tags:

views:

603

answers:

10
+9  Q: 

What are the pros and cons of using an email as a username?

You know most login forms use user & pass.

And some go the email & pass. What are the pros and cons of them? Here is what I have thought of.

PROS of email

  • one less thing to remember (as opposed to remembering a username too)
  • Should always be unique per user
  • One less thing you need to ask them to register

CONS

  • If they change email - could the potentially try and use their new email to access the site?
  • For forget password - and it says 'please enter your email' and they have abandoned their old email - they could potentially be stuck.

I do believe this is programming related because ease of use of a web application is something important that shouldn't be overlooked.

+13  A: 

Another thing to remember is that if other users can also see the "username", you shouldn't use mail addresses due to privacy issues.

Tal Pressman  2009-08-20 02:03:24
+1 thanks - useful info
alex  2009-08-20 02:11:30
Not always. The username should never be the public facing name. That goes for email as username or just usernames. Seperate the username (or email) from the public "presence" name.
Phillip  2009-08-20 02:18:25
+1  A: 

Email (pro) - lessens account-creation spamming because you could confirm their account by sending an email to them.

JasonV  2009-08-20 02:04:24
You can require an email address to link to the account and verify the account by that email address. This does not change if you have a username for authentication. I recommend it though.
TheJacobTaylor  2009-08-20 02:05:58
Practically every site you sign up for will ask for an email address, regardless of whether it's used as the username or not.
DisgruntledGoat  2009-08-20 14:46:16
+2  A: 

Email makes a good username as long as you provide a means for changing the email address. LinkedIn provides this as you create an account with an email as the username. They also allow you (once logged in) to change the primary email address which then changes your username to be that email address.

As long as you do something like this then you should be all set.

Andrew Hare  2009-08-20 02:04:52
In the event that something happens and the email address cannot be recovered for lost passwords, I would recommend having some form of email or phone communication for account recovery. In my oppinion, you should have this anyway, regardless of if you use usernames or email as usernames. Use account demographics to confirm the user is who they say they are.
Phillip  2009-08-20 02:16:41
+3  A: 

OpenID and OAuth .....It just appears better. Even less users to manage for them and it makes migrating in one place easier on a change.

Yes, you have to be careful. I would insist that the backup email address (an additional profile field) is different than the email address they are using for the user. Many systems also have some other fields that then can use to authenticate themselves if things get really hairy. At this point though, it would frequently require a tech support call.

Depending on the type of system, using email may be a security vulnerability. I know your email address, I don't know what you might put into a username prompt. If being able to easily guess a username is an issue, then I would not use email address.

Jacob

TheJacobTaylor  2009-08-20 02:05:00
+1  A: 

Con: When you require a username to be shared among applications such as web site and email, it can raise security concerns. For example, whoever has access to the usernames in the web site will also have access to the email addresses if the email is use for the username. Usually this is not a problem, but it could be. It is generally a good policy to keep usernames and passwords separate between applications unless there is a common login procedure, or unless security is not important.

xpda  2009-08-20 02:08:45
Generally if they have access to the username that will probably have access to the email address as well because access to the username usually requires some database accessibility. If they have access to the database they have access to more then just the username. At least thats my oppinion.
Phillip  2009-08-20 02:14:16
A: 

When you use Email addresses, it's easier for a member to change their username, for example when pwng0d69 wants to be known as Jon Skeet. However for each site that asks for my email address, personally I cringe at yet another source of potential spam.

Use Open ID :)

Moak  2009-08-20 02:10:07
A: 

CON: It's one less insulating layer between the user and spammers. If, somehow, somebody got a full list of usernames, they would be able to spam all your users. But if the site uses usernames, with emails as a secondary field, this isn't a concern.

Unless they get all user data, of course, but that's a much bigger problem anyways.

Cinder6  2009-08-20 02:12:50
A: 

PRO: It seems that some services are considering making e-mail the standard for identifying a specific user across the net:

e.g. http://www.techcrunch.com/2009/08/14/google-points-at-webfinger-your-gmail-address-could-soon-be-your-id/

CON: This hasn't happened yet, and there are lots of other options such as OpenAuth and OpenID that are around now and have some support (you also have login using Facebook spreading).

Just tailor your choice for identity to whatever the target audience of your app will be.

nicoslepicos  2009-08-20 03:18:57
A: 

We used Arena Solutions 'Product Lifecycle Management' software before a change in company ownership mandated a change. It was one of those deals where all your sensitive company data is hosted somewhere offshore and could be accessed by browser from anywhere.

Arena PLM was touted as highly secure, but the (default) behaviour was to require an email address as a username. It allowed strong passwords with an expiry date, but when my password expired I was told I could choose another one, or just continue to use the old one!

I think the security claims were based on the use of SSH for data transfers, but it seemed to me a determined person could log in because

  • The usernames were publically available company email addresses, and
  • There was plenty of time to guess a password because a lazy user wouldn't choose a new one.

It means, of course, that the use and renewal of strong passwords must be enforced.

pavium  2009-08-20 03:40:44
A: 

I've done this for b2b apps and its a real pain when a user leaves a client company an someone else is using the old deactivated email address as a login and purposely not changing it to avoid getting email from us.

We end up with password-reset email that bounces and support calls to fix things.

sal  2009-08-21 03:34:15

related questions

I ALMOST understand how email works, but I'm missing something.
Sending Email in .NET Through Gmail
MS hotfix delayed delivery.
How to send email from a program _without_ using a preexisting account?
Email SMTP validator
Maximum length of a MIME Content-Type header field?
If email is not the answer then what is?
Accessing an Exchange Server without Outlook
Recommendations for a .NET component to access an email inbox
Email queueing in php
How do I open the default mail program with a Subject and Body in a cross-platform way?
How do I send a file as an email attachment using Linux command line?
Read from .msg files
What was your biggest mistake involving programmatically sending email?
Good email service for bulk emailing
parsing raw email in php
Is there any wiki engine that supports page creation by email?
Sending emails without looking like spam
What's in your .procmailrc
Why won't Entourage work with Exchange 2007?
Can I use JavaScript to create a client side email?
E-mail Notifications
Is a "Confirm Email" input good practice when user changes email address?
MAPI and managed code experiences?
How do you make sure email you send programmatically is not automatically marked as spam?