Web site security is a very important issue to me. I find it frustrating sometimes dealing with people who operate based more on superstition and urban legends than on solid principles. Part 3 is about an experience I had with a public forum, and their justification for deviating from these guidelines.
As I explain in part 1, it is necessary and sufficient for a user to log in with an email address and a password in order for a system to be secure. One need only make sure that the password is sufficiently hard to guess, with a strength appropriate to the risk of the account being broken into.
I basically refuse to sign up with any site anymore that requires generation of an ID that is not my email address. Most modern sites want my email address anyway to notify me of things, and to allow me to reset my password.
Many old-fashioned sites (I call them old-fashioned because they are generally disappearing) require that you specify an additional user ID for that system. Of course the user ID has to be unique, and what is annoying is that often my first choice of user ID is taken, and one is forced into trial and error to find a unique ID that is acceptable. This leaves me with many different IDs for different sites, and I am required to go to the extra trouble of keeping track of which ID belongs to which site. It is so much easier for me to specify my email address at each of them.
I ran into this on a support site for Moodle. I am helping a local high school set up and use this amazing teaching support system. The support forum requires a username, an email address, and a password. Some time ago, I had set up an account, but no longer remembered the username. I was prevented from creating a new account, because my old account held the email address, but there was no way to get the system to send the username to that email address. It seems rather silly to be locked out of using my email address in this way.
Using a different email address, I created a new user account, and complained on that site. The response I got was another sort of superstition: people were worried that if you used your email as a login name, you would start getting a lot of spam. I was told that you can’t log in using your email address, because then everyone would see, and be able to abuse, your email address.
Here the users were confusing the “login ID” with the display name of the user. There is no need for a system to display the login ID to other users. Similarly, there is no need to specify your display name during login.
It is true that many old-fashioned systems use your login ID as your display name. I completely agree that if you use your email address as a login ID, the system should protect your email address and should not display it to anyone you don’t want to have it. But the proper solution is to allow the user to specify a display name. It need not be unique: if there are two users named “Mike Johnson,” they both should be able to use this display name if they choose to, because it is possible that they are in completely different groups and may never run into each other. On the other hand, if they do run into each other, they should have the option to change the display name in any way they wish.
I complained to phpBB, the software used by the Moodle Support Forum site. This is quite popular software for running bulletin boards and is widely deployed. The phpBB software has an optional module to allow login by email address, but it is not standard: the site admin has to know to install it. The installation of this module is not difficult. Instead, the real trouble is defending what you have done, and convincing others who think it will be “less secure”.
I have a lot of sympathy for these site administrators who don’t want to be accused of being lax on security. It takes a lot of confidence to say “the site does not need that to be secure”. If the site becomes compromised, it is the site administrator who most often gets the blame. There is a powerful incentive to stick to old-fashioned ideas of how the system should be secured, and requiring the user to create a new login ID has long been part of online systems.
Of course, when accepting an email address for use as a login ID, it should be verified that the user actually owns that address. Today I was registering for a new account at a site that, amazingly, did not do that. It blindly allowed you to create an account for any email address. Even stranger: it required me to verify ownership of the email if I attempted to change the email address. The system has the ability to require the user to verify ownership of the address; it simply does not use it when creating the account originally. I conclude that this is simply a sloppy programming bug.
A smart system requires only (1) an email address, (2) a password, and (3) a display name which is editable. System security is ensured by the strength of the password alone. The email address should not be displayed to others, but its secrecy is not a factor in the security of the site.
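As an added example (my own code, not from this post, phpBB or Moodle), here is a minimal Python account store that implements exactly those three fields and the rules above: the login ID is the email address, one shared proof-of-ownership step serves both registration and an address change (so the two paths cannot drift apart the way the bug in the previous paragraph did), the display name is editable and deliberately not unique, and the only thing handed out publicly is the display name. Because the password is the only factor, the store also caps failed login attempts; that limit, the PBKDF2 work factor, the in-memory "outbox" standing in for a mail sender, and all the names are my assumptions.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Optional

# Assumed constants (not from the post): PBKDF2 work factor and online-guessing cap.
PBKDF2_ROUNDS = 100_000
MAX_FAILED_LOGINS = 10


@dataclass
class Account:
    email: str                           # the login ID; shown only to its owner
    pw_salt: bytes
    pw_hash: bytes
    display_name: str                    # public name; deliberately not unique
    verified: bool = False               # set once the address owner uses the mailed link
    pending_email: Optional[str] = None  # new address awaiting the same proof
    failed_logins: int = 0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def _normalize(email: str) -> str:
    # One canonical form so "Bob@Example.com" and "bob@example.com" are one account.
    return email.strip().lower()


class AccountStore:
    """In-memory stand-in for the users table; `outbox` replaces a real mail sender."""

    def __init__(self) -> None:
        self._accounts: dict[str, Account] = {}
        self._tokens: dict[str, tuple[str, str]] = {}  # token -> (login email, purpose)
        self.outbox: list[tuple[str, str]] = []         # (recipient, token) "sent" mail

    def _send_proof_request(self, recipient: str, email: str, purpose: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = (email, purpose)
        self.outbox.append((recipient, token))
        return token

    # Registration asks for email, password and display name, nothing else.
    def register(self, email: str, password: str, display_name: str) -> bool:
        email = _normalize(email)
        if email in self._accounts:
            # Address already taken: mail its owner a reset link instead of telling
            # the person at the keyboard anything. The login ID is the address, so
            # there is no forgotten "username" that could lock the owner out.
            self._send_proof_request(email, email, "reset")
            return False
        salt = os.urandom(16)
        self._accounts[email] = Account(email, salt, _hash_password(password, salt), display_name)
        # The same proof step as an address change, so the two paths cannot diverge.
        self._send_proof_request(email, email, "verify")
        return True

    def confirm(self, token: str, new_password: Optional[str] = None) -> bool:
        """Called when the mailed link is used; every token is single-use."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        email, purpose = entry
        acct = self._accounts.get(email)
        if acct is None:
            return False
        if purpose == "verify":
            acct.verified = True
        elif purpose == "change" and acct.pending_email:
            del self._accounts[email]                 # re-key under the proven new address
            acct.email, acct.pending_email = acct.pending_email, None
            self._accounts[acct.email] = acct
        elif purpose == "reset" and new_password:
            acct.pw_salt = os.urandom(16)             # using the link also proves ownership
            acct.pw_hash = _hash_password(new_password, acct.pw_salt)
            acct.verified, acct.failed_logins = True, 0
        else:
            return False
        return True

    def login(self, email: str, password: str) -> Optional[Account]:
        acct = self._accounts.get(_normalize(email))
        if acct is None or not acct.verified or acct.failed_logins >= MAX_FAILED_LOGINS:
            return None
        if not hmac.compare_digest(_hash_password(password, acct.pw_salt), acct.pw_hash):
            acct.failed_logins += 1
            return None
        acct.failed_logins = 0
        return acct

    def change_email(self, acct: Account, new_email: str) -> None:
        acct.pending_email = _normalize(new_email)
        # Proof goes to the NEW address; the old login ID keeps working until it arrives.
        self._send_proof_request(acct.pending_email, acct.email, "change")

    @staticmethod
    def set_display_name(acct: Account, name: str) -> None:
        acct.display_name = name   # no uniqueness check: two "Mike Johnson"s are fine

    @staticmethod
    def public_profile(acct: Account) -> dict:
        return {"display_name": acct.display_name}   # the address never leaves the server
```

Note that `register` returns the same "check your inbox" outcome to the browser whether or not the address was taken; the only difference is which mail the address owner receives, which is the property the Moodle forum lacked.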
Part 4 covers other odd behaviors around security I have seen.