Lack of interest Option: disable username login, email as default

[beerForo]

The benefit is, users keep their emails up to date as, no one likes to login with a defunct email, plus it is more secure, as bots cannot go through the member list (as a login) trying passwords since emails are private.

I would like to suggest disabling username login, thanks!

 

[djbaxter]

If you run a forum for any length of time, you'll soon discover that your premise is incorrect. People frequently do NOT keep their email addresses up to date.

 

[beerForo]

Since 2003 here. That's pretty long.

So on point 1, yes I get it. But it does work as a reminder to change it. I ran a different software where I changed it to email only after many years. The #1 support ticket issue was "I don't remember the email I signed up with." When we told them the old email they would log in and change it. Bounce rates of transactional emails went down. So no, it is not a guarantee, but it is a gentle reminder. Also it helps thwart using disposable emails.

On point 2, I ran a vB where bots would run login scripts based on the usernames and generic passwords. They broke through a few times. You'd see spam from someone whose last post was 5 years prior. With vB I was not able to switch to email only so I was forced to disable the memberlist.

With those use cases I proposed the suggestion here. Simply as an option. Thanks!

 

[beerForo]

To clarify on the security aspect, username login is not a security risk when there is no public username list (or posts). For example you may log into your bank with a username. But they don't have a list of usernames on their site. The combo is what creates the risk, giving hackers 50% of the login, with only the password to crack. When it's email, that is information they do not have or see on the forum. So they need 100% (email plus password) to crack. People are also used to logging in via email on social media. I suggest this based on a huge problem with password cracks from a previous site. Thanks

 

[Max Taxable]

This is indeed a valid option to have. I ran an experiment for over a year on this and what I found was, xrumer and other autospam programs get stopped by this - because by default after creating their spam account with a false email address they then verify automatically, they try invariably to login using the username and not the email address. They can get accounts created but cannot log in!

Glad to see Snog already created an add-on for this, but I am thinking this option should be native.