Login by e-mail or username

https://www.phpbb.com/ideas/
Post Reply
User avatar
robra
Registered User
Posts: 147
Joined: Thu Dec 09, 2010 2:09 am
Location: Brazil

Login by e-mail or username

Post by robra » Sun Jul 14, 2013 8:28 pm

It has the Prime Login via E-Mail MOD but is will be very useful if it is native of phpBB. The user could log by username ou your e-mail address of your register. Is more easier forget the username that the e-mail address.

Thanks. ;)

----------

View idea at: Login by e-mail or username

Posted by robra

brunoais
QA Team
Posts: 418
Joined: Wed Jun 18, 2008 10:50 am

Re: Login by e-mail or username

Post by brunoais » Mon Jul 15, 2013 6:32 pm

In order for this to be implemented, the option in which different users may have the same e-mail should automatically be disabled or removed altogether from phpBB.

User avatar
nickvergessen
Former Team Member
Posts: 4397
Joined: Mon Apr 30, 2007 5:33 pm
Location: Stuttgart, Germany
Name: Joas Schilling
Contact:

Re: Login by e-mail or username

Post by nickvergessen » Mon Jul 15, 2013 6:48 pm

Or the user has to use the username when he has multiple accounts with the same address...

Also removing the feature, does not help, multi-accounts may still exist after the update ;)
No Support via PM

User avatar
imkingdavid
Former Team Member
Posts: 2667
Joined: Sun Jul 26, 2009 7:59 pm
Location: EST
Name: David King

Re: Login by e-mail or username

Post by imkingdavid » Tue Jul 16, 2013 4:08 am

An alternative to removing, disabling, etc. either feature based on a user having or not having multiple accounts would be to do one or both of the following:
1) Link accounts - when a user logs in with the email address, he or she may choose the username he or she wishes to use, and (optionally) may be allowed to easily switch to another linked username at any time.
2) Determine the account based on the password - This would assume that the user is using a different password for each account. We could require that if the email address is the same the password must be different from the one used on all other accounts.
Don't forget to smile today. :)
Please do NOT contact for support via PM or email.
Remember, the enemy's gate is down.

brunoais
QA Team
Posts: 418
Joined: Wed Jun 18, 2008 10:50 am

Re: Login by e-mail or username

Post by brunoais » Tue Jul 16, 2013 5:30 pm

Yep, that's a good idea, iimkingdavid

Hardolaf
Google Summer of Code Student
Posts: 10
Joined: Sat Mar 31, 2012 11:01 pm
Name: Joseph Warner

Re: Login by e-mail or username

Post by Hardolaf » Tue Jul 16, 2013 6:31 pm

I don't think that imkingdavid's second suggestion would be too difficult to implement. However, I do see issues arising where there may be the same password used for the two or more accounts belonging to the same e-mail address.

The first suggestion he brought up might take significantly longer to implement.

Edit: Back to the second suggestion, there is also the possibility of hash collision which could theoretically allow someone to log into the wrong account using this system.

farrington
Registered User
Posts: 18
Joined: Wed May 16, 2007 6:23 am
Location: Skövde, Sweden
Name: Marcus Farrington
Contact:

Re: Login by e-mail or username

Post by farrington » Tue Jul 23, 2013 9:24 am

I like iamkingdavid's first idea for an add-on.

User avatar
AmigoJack
Registered User
Posts: 5571
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Login by e-mail or username

Post by AmigoJack » Sat Aug 03, 2013 2:35 pm

-1

Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success. There should be at least a combobox / two radiobuttons so the user himself has to choose if what he enters is the e-mail address or the username.

Checking for same passwords can turn out to be impossible, as phpBB already built in a mechanism to avoid producing same hashes for same passwords from different users (that means Bob's password "one" will produce another hash than Alice's password "one").
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin
Contact:

Re: Login by e-mail or username

Post by Arty » Sat Aug 03, 2013 2:44 pm

AmigoJack wrote:Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success.
That is incorrect. How many people are using email address as their username? Close to none. If someone would want to brute force he will do that by ether user name or email, not both.
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework

User avatar
AmigoJack
Registered User
Posts: 5571
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Login by e-mail or username

Post by AmigoJack » Sat Aug 03, 2013 2:46 pm

Arty wrote:email address as their username
Not the address as name - the address instead of the name.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
Arty
Former Team Member
Posts: 16654
Joined: Wed Mar 06, 2002 2:36 pm
Name: Vjacheslav Trushkin
Contact:

Re: Login by e-mail or username

Post by Arty » Sat Aug 03, 2013 2:49 pm

AmigoJack wrote:
Arty wrote:email address as their username
Not the address as name - the address instead of the name.
And how does that double chances of brute forcing? Usernames are already known to all visitors, there is nothing to guess. Bots that are stupid enough not to check users list before brute forcing have higher chance of guessing someone's username than email address because usernames are generally much shorter.
Vjacheslav Trushkin / Arty.
Free phpBB 3.1 styles | New project: Iconify - modern SVG framework

User avatar
AmigoJack
Registered User
Posts: 5571
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Login by e-mail or username

Post by AmigoJack » Sat Aug 03, 2013 4:54 pm

Arty wrote:Usernames are already known to all visitors
Not if you disallow everything to guests. The chances double because you will succeed with name or address. Think of it as one pair (name+pass) is granted aswell as another (address+pass) - we are raising alternatives to login while they still use one unique component.

While I might not know all usernames of my enemies everywhere, I most supposely know their e-mail addresses - so you make it easier for me.
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

User avatar
callumacrae
Former Team Member
Posts: 2662
Joined: Tue Feb 12, 2008 12:28 pm
Location: London, UK
Name: Callum Macrae
Contact:

Re: Login by e-mail or username

Post by callumacrae » Sun Aug 04, 2013 11:38 pm

Why would anyone brute force the username field?
macr.ae = my website. you probably won't like it.
Proud user ofProud user of

User avatar
AmigoJack
Registered User
Posts: 5571
Joined: Tue Jun 15, 2010 11:33 am
Location: グリーン ヒル ゾーン
Contact:

Re: Login by e-mail or username

Post by AmigoJack » Mon Aug 05, 2013 6:52 am

That's irrelevant - it happens already and thanks to (augmented) logs I see all login tries to unknown accounts and their names shift by either the last characters or by making an e-mail address of it (won't publically list all those tries here).
The worst thing about censorship is ███████████
Affin wrote:
Tue Nov 20, 2018 9:51 am
The problem is probably not my English but you do not want to understand correctly.
...
We will not come anybody anyway, nevertheless, it's best to shit this.

Post Reply

Return to “phpBB Ideas”