
email vs username for login

Posted: Wed Aug 25, 2010 4:55 am
by yacahuma
I have seen many websites moving to email as username. I would think using email is less secure since many people may know your email. So it is one less thing to figure out. Does anyone know what is suggested between email vs username? But then again, people forget usernames all the time.

Thank you

Re: email vs username for login

Posted: Thu Aug 26, 2010 9:38 am
by Bind
Actually a better protection against privacy violations (spamming emails) and attempted account hacking/cracking is to use their email as the login id AND have a 'named alias' representing them on any output in the application.

Since their email address would not be publicly visible to anyone anywhere on the site, unless it was the actual user logged into their account management page, no one would know it to try and spam them or hack/crack into their account because they are represented by the 'named alias', which would not allow a login nor lead anyone to their email address.

Re: email vs username for login

Posted: Thu Aug 26, 2010 10:26 am
by yacahuma
My concern was not about spamming, but more as to whether using an email to log in to an application was less secure than using a username.

In this case, the application does not share information with others (not a forum), so spamming is not an issue.

thank you

Re: email vs username for login

Posted: Fri Aug 27, 2010 12:58 am
by MindOverBody
I think it is more a matter of trend than security. It's on Facebook, it's everywhere. Monkey see, monkey do :D
It looks more professional/business... dunno... correct me if I'm wrong :D

Re: email vs username for login

Posted: Mon Aug 30, 2010 5:29 am
by social_experiment
My opinion is along the lines of what yacahuma is saying. It's a lot less secure than having an unknown username AND unknown password. The problem deepens when a user chooses to use part of their email address (before the '@') as a password. Now you have the username as well as the password known, and that is probably the first or second combination a potential attacker tries when guessing your login details.

I think a big obstacle here is that users don't always use the same workstation to log onto their preferred applications. If they did you might try getting their hostname or IP address, and I think even try setting a cookie on successful logout so you can check it again when the user tries to log in.

Username and password security / management is as much the user's responsibility as it is the developer's. Even if you develop the most secure login setup it is rendered useless when passwords (and usernames) are easy to guess or written down for others to see.

Re: email vs username for login

Posted: Mon Aug 30, 2010 3:05 pm
by greyhoundcode
It's an interesting problem.

At my current place of work I am forced to choose (by all in house applications, of which there are many) passwords that must contain a minimum and maximum number of characters (bizarrely, quite a low maximum number), and there must be at least 1 uppercase, 1 lowercase, 1 number, 1 symbol. These must be replaced monthly, and it is impossible to revert to a previous password.

The problem (IMHO) being that it forgets the human dimension. Security overkill by the applications means that to a man we jot down our many passwords on paper somewhere, sometimes more than once.

Any hoo ... enough grumbling and moaning ... personally I like the idea of signing in with email+password, but having a screen-name that is divorced from the email address.

Re: email vs username for login

Posted: Tue Aug 31, 2010 3:09 am
by timWebUK
It makes no difference to security if the email or username isn't displayed anywhere. It comes down to both the login name and password being kept as secret as one another, i.e., if you log in to an application, do not share your login credentials anywhere on that site.

I think it was Chris Shiflett who compared it to a front door lock and a porch lock, you wouldn't just lock one and leave the key to the other anywhere.

Re: email vs username for login

Posted: Tue Aug 31, 2010 12:31 pm
by shawngoldw
timWebUK wrote:It makes no difference to security if the email or username isn't displayed anywhere. It comes down to both the login name and password should be kept as secret as one another, i.e, if you login to an application, do not share your login credentials anywhere on that site.
But if someone were to try to attack you personally, it does not matter if your email is displayed on the site. They can get it fairly easily.

Re: email vs username for login

Posted: Wed Sep 01, 2010 1:44 am
by social_experiment
shawngoldw wrote:They can get it fairly easily.
A simple email which has been forwarded and CC'ed a few times is a list of potential usernames. Even easier, if your browser remembers what you enter into text inputs any person sitting down using the workstation will already have your username (and email address).

Re: email vs username for login

Posted: Wed Sep 01, 2010 5:43 am
by MindOverBody
Using email instead of username on login and not showing the email on the website is safer than using just a username. But not much safer. A strong password is crucial.

Re: email vs username for login

Posted: Wed Sep 01, 2010 6:25 am
by social_experiment
MindOverBody wrote:Using email instead of username on login and not showing email on website is safer than using just username. But not much safer.
Using an email address as a username is a lot less secure than using a non-email-based username. At best, even if you have chosen a username such as 'myRealName' it is a lot harder to check for (and guess) than an email address.

As per a previous post when you have an unknown password and an unknown username an attacker has 2 unknowns to crack, maybe it won't stop your account from being accessed by a determined cracker but it could see off attempts by the average malicious user / work colleague.

Re: email vs username for login

Posted: Wed Sep 01, 2010 1:07 pm
by yacahuma
Thank you all for your comment.

A hacker could always get a username on a system but will never know the true user.
A hacker with an email and the intention to hack a particular person will most likely try to hack the email itself (IMHO), but I am no hacker.

So I think usernames are safer in the end.

For forums and blogs I will use email, just because it is easier to remember. For sites with financial or personal information I will use username.


Thank you.

Re: email vs username for login

Posted: Wed Sep 01, 2010 2:44 pm
by shawngoldw
yacahuma wrote:For forums and blogs I will use email, just because is easier to remember. For site with financial or personal information I will use username.
I really don't think that using a username over an email should be used for a sense of security. I think it is better to just pick the one more appropriate for the task.

For a forum or blog the person is going to need a username, so you might as well have them login with it. For a site with financial or personal information, I think it should be something more personal. For instance when you go to log onto your bank you use your bank card number. If the site is holding personal information, it is just more natural to log in with personal information, such as email. Whereas in the blog where it is impersonal and people see your username it is more appropriate to use the more impersonal username.

Just my 2 cents :D There are no rules for this stuff.


Shawn

Re: email vs username for login

Posted: Thu Sep 02, 2010 3:25 am
by timWebUK
It's not using one or the other for a sense of security. It is using both.

The ID you login with should not be displayed on the website. For example, signing up to this forum should allow entry for a username, then a display name. Whether the username is an email or just a word doesn't matter - so long as it isn't displayed. That is when security is involved.

Re: email vs username for login

Posted: Thu Sep 02, 2010 5:15 am
by Mordred
I strongly agree with timWebUK here (and I can swear I had already written in this thread ... maybe the submit failed without me noticing it, damn).

In short, my security research shows something the published password security articles seem to miss; this is an old result, from 3-4 years ago, formally unpublished, but I've written about it in an old article here:

It is not wise to display usernames (like phpbb for example does in its "members" page). Note that one can still "fish" for usernames by trying to register them to see if they are taken, but this is not hard to mitigate with captcha and other forms of registration attempt throttling.
Mordred wrote: 5. Usernames are one half of the username/password combo required for login. I haven't yet seen a security system that readily displays a user's password, but many of those I've seen happily show usernames to the public in forum threads, private messages, member profiles, etc. Do you know which is the most popular password? No, not 123456, it comes a distant second. The most popular choice is to have your username as a password. Of course you need to display some id of the user to the other users of the system, so use a separate "Display name" column, and either strongly warn or enforce the user to choose a display name different from his username.
(From here)