Login by e-mail or username

[robra]

It has the Prime Login via E-Mail MOD but is will be very useful if it is native of phpBB. The user could log by username ou your e-mail address of your register. Is more easier forget the username that the e-mail address.

Thanks.

[brunoais]

In order for this to be implemented, the option in which different users may have the same e-mail should automatically be disabled or removed altogether from phpBB.

[nickvergessen]

Or the user has to use the username when he has multiple accounts with the same address...

Also removing the feature, does not help, multi-accounts may still exist after the update

[imkingdavid]

An alternative to removing, disabling, etc. either feature based on a user having or not having multiple accounts would be to do one or both of the following:
1) Link accounts - when a user logs in with the email address, he or she may choose the username he or she wishes to use, and (optionally) may be allowed to easily switch to another linked username at any time.
2) Determine the account based on the password - This would assume that the user is using a different password for each account. We could require that if the email address is the same the password must be different from the one used on all other accounts.

[brunoais]

Yep, that's a good idea, iimkingdavid

[Hardolaf]

I don't think that imkingdavid's second suggestion would be too difficult to implement. However, I do see issues arising where there may be the same password used for the two or more accounts belonging to the same e-mail address.

The first suggestion he brought up might take significantly longer to implement.

Edit: Back to the second suggestion, there is also the possibility of hash collision which could theoretically allow someone to log into the wrong account using this system.

[farrington]

I like iamkingdavid's first idea for an add-on.

[AmigoJack]

-1

Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success. There should be at least a combobox / two radiobuttons so the user himself has to choose if what he enters is the e-mail address or the username.

Checking for same passwords can turn out to be impossible, as phpBB already built in a mechanism to avoid producing same hashes for same passwords from different users (that means Bob's password "one" will produce another hash than Alice's password "one").

[Arty]

Just taking an input and then searching if it's an e-mail address or a username just doubles the chance of brute force success.

That is incorrect. How many people are using email address as their username? Close to none. If someone would want to brute force he will do that by ether user name or email, not both.

[AmigoJack]

email address as their username

Not the address as name - the address instead of the name.

[Arty]

email address as their username

Not the address as name - the address instead of the name.

And how does that double chances of brute forcing? Usernames are already known to all visitors, there is nothing to guess. Bots that are stupid enough not to check users list before brute forcing have higher chance of guessing someone's username than email address because usernames are generally much shorter.

[AmigoJack]

Usernames are already known to all visitors

Not if you disallow everything to guests. The chances double because you will succeed with name or address. Think of it as one pair (name+pass) is granted aswell as another (address+pass) - we are raising alternatives to login while they still use one unique component.

While I might not know all usernames of my enemies everywhere, I most supposely know their e-mail addresses - so you make it easier for me.

[callumacrae]

Why would anyone brute force the username field?

[AmigoJack]

That's irrelevant - it happens already and thanks to (augmented) logs I see all login tries to unknown accounts and their names shift by either the last characters or by making an e-mail address of it (won't publically list all those tries here).