
Usernames: why?


XTF


I think you should be able to use both, not one or the other. I'm sure some members who forget their username just give up, especially if they don't use their old email anymore; it's a member left. But if email logins were allowed alongside usernames, then it's not all lost and it could be a member saved.


> I think you should be able to use both, not one or the other. I'm sure some members who forget their username just give up, especially if they don't use their old email anymore; it's a member left. But if email logins were allowed alongside usernames, then it's not all lost and it could be a member saved.

That's already an option within the software. The original question was why are usernames still used, as though usernames have no use whatsoever when quite the opposite is true.


No, it's not my problem, it's a winning point. Your problem is that you're adding in something that wasn't originally there. Where is the | coming from and why? You're adding in variables that didn't exist.

It's not a variable, it's a separator. It's still one field, isn't it? You claimed two fields were more secure than one (combined) field. Why would a separator not be allowed in such a combined field?

> It's not a variable, it's a separator. It's still one field, isn't it? You claimed two fields were more secure than one (combined) field. Why would a separator not be allowed in such a combined field?

You're altering the contents by adding it. A 'variable' isn't always a reference to storing values. Where did it come from? When combining the two fields, nothing additional should be added. You're trying to change stuff around while arguing a point that you already lost and you can't seem to see it.

> You're altering the contents by adding it. A 'variable' isn't always a reference to storing values. Where did it come from? When combining the two fields, nothing additional should be added.

Where did that 'rule' come from? Wasn't part of your original claim.
Anyway, you seem more interested in 'winning' a childish fight than in a constructive discussion. Peace out.

> Where did that 'rule' come from? Wasn't part of your original claim.
> Anyway, you seem more interested in 'winning' a childish fight than in a constructive discussion. Peace out.

I've been providing information, references, facts and such to help you grasp the concept that you are so determined to miss. You keep trying to change things around, avoid obviously accurate details and attempt to twist things in a different direction when it doesn't go your way. I'm not interested in 'winning'; my interest is in helping you see how having a user ID can indeed improve the security of an account. By the way, 'winning' would imply that I could be mistaken, and I assure you, I'm not mistaken, not about this. I know that may sound arrogant and whatever else, but it's the truth. If you still think that you're right, then go find a site that deals in computer security and talk to them about it. If you give them the correct details of this discussion, then they will tell you the same thing I'm telling you... a user ID can indeed provide more security for an account, when that user ID is not known to someone attempting to hack that account.

I am sure like many other sites, IPB will soon switch to email only. It seems to be the common way of doing things now.

By using email only, it also encourages members to keep their email address up to date.

I don't want IPB to switch to e-mail only. You can already use an e-mail address to log in if you prefer, that's how it should remain: an option.


Because I don't want to be forced one way or another into using just usernames or e-mails. There are some message boards that I prefer to use an e-mail address on, others that I use a username for. I like having the choice.

The choice and the option for additional security. :)


I'll address security at the end of this post because I feel the back-and-forth I've skimmed through so far is either missing the point or is making some false assumptions (again, just skimmed through it, so don't ask me for validity of those two claims because I can't provide any).

For me, I absolutely hate typing my email address if I can avoid it, because it involves extra unnecessary typing. Because of this, the ability to log in via username is far more convenient. Additionally, I may decide for some reason to change email addresses in the future but I am confident that I will not give up my current username, which I use everywhere I go when it is still open. However, there may be valid reasons for forcing email address logins only as well as valid reasons for forcing username logins only. I'd say the responsibility is on the board's administrator to choose what option makes the most sense for whatever community they are running:
1. I would choose usernames only if I was not requiring users to enter an email address as part of the registration process (don't think this situation is possible in IPB, but other software packages like MediaWiki do not require any email address at all -- try signing up on Wikipedia for example and notice how the field is optional). This option gives users the privacy of keeping their email address away from the board's administrators, and I as a user would prefer this option on any site where I'm forced to register to do X but otherwise have no interest in the community.
2. I would choose email addresses only if I was running an environment where there is some additional stigma tied to that email address -- for example company employees or some external account information. As a user, whenever I type in my email address to log into something I feel more personally attached to it (however that may manifest) than if I can type some other more anonymous identifier for myself, and as such only would log into sites requiring me to type my email if I was personally invested in the community or if I had some form of business relationship (partner, customer, employee, whatever) with the site I was logging into.
3. I would give the user the option of choice in every other situation (e.g. log in with either username or email address) as other people think differently than I do and I don't want to restrict them into a certain mindset due to their preconceptions of a particular login method. Just because I associate email address logins with "this is serious business" doesn't mean that everyone else does; their preconceptions may be entirely antithetical to mine.

Regarding account security, obviously if the person knows your username/email they have a much better chance of breaking into your account than if they did not (the attack surface is reduced to password instead of username+password). However, there are many ways to mitigate this, many of which IPB already implements:
1. Allow for entering a different display name upon signup. That way your actual username/email is never displayed publicly at all.
2. Ensure that every public facing thing uses the display name instead of username, this includes profile URLs.
3. Have a brute force detection mechanism on login, so any would-be attacker would have a much harder time of breaking into an account. Brute-force detection would ideally be both username-based as well as IP-based, so a botnet cannot simultaneously break into one account while a single computer cannot attempt to break into multiple different accounts.
4. Have your error message be as generic as possible. Regardless of whether the username actually exists, display "Username or Password invalid". That way the attackers cannot determine what is and what is not a valid username just by looking at error messages.
5. The onus is still on the user to use a strong password that is unique to the site. Regardless of the above mechanisms, if an attacker can very easily guess your password or was able to get access to the password you use on multiple sites by exploiting a less-secure site/service, your account is insecure.


> 3. I would give the user the option of choice in every other situation (e.g. log in with either username or email address) as other people think differently than I do and I don't want to restrict them into a certain mindset due to their preconceptions of a particular login method. Just because I associate email address logins with "this is serious business" doesn't mean that everyone else does; their preconceptions may be entirely antithetical to mine.

I think having the option is good in the sense that it lets the user choose their way of signing in, but bad in that it gives hackers an extra option for hacking an account. One of those give & take deals, although if they know the person's email address, then odds are they have some knowledge of that person and that might help in narrowing down who did it. (Not necessarily, just a possibility.)

> Regarding account security, obviously if the person knows your username/email they have a much better chance of breaking into your account than if they did not (the attack surface is reduced to password instead of username+password).

Exactly. If you have to solve for two values, and both have to be correct, then it's harder. It's like trying to unlock two combination locks, where you have to get them both right in order to open them. Not one then the other.

> However, there are many ways to mitigate this, many of which IPB already implements:
> 1. Allow for entering a different display name upon signup. That way your actual username/email is never displayed publicly at all.
> 2. Ensure that every public facing thing uses the display name instead of username, this includes profile URLs.
> 3. Have a brute force detection mechanism on login, so any would-be attacker would have a much harder time of breaking into an account. Brute-force detection would ideally be both username-based as well as IP-based, so a botnet cannot simultaneously break into one account while a single computer cannot attempt to break into multiple different accounts.
> 4. Have your error message be as generic as possible. Regardless of whether the username actually exists, display "Username or Password invalid". That way the attackers cannot determine what is and what is not a valid username just by looking at error messages.
> 5. The onus is still on the user to use a strong password that is unique to the site. Regardless of the above mechanisms, if an attacker can very easily guess your password or was able to get access to the password you use on multiple sites by exploiting a less-secure site/service, your account is insecure.

1. Not really. It used to be an option but isn't anymore, unless you are creating an account within the ACP. The only way to achieve it now, outside of using a hook to add the functionality during registration, is for the admin to change the sign-in ID in the ACP.

2. I believe there were a few instances early on where the user ID was being provided instead of the display name. Of course, those got reported as bugs and have since been taken care of.

3. The locking of an account can also be used as a tool for annoying someone. If you know a site forces someone to log in after so many hours of inactivity (actually signing in), then if you know their account ID, you could attempt to log in as them, using a password you know would fail (the objective isn't to succeed anyway). Keep it up using a script and they are kept locked out for hours at a time unless they send an email about the issue and it gets investigated.

4. I think the error message alludes to the combination not being valid, without telling you why.

5. I use strong passwords that only I know what they mean. No, not two word combinations or some such nonsense that would be easy to guess. Passwords that have meaning to me so I can remember them, but to anyone else, are nothing more than a bunch of random characters. It's the best kind.

Give me the exact values X and Y represent in the following equations:

X + 2 = 8

X + Y = 8

To put things into perspective, he thinks it's easy to figure out the volume of a rectangular box when only knowing one of the dimensions.


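The following is an added worked example, not code from the thread or from IPS's software. It ties together items 3 and 4 of the mitigation list quoted above (per-account plus per-IP brute-force throttling, and one generic error message for every failure) with the lockout-as-harassment scenario in point 3 of the reply. The login names, client addresses, limits, window length and PBKDF2 parameters are assumptions chosen for illustration; the user store is constructed inline.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional, Tuple

# Constructed user store for this example: login name -> (salt, PBKDF2 hash).
# The round count is kept low so the example runs quickly; production values
# are far higher.
PBKDF2_ROUNDS = 20_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, _hash(password, salt)


USERS = {"alice_login": _record("correct horse battery staple")}

# Dummy record checked when the login name does not exist, so an unknown name
# costs the same time as a known one (no timing oracle for enumeration).
_DUMMY = _record(os.urandom(16).hex())

# One message for every failure: unknown user, wrong password, or throttled.
GENERIC_ERROR = "Username or password invalid"


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window` seconds."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._events = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window:  # drop attempts outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Throttle by client address (one machine spraying many accounts) and by
# target account (a botnet converging on one account). The per-account window
# is short and expires on its own: someone hammering a known login name with
# junk passwords delays the real owner for at most one window, instead of
# locking the account until an admin investigates.
PER_IP = SlidingWindowLimiter(limit=20, window=60.0)
PER_ACCOUNT = SlidingWindowLimiter(limit=5, window=60.0)


def login(username: str, password: str, client_ip: str,
          now: Optional[float] = None) -> Tuple[bool, str]:
    """Return (success, message). Every failure path yields GENERIC_ERROR."""
    now = time.monotonic() if now is None else now
    if not PER_IP.allow(client_ip, now) or not PER_ACCOUNT.allow(username, now):
        return False, GENERIC_ERROR
    salt, expected = USERS.get(username, _DUMMY)
    # Hash is computed for unknown users too; comparison is constant-time.
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if not matched or username not in USERS:
        return False, GENERIC_ERROR
    return True, "ok"


if __name__ == "__main__":
    # Attacker on 203.0.113.5 knows the login name and sprays wrong passwords.
    for t in range(5):
        print(login("alice_login", f"guess{t}", "203.0.113.5", now=100.0 + t))
    print(login("alice_login", "guess5", "203.0.113.5", now=105.0))  # throttled
    # The owner is delayed inside the window, then admitted once it expires.
    print(login("alice_login", "correct horse battery staple", "198.51.100.7", now=106.0))
    print(login("alice_login", "correct horse battery staple", "198.51.100.7", now=170.0))
```

The throttle deliberately returns the same text as a wrong password, so an attacker cannot use "account locked" responses to confirm that a login name exists. The remaining trade-off is exactly the one the reply raises: inside the window the owner is blocked too, which is why the window is seconds, not hours, and why nothing here requires an admin to unlock anything.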

> Where did that 'rule' come from? Wasn't part of your original claim.
> Anyway, you seem more interested in 'winning' a childish fight than in a constructive discussion. Peace out.

I think you were missing the point in the first place. The point is that in a scenario where display names are not used (i.e. what is displayed is what you log in with), you already know the first part. In the scenario that display names are used you do not know the first part.

So for example. If you know the first already, and for ease let's say it's only a 2 digit password that is allowed and it has to be numeric (yes I know that would be silly lol)

So I know the username for this person is myuser and the password is 2 digits giving me 99 possible combinations.

Now given the display name scenario we don't know what the username is. So let's say there are 6 chars allowed and again has to be numeric. Still with the 2 digit password this gives you 99 possible passwords for 999999 possible usernames giving 98999901 possible combinations.

Now this is only with extremely simplistic values.


> So I know the username for this person is myuser and the password is 2 digits giving me 99 possible combinations.
>
> Now given the display name scenario we don't know what the username is. So let's say there are 6 chars allowed and again has to be numeric. Still with the 2 digit password this gives you 99 possible passwords for 999999 possible usernames giving 98999901 possible combinations.
>
> Now this is only with extremely simplistic values.

With a two digit password, it would be 100 possibilities, not 99. With a six digit user name, it would be 1,000,000 possibilities. So it would be 100,000,000 possible user ID and password combinations.

Weak example (which you admitted to), but you get the concept. I'm wondering if XTF really doesn't get it or if he's just pretending to not get it.


> With a two digit password, it would be 100 possibilities, not 99. With a six digit user name, it would be 1,000,000 possibilities. So it would be 100,000,000 possible user ID and password combinations.
>
> Weak example (which you admitted to), but you get the concept. I'm wondering if XTF really doesn't get it or if he's just pretending to not get it.

Just testing you, and you passed with flying colours ;)

Not sure to be honest m8. Seemed pretty common sense to me

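The 1,000,000 x 100 = 100,000,000 figure above is the product of the two search spaces, and it only holds while the login form refuses to say which half of the pair was wrong. The added Python below (not part of the thread; the numeric name and password spaces, the target account and the two toy login endpoints are constructed at a smaller scale so it runs in about a second) plays a brute-forcing attacker against a form that distinguishes "no such user" from "bad password" and against one that returns a single generic message, and counts the attempts each needs.

```python
import itertools

# Constructed search spaces: 3-digit numeric login names, 2-digit numeric
# passwords (1,000 x 100 = 100,000 pairs). Real spaces are larger; the shape
# of the result is the same.
USERNAMES = [f"{i:03d}" for i in range(1000)]
PASSWORDS = [f"{i:02d}" for i in range(100)]


class LoginOracle:
    """Toy login endpoint that counts attempts.

    leaky=True mirrors a form that answers 'no such user' or 'bad password';
    leaky=False answers the same text for every failure.
    """

    def __init__(self, username: str, password: str, leaky: bool):
        self._user, self._pw, self.leaky = username, password, leaky
        self.attempts = 0

    def try_login(self, username: str, password: str) -> str:
        self.attempts += 1
        if username == self._user and password == self._pw:
            return "ok"
        if self.leaky and username != self._user:
            return "no such user"
        return "bad password"  # the only failure text when not leaky


def attack(oracle: LoginOracle) -> int:
    """Brute-force the (username, password) pair; return attempts used."""
    if oracle.leaky:
        # Phase 1: find the user with one fixed password (cost: |usernames|).
        probe = PASSWORDS[0]
        for user in USERNAMES:
            reply = oracle.try_login(user, probe)
            if reply == "ok":
                return oracle.attempts
            if reply == "bad password":  # username confirmed, stop searching
                break
        else:
            raise RuntimeError("user not found")
        # Phase 2: search only the password space (cost: |passwords|).
        for pw in PASSWORDS[1:]:
            if oracle.try_login(user, pw) == "ok":
                return oracle.attempts
        raise RuntimeError("password not found")
    # No signal about which half is wrong: walk the full cartesian product.
    for user, pw in itertools.product(USERNAMES, PASSWORDS):
        if oracle.try_login(user, pw) == "ok":
            return oracle.attempts
    raise RuntimeError("pair not found")


def compare(username: str = "742", password: str = "57"):
    """Attempts needed against the leaky form vs. the generic-error form."""
    leaky = attack(LoginOracle(username, password, leaky=True))
    generic = attack(LoginOracle(username, password, leaky=False))
    return leaky, generic


if __name__ == "__main__":
    leaky, generic = compare()
    print(f"leaky form: {leaky} attempts, generic form: {generic} attempts")
```

With the leaky form the cost collapses to roughly |usernames| + |passwords| (at worst 1,000 + 100 here), because the attacker solves the two halves one at a time; with the generic form it stays |usernames| x |passwords| (at worst 100,000). That is the concrete reason behind item 4 in the earlier list: the multiplicative benefit of a secret login name exists only as long as nothing on the site, including the error text, the registration form or the password-reset form, tells the attacker whether a given name is taken.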

I actually like logging in with a user name in my forum instead of having to use an e-mail address.

Which means they will probably change it. Such is my luck. >_<

If it were up to me, I would leave it as it is. Whoever wants to use e-mail addresses for their forum can do so and whoever wants to use user names can do so as well. (Just noticed someone from IPS already chimed in with this as well so hopefully it will be left alone :D).


I greatly miss phpBB2 where members could change their username anytime and it would be the same as the name you log in with. IPB you have a display name that can lead to confusion. I sadly don't think enough people will see the folly in that to where change can happen.


IPS used to include the ability to create a login username along with a display username but someone came up with the worst idea possible to remove that feature; even though it's enabled in the ACP, there is no way to enable that feature during the registration process. I even thought that maybe IPS would include a dual login where you would need to enter your login/username along with your email address. Unfortunately, it's far easier for a hacker to find out your email address than they are able to determine your login/username. This is why I don't use the "login email" method because it's too easy for hackers to find out your email address. Not so easy to discover your login username.


> IPS used to include the ability to create a login username along with a display username but someone came up with the worst idea possible to remove that feature; even though it's enabled in the ACP, there is no way to enable that feature during the registration process. I even thought that maybe IPS would include a dual login where you would need to enter your login/username along with your email address. Unfortunately, it's far easier for a hacker to find out your email address than they are able to determine your login/username. This is why I don't use the "login email" method because it's too easy for hackers to find out your email address. Not so easy to discover your login username.

Hacker looks at display name history to find out the first name that was being used, then uses that as the login name. Easier than figuring out someone's email address. Perhaps you should disable the use of usernames as well (effectively disabling the ability to sign in). :lol:


This is why I recommend that the members on my forums request that their login username be edited by an admin on my community rather than using the "user control panel". I have a different login username than my display name, to prevent my account from being hacked.


Archived

This topic is now archived and is closed to further replies.
