Lack of interest Option: disable username login, email as default

This suggestion has been closed automatically because it did not receive enough votes over an extended period of time. If you wish to see this, please search for an open suggestion and, if you don't find any, post a new one.
This suggestion has been closed. Votes are no longer accepted.
If you run a forum for any length of time, you'll soon discover that your premise is incorrect. People frequently do NOT keep their email addresses up to date.
 
Since 2003 here. That's pretty long. ;)

So on point 1, yes I get it. But it does work as a reminder to change it. I ran a different software where I changed it to email only after many years. The #1 support ticket issue was "I don't remember the email I signed up with." When we told them the old email they would log in and change it. Bounce rates of transactional emails went down. So no, it is not a guarantee, but it is a gentle reminder. Also it helps thwart using disposable emails.

On point 2, I ran a vB where bots would run login scripts based on the usernames and generic passwords. They broke through a few times. You'd see spam from someone whose last post was 5 years prior. With vB I was not able to switch to email only so I was forced to disable the memberlist.

With those use cases I proposed the suggestion here. Simply as an option. Thanks!
 
Last edited:
To clarify on the security aspect, username login is not a security risk when there is no public username list (or posts). For example you may log into your bank with a username. But they don't have a list of usernames on their site. The combo is what creates the risk, giving hackers 50% of the login, with only the password to crack. When it's email, that is information they do not have or see on the forum. So they need 100% (email plus password) to crack. People are also used to logging in via email on social media. I suggest this based on a huge problem with password cracks from a previous site. Thanks
 
This is indeed a valid option to have. I ran an experiment for over a year on this and what I found was, xrumer and other autospam programs get stopped by this - because by default after creating their spam account with a false email address they then verify automatically, they try invariably to login using the username and not the email address. They can get accounts created but cannot log in!

Glad to see Snog already created an add-on for this, but I am thinking this option should be native.
 

Similar threads

S
Require password reset upon login
Replies
2
Views
328
stromb0li
S
NealC
  • Question Question
Switched to google workspace oauth email and getting too many login attempts error
Replies
12
Views
715
NealC
NealC
B
Which default and contact email address would be appropriate?
2
Replies
29
Views
2K
TPerry
TPerry
bzcomputers
Not a bug Valid Gmail addresses are currently blocked in they have three or more periods in the username part of the email address
Replies
7
Views
905
Digital Jedi
Digital Jedi
R
  • Solved
XF 2.2 Unwelcome message PHP functions disabled by hosting site
Replies
2
Views
524
Paul B
Paul B
Top Bottom