That is incorrect. How many people are using email address as their username? Close to none. If someone would want to brute force he will do that by ether user name or email, not both.AmigoJack wrote:Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success.
Not the address as name - the address instead of the name.Arty wrote:email address as their username
And how does that double chances of brute forcing? Usernames are already known to all visitors, there is nothing to guess. Bots that are stupid enough not to check users list before brute forcing have higher chance of guessing someone's username than email address because usernames are generally much shorter.AmigoJack wrote:Not the address as name - the address instead of the name.Arty wrote:email address as their username
Not if you disallow everything to guests. The chances double because you will succeed with name or address. Think of it as one pair (name+pass) is granted aswell as another (address+pass) - we are raising alternatives to login while they still use one unique component.Arty wrote:Usernames are already known to all visitors