Oyabun1 wrote: Referring to a userID is confusing because phpBB already has a user_id. Using the term login-name may be better.
Thanks for this suggestion; I'll adopt this term.
John P wrote: I really like this idea, but it should be possible to log in with userid or username (nick).
The term userid is not correct, I think.
I don't agree with this, because if it were possible to use both to log in, my proposal would become pointless.
d) Why not just use the email address? It's not public, right? (or it shouldn't be)
I don't agree with this either, because if someone gives out his/her email address privately, or publishes it somewhere so that it is not secret, then in that way my proposal becomes meaningless too.
b) People will just choose the same userID and nickname, and will get annoyed if you force them to be different
Well... it might be... but the security is improved... and anyway they have to write them just once, when they register, and they have to remember (or write down) just the login and the password, which is two words, like it is now: now they have to remember (or write down) the nick and the password, so users do not need to use more "memory" in their "brain" than now, because they will have two things to remember or write down, as they do now.
c) Textbook security through obscurity?
Sorry, I'm ignorant in this matter; what's that?
From some responses in the topic it seems to me that my proposal is not completely clear to some responders. Sorry if my English is not perfect. I will try harder to explain its concept better, hoping it helps: at the moment the nickname is used for login and at the same time it appears publicly alongside every post, so it is universally known.
So if a cracker attempts an attack, he has to discover only the password, because the nick is known. So a brute-force attack, for example, will succeed in a certain time I'll call T1.
My proposal aims to protect all user login data [login and pass], keeping this pair secret and not public. This is because my basic idea has:
- Only the Username | Nickname is public, and it cannot be used for login;
- The loginID | login-name is private and top secret; only the owner knows it, as with the password.
So with my idea, if the cracker attempts to discover the access to the account, he has to discover both secret words [login and pass]: discovering a combination of two secret words is much more difficult than discovering only one. I call this time T2. Because T2 > T1, I think my method is more secure than the one now in use.
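The scheme described in the post above, as an added example in Python (not phpBB code and not the poster's own): a public nickname that cannot be used to log in, a private login-name that must differ from it, and a login check that only succeeds when both secrets are correct. The in-memory user store, the PBKDF2 parameters and the `login_attempts` / `search_space` helpers are assumptions for illustration; the helpers count the guesses an online brute-force attacker faces, which is what T1 and T2 are proportional to.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for this example (not phpBB's schema).
# Key: the private login-name. Value: public nickname, salt and password hash.
_USERS = {}

_ITERATIONS = 100_000  # PBKDF2 work factor, chosen for the example

# A dummy record so that a lookup of an unknown login-name does the same
# amount of hashing work as a lookup of a real one. Without this, response
# time would tell an attacker whether a guessed login-name exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", os.urandom(16), _DUMMY_SALT, _ITERATIONS)


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, _ITERATIONS)


def register(nickname, login_name, password):
    """Create an account. The nickname is public (shown on every post); the
    login-name is private and, as the proposal requires, must differ from it."""
    if nickname == login_name:
        raise ValueError("login-name must differ from the public nickname")
    if login_name in _USERS:
        raise ValueError("login-name already taken")
    salt = os.urandom(16)
    _USERS[login_name] = {
        "nickname": nickname,
        "salt": salt,
        "hash": _hash_password(password, salt),
    }


def authenticate(login_name, password):
    """Return True only if both secrets match.

    An unknown login-name and a wrong password give the same result and cost
    the same work, so an attacker cannot first confirm the login-name and then
    attack only the password (which would bring the search back down to T1).
    """
    record = _USERS.get(login_name)
    if record is None:
        salt, expected = _DUMMY_SALT, _DUMMY_HASH
    else:
        salt, expected = record["salt"], record["hash"]
    candidate = _hash_password(password, salt)
    ok = hmac.compare_digest(candidate, expected)
    return ok and record is not None


def search_space(alphabet_size, length):
    """Number of candidate strings of the given length over the alphabet."""
    return alphabet_size ** length


def login_attempts(password_space, login_name_space=1):
    """Guesses an online brute-force attacker must make in the worst case.

    With the nickname public, only the password is unknown: T1 is proportional
    to password_space. With a secret login-name, the pair is unknown: T2 is
    proportional to password_space * login_name_space.
    """
    return password_space * login_name_space


if __name__ == "__main__":
    # Constructed sample account: public nick "JohnP", private login-name.
    register("JohnP", "jp-private-login", "correct horse battery")
    print(authenticate("jp-private-login", "correct horse battery"))  # True
    print(authenticate("JohnP", "correct horse battery"))  # False: nick cannot log in
    t1 = login_attempts(search_space(26, 8))
    t2 = login_attempts(search_space(26, 8), search_space(26, 8))
    print(t1, t2, t2 > t1)
```

The part of this that matters in practice is `authenticate`: the argument that T2 is larger than T1 only holds if the server never reveals, through its error message or its response time, whether the login-name on its own was right. Any difference between "no such login-name" and "wrong password" lets an attacker split the problem into two smaller searches.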