Jump to content

New login using email address

Recommended Posts

Notification is unclear regarding the change to email address login names.  If only the login name is shown,

it won't take much to complete email addresses when a scammer just needs to fill in gmail.com or Yahoo.com etc...


I did try to activate my login via Facebook, but it currently is not working.   


What security will we have if anyone can find our complete email address?

Link to comment
11 minutes ago, Mark Shaw said:

. . . What security will we have if anyone can find our complete email address?

There are lots of sites that use your email address for your login ID. Seems to be more all the time (in the old days the user ID had nothing to do with your email). That is just a fact of life, so assume that your login ID (i.e. email) is known to everyone. Your protection is having a “good” password and, if the site supports it, two factor authentication.


In this context a good password has the following characteristics: It is long, it is totally random, it is unique and different for each and every site and account you have. Unless you are an idiot savant with perfect memory and the inhuman ability to create totally random passwords, the only way to do that is to use a password manager/wallet of some sort.


Having each site and account use a different password helps keep your accounts safe: Sites are hacked all the time. You have no control over that. Sites vary on how well the protect your password(s) when they are hacked, you must assume the worst case for the site’s setup and administration. Thus the only safe thing is to assume that every account/site will at some time be hacked and the passwords for that site will be compromised. If this AACA site is compromised you don’t want your email and all your banking, etc. accounts to be compromised too.


Many sites allow or require you to have saved answers to things like the city you were married in. The concept is that if you forget your ID and/or password their agent (or computer) can verify who you are and get you back into your account. This is rife for abuse by people who use “social engineering” to find out or guess the answers to all those typical questions. First, don’t share that type of information on any social media. Second, make up bogus answers to all those questions. With different bogus answers for each account/site. Hard to remember? Of course, that is why you also store that information away in your password manager app/wallet too.


I happen to use KeePass because it is open source and available on all platforms. There are a number of commercial products as well if you prefer to go that way. Some have good integration with browsers (or are even built into browsers). Some, like most implementations of KeePass, require you copy and paste between the password manager and the browser or app you are logging in with.

Link to comment

I don't see how they would be able to find the email address that easily. In fact, If I have been reading the threads correctly, that is the whole point.


Lets say my forum handle is "bloo", because it is, and lets say my password to log into the forum is "s0mepassword". It isn't, but bear with me.


Additionally, lets say my email address is "whatever@gmail.com". That isn't correct either, but will do for an example.


Right now, to log into the forum, I type bloo as the username and  s0mepassword as the password.


The forum software has my email address, but does not publish it. The software just uses it to alert me if someone mentioned me, or responded to a thread, or whatever. It does so by sending me email.


After the change, I will type whatever@gmail.com as the username and s0mepassword as the password  in order to log into the forum


Nothing else changes. My forum handle once I am logged in will still be bloo, and whatever@gmail.com will still be unpublished by the software.


Why is this better? Because everyone in the world who has ever read this forum, logged in or not, knows the username "bloo" because it is my forum handle. They only have to guess the password "s0mepassword" to log into my account.


After the change, they will have to guess both the email address whatever@gmail.com and the password s0mepassword at the same time to log into my account.


Since whatever@gmail.com is not published by the software, someone trying to illicitly log into my account probably doesn't have it. Anyone who has ever had a PM from me has my real email address and other contact info, unless I forgot once somewhere along the line. Generally speaking, a bunch of regular posters here have it, but the whole world does not.


I don't quite understand how any of this would help somebody guess your email address. If your email address, unlike mine, is already published all over the Internet, then this isn't much of a security improvement, but I don't see how it could be worse either.


I don't know about the Facebook login. As someone who worked in IT for a while, I consider a common login over multiple sites, no matter who it is with, to be an extremely bad idea, and I will probably never do it. Lots of people do it though, and I am sure Peter will have the answer.


My best guess is that if you are using Facebook rather than logging into the forum directly, you are not typing the username anyway, and you probably won't see the change at all.

  • Like 1
  • Thanks 1
Link to comment
15 hours ago, Mark Shaw said:

If only the login name is shown,

it won't take much to complete email addresses when a scammer just needs to fill in gmail.com or Yahoo.com etc.

 I really don't want to make it easy for anyone to get my email address. 

So, will the forum software show the email user name?  

Please clarify...

Link to comment

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...