views: 144

answers: 4

I'm deciding whether to accept a new registration using an email that already exists in the database but using a different username or to refuse it.

There are times when I forget username and/or password for a website. I then try to re-register using a different username/same email I used but often get refused by some web apps.

What is your opinion on this?

Edit: Forgot this other important question...

When trying to see if a username already exists in the database during registration, should I do a case-sensitive comparison? Should different case usage create different usernames?

What about passwords? Should they be case sensitive?

Thanks!

+1  A: 

I wouldn't do it. How would you contact your user if you have multiple emails? Besides, aren't you confirming the email upon registration? It's better to add a 'recover password' routine than to allow accounts with the same email. I use them as a unique identifier too.

Juparave
+3  A: 

I think requiring unique email addresses is a good idea. It allows you to reset forgotten passwords and email them to the forgetful user.

I suggest that if you want to refuse duplicate email addresses then have your users use their email address as their username.

The only reason I can think of NOT to do this is if your system might require a single person to have more than one login - for different access levels, permissions, regions, etc. It's better to design the system so that each real world person only needs a single login though.

Regarding case sensitivity: you avoid this problem by using email addresses as usernames - you can simply lowercase everything behind the scenes. Passwords should be case sensitive. Upper/lower case dramatically increases the number of characters available, which makes brute forcing and guessing passwords much harder.

Scott Saunders
How would using the same email address among 2 usernames disallow password retrieval? As long as the user controls said email, I see no problem.
Jeskl
It doesn't disallow it, but it can complicate it. If the user knows their username, then there's no problem. If they forgot their username, you can have them enter their email address, but then you must reset/resend ALL usernames or passwords with that email address, even if they've only forgotten one. Users almost never forget their email address, but they often forget usernames, especially on large systems where they end up with '2009jeski_263' because their usual username is already taken.
Scott Saunders
And yes, passwords should absolutely be case sensitive.
Scott Saunders
"design the system so that each real world person only needs a single login" - this is very subjective. People have more than one facet to their identity (you're one person with your close friends, another person at work and yet another person at the Sunday soccer league). If the app supports any notion of social networking, it should account for that fact and provide the users the ability to have multiple facets. (While Facebook is widely successful, it fails miserably at providing granular control of which posts of mine go to which friends in my social circle.)
Franci Penov
Franci Penov: Systems, including facebook, can be designed so that a single login gives you access to one or many "facets". The Role pattern describes this. It would be better to log in to facebook once and then manage who sees which posts rather than: log in, post, log out, log in to account #2, repost, logout ... Yes? Setting up multiple accounts on sites like that is a work-around for a feature that wasn't designed-in. If you're writing the application and want users to be able to do that, simply design in the feature rather than just allow work arounds.
Scott Saunders
A: 

Allow only one username per email address. I think there might be cases where it makes sense to allow multiple accounts per email address depending on your service. E.g. I'd like to have multiple twitter accounts for the same email address (e.g. one for family twittering and one for technical twitters).

  • Username or email = not case sensitive
  • Password = case sensitive

I think this is universally accepted and expected.

AtliB
A: 

Most systems don't allow the same email to be shared between multiple identities. In my opinion, there are no strong arguments for such a limitation, except the one @Scott Saunders pointed at - resetting a password based on email only would reset the password for all accounts that share the same password. However, I personally think that if the users are so engaged with your app that they want to register twice - let them.

However, I would suggest a couple of things to keep in mind with regards to emails and user identity:

  • don't use the email as a user identity/unique identifier. People tend to forget their email password or to switch their emails.
  • allow users to enter more than one email. The more ways to reach to user you have, the better.
  • enforce the uniqueness of the email only on confirmed emails. (that is, if you ever choose to enforce email uniqueness)
  • treat emails as case-insensitive. Unfortunately, there is no way to properly lowercase email addresses that are not in your app's primary culture.
  • consider carefully how you treat the dot ('.') and plus ('+') characters in an email. Some systems ignore the dot and treat [email protected] to be the same as [email protected]. And some systems treat anything after the plus as an alias (or a sub-email), thus [email protected] is the same as [email protected]. (In particular, I know of at least one system that combines the two behaviors, so that [email protected] is equivalent to [email protected].)
  • do not treat emails at subdomains the same as emails at the main domain. Unfortunately, there are cases where the emails from a particular subdomain are the same as the emails from the top domain, but there's no way for you to know when this holds true.
  • and the most important one - allow users to register without providing an email. This one is a bit controversial, but my take on it is that the less friction there is in user registration, the more chances they will get more engaged with your app. (I can't tell you how many web sites have lost me in the middle of the registration, when it turned out I had to fill out five pages of random information...)
Franci Penov
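As an added example (not code from any of the posters above), here is how the conventions discussed in Scott Saunders' answer and in the list above fit together in a registration check: usernames and email addresses are compared case-insensitively, dots and "+tag" aliases are collapsed only for providers you have confirmed behave that way, email uniqueness is enforced only against confirmed addresses, and passwords are hashed exactly as typed so they stay case-sensitive. The `ALIAS_RULES` table, the `.test` domains and the sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os
import unicodedata

# Constructed assumption: providers that drop dots / treat "+tag" as an alias (policy, not RFC).
ALIAS_RULES = {"example-mail.test": {"ignore_dots": True, "plus_alias": True}}

def normalize_username(username: str) -> str:
    """Case-insensitive username key: Unicode-normalize, trim, casefold."""
    return unicodedata.normalize("NFKC", username).strip().casefold()

def normalize_email(address: str) -> str:
    """Canonical key for duplicate checks: domain folded (case-insensitive by spec),
    local part folded too, dots/plus collapsed only for providers in ALIAS_RULES."""
    local, _, domain = address.strip().rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    local, domain = local.casefold(), domain.casefold()
    rules = ALIAS_RULES.get(domain, {})
    if rules.get("plus_alias"):
        local = local.split("+", 1)[0]
    if rules.get("ignore_dots"):
        local = local.replace(".", "")
    return f"{local}@{domain}"

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2; the password is never case-folded, so 'Secret' != 'secret'."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)

def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)

def registration_conflicts(existing: list, username: str, email: str) -> list:
    """Fields that collide; email uniqueness is checked against confirmed addresses only."""
    u_key, e_key = normalize_username(username), normalize_email(email)
    conflicts = set()
    for account in existing:
        if normalize_username(account["username"]) == u_key:
            conflicts.add("username")
        if account["email_confirmed"] and normalize_email(account["email"]) == e_key:
            conflicts.add("email")
    return sorted(conflicts)

# Constructed sample accounts, not from the original post.
EXISTING_ACCOUNTS = [
    {"username": "Alice", "email": "Alice.Smith+shop@Example-Mail.test", "email_confirmed": True},
    {"username": "bob", "email": "bob@example.test", "email_confirmed": False},
]
```

Note that `bob`'s unconfirmed address does not block a new registration with the same email, while `alicesmith@example-mail.test` collides with Alice's confirmed aliased address.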