On 12/11/2009 12:24 PM, Sean T Evans wrote:
>
> Is there any evidence to back up this assertion? It only holds true if
> you use A) a unique username, or that every site you use that
> username on offers the option of having a different display name and B)
> the same e-mail address for each site.
>
> In my case, I tend to use the same username, but different e-mail
> addresses for different sites. Therefore, in my case at least, removing
> the option to login by username and _only_ allowing login by e-mail
> would be more secure.
Of course the security of either option changes when you focus on one
use case or another. Yours may be directly the opposite of mine, making
the alternative more secure. I think it's worthwhile to consider in
abstract both what is more secure empirically and what is most
straightforward to implement (therefore more secure by being a simpler
implementation).
Assuming a user wanted the added security of a less easily guessed
username, and the two options available were either a username that
could be any combination of characters (including an email address) or
an email address absolutely, I think it's obvious that the range of
possible values that the former option allows makes it the superior
choice. (This is my argument against enforcing password "strength" by
insisting on length and minimum character-class inclusion, since doing
those things ultimately results in cryptographically fewer absolute
potential options.)
There is also a potential case to be made that allowing use of an
arbitrary string as a login may allow more flexibility in passing values
to an external (pluggable) authentication system.
Regarding implementation, making the email address unique is a database
change. It's a structural change, which must be done across database
engines. As we've seen from doing this in the past, it's non-trivial.
It also may cause some issues for installations that already have
multiple user accounts using the same email address, since simply
setting the field to be row-unique will generate errors on those
duplicate rows; errors that must be accounted for. We would likely need
to provide a way for users to specify replacement emails for those rows
that generate errors.
Conversely, removing the ability to log in with an email address amounts
to reducing the core code size by 6 lines, and doesn't alter the
database (see attachment). If you still want to use your email address
as a username, I suspect you'll still be able to do that -- it'll just
be stored in both the username and email fields, and you'll need to set
a clean displayname in your profile so that your email address doesn't
show up as the author of your posts.
Blah blah blah. Etc. Ad infinitum.
> As I've advocated before, I think instead of us making assumptions about
> how users want to interact with the software, we should, when we have
> the opportunity take the option that gives the most flexibility. Keep
> the core simple and open, and allow customization via plugin.
This is not an issue solely about flexibility, though. It is also not an
assertion based on how we expect users want to log in. There is a hint
of security at play. We are talking about logins, after all.
In cases where security is an issue, I advocate that we choose a default
that provides the most security, and allow the user to add plugins that
erode that security of their own volition. That other sites feel that
email addresses are sufficiently secure to use as usernames should have
little bearing on what we consider secure. If other blogging apps
jumped off a bridge, etc.
All of that said, I think Habari's landscape has just had another
woodshed erected. As heard elsewhere in the thread, someone should just
code something (see patch). I suspect the easiest implementation will
probably be the best one for users, too.
Owen
--
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to
[email protected]
For more options, visit this group at http://groups.google.com/group/habari-dev
Index: user.php
===================================================================
--- user.php (revision 3876)
+++ user.php (working copy)
@@ -260,13 +260,7 @@
return false;
}
- if ( strpos( $who, '@' ) !== FALSE ) {
- // we were given an email address
- $user = self::get_by_email( $who );
- }
- else {
- $user = self::get_by_name( $who );
- }
+ $user = self::get_by_name( $who );
if ( ! $user ) {
// No such user.
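Review bot: after this change an existing user whose e-mail address differs from their username, and who has been logging in with the address, will silently fall through to the `if ( ! $user ) { // No such user.` branch with no hint about why. Since the removed `strpos( $who, '@' )` branch was the only path that honoured an address, the change should ship with a release note (and ideally a more specific login failure message) telling such users to switch to their username; it also quietly fixes the old heuristic's inability to look up by name any username that itself contains an `@`, which is worth a line in the commit message.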