which are never disclosed. (And I agree with your "Do not use your main e-mail for such trivia.")

    Then you can choose a Username - which really is the same as the BBC's "Nickname". On my site, this, of course, doesn't have to be identifiable back to the user, just unique in the system.

    If I ever did allow people to log in via Email or Username, then I would logically have to add a "Nickname" as well, so that - in theory - the Email and Username remain private, or at least in the context of the website.

    For now, I think just sticking to Email/Password is the most practical approach.

    Good comments!!

    Sincerely,


    Debbie
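
An added example, not code from any post in this thread, showing the design Debbie describes in posts #9 and #11: accounts are stored with a private e-mail (the login identifier) and a public username (what other users see), and `authenticate` supports the three options from the opening post ("email", "username" or "either"). The in-memory store, the PBKDF2 parameters and the dummy-hash step for unknown identifiers are my assumptions, not anything from the original posts.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str      # private login identifier, never shown to other users
    username: str   # public nickname other users see
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # 100_000 rounds is an assumed work factor; tune it for real hardware.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def new_store() -> dict:
    # Two lookup tables stand in for the unique indexes on "email" and "username".
    return {"by_email": {}, "by_username": {}}


def create_account(store: dict, email: str, username: str, password: str) -> Account:
    email, uname = email.strip().lower(), username.strip().lower()
    if email in store["by_email"] or uname in store["by_username"]:
        raise ValueError("email and username must both be unique")
    salt = os.urandom(16)
    acct = Account(email, username.strip(), salt, hash_password(password, salt))
    store["by_email"][email] = acct
    store["by_username"][uname] = acct
    return acct


# Used when the identifier is unknown, so a miss costs the same hash work as a hit.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("placeholder-not-a-real-password", _DUMMY_SALT)


def authenticate(store: dict, identifier: str, password: str,
                 mode: str = "email") -> Optional[Account]:
    """mode is "email", "username" or "either" (the thread's three options).
    Returns the Account on success, otherwise None: the caller cannot tell an
    unknown identifier from a wrong password, so a public username by itself
    does not reveal which accounts exist."""
    ident = identifier.strip().lower()
    acct = None
    if mode in ("email", "either"):
        acct = store["by_email"].get(ident)
    if acct is None and mode in ("username", "either"):
        acct = store["by_username"].get(ident)
    salt, expected = (acct.salt, acct.pw_hash) if acct else (_DUMMY_SALT, _DUMMY_HASH)
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return acct if ok and acct is not None else None
```

In "either" mode both lookups run, which is the "two avenues" Force Flow mentions; in the default "email" mode a typed username is simply an unknown identifier.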

