Login by e-mail or username

Posted: Sun Jul 14, 2013 8:28 pm
by robra
There is the Prime Login via E-Mail MOD, but it would be very useful if this were native to phpBB. The user could log in by username or by the e-mail address they registered with. It is easier to forget the username than the e-mail address.

Thanks. ;)

Re: Login by e-mail or username

Posted: Mon Jul 15, 2013 6:32 pm
by brunoais
In order for this to be implemented, the option in which different users may have the same e-mail should automatically be disabled or removed altogether from phpBB.

Re: Login by e-mail or username

Posted: Mon Jul 15, 2013 6:48 pm
by nickvergessen
Or the user has to use the username when he has multiple accounts with the same address...

Also, removing the feature does not help; multi-accounts may still exist after the update ;)

Re: Login by e-mail or username

Posted: Tue Jul 16, 2013 4:08 am
by imkingdavid
An alternative to removing, disabling, etc. either feature based on a user having or not having multiple accounts would be to do one or both of the following:
1) Link accounts - when a user logs in with the email address, he or she may choose the username he or she wishes to use, and (optionally) may be allowed to easily switch to another linked username at any time.
2) Determine the account based on the password - This would assume that the user is using a different password for each account. We could require that if the email address is the same the password must be different from the one used on all other accounts.

Re: Login by e-mail or username

Posted: Tue Jul 16, 2013 5:30 pm
by brunoais
Yep, that's a good idea, imkingdavid.

Re: Login by e-mail or username

Posted: Tue Jul 16, 2013 6:31 pm
by Hardolaf
I don't think that imkingdavid's second suggestion would be too difficult to implement. However, I do see issues arising where there may be the same password used for the two or more accounts belonging to the same e-mail address.

The first suggestion he brought up might take significantly longer to implement.

Edit: Back to the second suggestion, there is also the possibility of hash collision which could theoretically allow someone to log into the wrong account using this system.

Re: Login by e-mail or username

Posted: Tue Jul 23, 2013 9:24 am
by farrington
I like imkingdavid's first idea for an add-on.

Re: Login by e-mail or username

Posted: Sat Aug 03, 2013 2:35 pm
by AmigoJack
-1

Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success. There should be at least a combobox / two radiobuttons so the user himself has to choose if what he enters is the e-mail address or the username.

Checking for same passwords can turn out to be impossible, as phpBB already built in a mechanism to avoid producing same hashes for same passwords from different users (that means Bob's password "one" will produce another hash than Alice's password "one").
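
Added example, not part of the thread and not phpBB code: a Python sketch of the "determine the account based on the password" idea with per-account salts, where stored hashes differ even for equal passwords, so the submitted password is verified against each account behind the address. PBKDF2, the iteration count, the `login` function, its status strings and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # assumed work factor for this sketch

def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_user(username, email, password):
    salt = os.urandom(16)  # per-account salt: equal passwords, unequal hashes
    return {"username": username, "email": email.lower(),
            "salt": salt, "digest": _digest(password, salt)}

def verify(user, password):
    return hmac.compare_digest(_digest(password, user["salt"]), user["digest"])

# Constructed sample accounts; each address is shared by two accounts.
USERS = [
    make_user("alice", "alice@example.com", "one"),
    make_user("alice_alt", "alice@example.com", "two"),
    make_user("bob", "bob@example.com", "one"),
    make_user("bob_alt", "bob@example.com", "one"),
]

def login(identifier, password):
    """Return (username, status); status is 'ok', 'ambiguous' or 'failed'."""
    ident = identifier.strip().lower()
    # A username match wins; otherwise treat the input as an e-mail address.
    candidates = ([u for u in USERS if u["username"].lower() == ident]
                  or [u for u in USERS if u["email"] == ident])
    # Stored hashes cannot be compared with each other, but the submitted
    # password can be verified against every candidate's own salt.
    matches = [u for u in candidates if verify(u, password)]
    if len(matches) == 1:
        return matches[0]["username"], "ok"
    if len(matches) > 1:
        # Same password on several accounts behind one address:
        # refuse to guess and make the user log in by username.
        return None, "ambiguous"
    return None, "failed"  # same answer for unknown identifier or bad password
```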

Re: Login by e-mail or username

Posted: Sat Aug 03, 2013 2:44 pm
by Arty
AmigoJack wrote: Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success.
That is incorrect. How many people are using an email address as their username? Close to none. If someone wanted to brute force, he would do that by either username or email, not both.

Re: Login by e-mail or username

Posted: Sat Aug 03, 2013 2:46 pm
by AmigoJack
Arty wrote: email address as their username
Not the address as name - the address instead of the name.

Re: Login by e-mail or username

Posted: Sat Aug 03, 2013 2:49 pm
by Arty
AmigoJack wrote:
Arty wrote: email address as their username
Not the address as name - the address instead of the name.
And how does that double chances of brute forcing? Usernames are already known to all visitors, there is nothing to guess. Bots that are stupid enough not to check users list before brute forcing have higher chance of guessing someone's username than email address because usernames are generally much shorter.

Re: Login by e-mail or username

Posted: Sat Aug 03, 2013 4:54 pm
by AmigoJack
Arty wrote: Usernames are already known to all visitors
Not if you disallow everything to guests. The chances double because you will succeed with name or address. Think of it as one pair (name+pass) being granted as well as another (address+pass) - we are raising alternatives to login while they still use one unique component.

While I might not know all usernames of my enemies everywhere, I most supposedly know their e-mail addresses - so you make it easier for me.

Re: Login by e-mail or username

Posted: Sun Aug 04, 2013 11:38 pm
by callumacrae
Why would anyone brute force the username field?

Re: Login by e-mail or username

Posted: Mon Aug 05, 2013 6:52 am
by AmigoJack
That's irrelevant - it happens already and thanks to (augmented) logs I see all login tries to unknown accounts and their names shift by either the last characters or by making an e-mail address of it (won't publicly list all those tries here).