Login by e-mail or username

robra · Post by **robra** » Sun Jul 14, 2013 8:28 pm

It has the Prime Login via E-Mail MOD but is will be very useful if it is native of phpBB. The user could log by username ou your e-mail address of your register. Is more easier forget the username that the e-mail address.

Thanks.

brunoais · Post by **brunoais** » Mon Jul 15, 2013 6:32 pm

In order for this to be implemented, the option in which different users may have the same e-mail should automatically be disabled or removed altogether from phpBB.

nickvergessen · Post by **nickvergessen** » Mon Jul 15, 2013 6:48 pm

Or the user has to use the username when he has multiple accounts with the same address...

Also removing the feature, does not help, multi-accounts may still exist after the update

imkingdavid · Post by **imkingdavid** » Tue Jul 16, 2013 4:08 am

An alternative to removing, disabling, etc. either feature based on a user having or not having multiple accounts would be to do one or both of the following:
1) Link accounts - when a user logs in with the email address, he or she may choose the username he or she wishes to use, and (optionally) may be allowed to easily switch to another linked username at any time.
2) Determine the account based on the password - This would assume that the user is using a different password for each account. We could require that if the email address is the same the password must be different from the one used on all other accounts.

brunoais · Post by **brunoais** » Tue Jul 16, 2013 5:30 pm

Yep, that's a good idea, iimkingdavid

Hardolaf · Post by **Hardolaf** » Tue Jul 16, 2013 6:31 pm

I don't think that imkingdavid's second suggestion would be too difficult to implement. However, I do see issues arising where there may be the same password used for the two or more accounts belonging to the same e-mail address.

The first suggestion he brought up might take significantly longer to implement.

Edit: Back to the second suggestion, there is also the possibility of hash collision which could theoretically allow someone to log into the wrong account using this system.

farrington · Post by **farrington** » Tue Jul 23, 2013 9:24 am

I like iamkingdavid's first idea for an add-on.

AmigoJack · Post by **AmigoJack** » Sat Aug 03, 2013 2:35 pm

-1

Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success. There should be at least a combobox / two radiobuttons so the user himself has to choose if what he enters is the e-mail address or the username.

Checking for same passwords can turn out to be impossible, as phpBB already built in a mechanism to avoid producing same hashes for same passwords from different users (that means Bob's password "one" will produce another hash than Alice's password "one").

Arty · Post by **Arty** » Sat Aug 03, 2013 2:44 pm

AmigoJack wrote:Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success.

That is incorrect. How many people are using email address as their username? Close to none. If someone would want to brute force he will do that by ether user name or email, not both.

AmigoJack · Post by **AmigoJack** » Sat Aug 03, 2013 2:46 pm

Arty wrote:email address as their username

Not the address as name - the address instead of the name.

Arty · Post by **Arty** » Sat Aug 03, 2013 2:49 pm

AmigoJack wrote:
Arty wrote:email address as their username
Not the address as name - the address instead of the name.

And how does that double chances of brute forcing? Usernames are already known to all visitors, there is nothing to guess. Bots that are stupid enough not to check users list before brute forcing have higher chance of guessing someone's username than email address because usernames are generally much shorter.

AmigoJack · Post by **AmigoJack** » Sat Aug 03, 2013 4:54 pm

Arty wrote:Usernames are already known to all visitors

Not if you disallow everything to guests. The chances double because you will succeed with name or address. Think of it as one pair (name+pass) is granted aswell as another (address+pass) - we are raising alternatives to login while they still use one unique component.

While I might not know all usernames of my enemies everywhere, I most supposely know their e-mail addresses - so you make it easier for me.

callumacrae · Post by **callumacrae** » Sun Aug 04, 2013 11:38 pm

Why would anyone brute force the username field?

AmigoJack · Post by **AmigoJack** » Mon Aug 05, 2013 6:52 am

That's irrelevant - it happens already and thanks to (augmented) logs I see all login tries to unknown accounts and their names shift by either the last characters or by making an e-mail address of it (won't publically list all those tries here).

Deactivated 1950056 · Thu Dec 16, 2021 11:22 pm

It does make sense if someone lost their username and having control of the email associated with the account is proof of ownership.

Votes

Status