Bug in login/user creation procedure


eighty4

Dec 10, 2009, 4:18:55 PM
to habari-dev
Discussions on IRC revealed a bug in the login/user creation procedure
(Good work BigJibby).
You can currently login with your account email address or the
username. But the email address is not unique. This will cause problems
if someone creates multiple accounts with the same email. As I see it
there are two solutions to this and there's call for a vote.

1. Make email unique
2. Remove login with email

Since I'm the one starting this thread I decide that we'll be voting
+/- for option number two. I.e. +1 is voting for removing email as a
login option.

The usual voting rules... If someone figures out a third solution I
guess we'll have to revote.

I'm +1

David Latapie

Dec 10, 2009, 4:30:39 PM
to habar...@googlegroups.com
2009/12/10 eighty4 <m...@eighty4.se>:
> Since I'm the one starting this thread I decide that we'll be voting
> +/- for option number two. I.e. +1 is voting for removing email as a
> login option.
>
> The usual voting rules... If someone figures out a third solution I
> guess we'll have to revote.

-1

Email-as-login is a growing trend that I consider useful.

--
</david_latapie>
http://david.latapie.name/ U+0F00
Proper Preparation Prevents Poor Performance
You only make one first impression

Owen Winkler

Dec 10, 2009, 4:33:33 PM
to habar...@googlegroups.com
+1 -- remove email as a login method

Doing so increases security, since you can create a username with a
displayname that would obscure the username from common view. Using
email as a login increases a malicious user's chances of guessing a
valid login.

Owen

Scott Merrill

Dec 10, 2009, 4:33:37 PM
to habar...@googlegroups.com
-1.

I believe I'm the one who added support for login by email originally.
I think, at that time, email was required to be unique, which made
login-by-email very easy. I think that's the correct approach,
personally.

Sean T Evans

Dec 10, 2009, 4:40:02 PM
to habar...@googlegroups.com
David Latapie wrote:
> 2009/12/10 eighty4 <m...@eighty4.se>:
>> Since I'm the one starting this thread I decide that we'll be voting
>> +/- for option number two. I.e. +1 is voting for removing email as a
>> login option.
>>
>> The usual voting rules... If someone figures out a third solution I
>> guess we'll have to revote.
>
> -1
>
> Email-as-login is a growing trend that I consider useful.
>

I'd like to suggest another option that puts the burden on us, as the
Habari development community rather than the user:

Change the user creation system so that if a person attempts to create
an account using an e-mail already in the DB they are presented with a
dialog that says something along the lines of "An account with that
e-mail address already exists. If you wish to create another user with
the same e-mail address, the new user will not be able to login using
the e-mail address. Do you wish to continue?"

This allows the user to:
A) Decide they're okay with only logging in via username
B) Use a different e-mail address
C) Realize they've already established an account on the site and login
rather than creating a new user.

In response to Owen's comment, it might be wise to add an option
(perhaps via a plugin) to disable login-by-email for those that are
concerned about that potential attack vector. For me, my username is
likely easier to determine than my e-mail address so it's not a
significant concern for me.

--
Sean T. Evans

David Latapie

Dec 10, 2009, 5:12:14 PM
to habar...@googlegroups.com
2009/12/10 Scott Merrill <ski...@skippy.net>:
> -1.
>
> I believe I'm the one who added support for login by email originally.
> I think, at that time, email was required to be unique, which made
> login-by-email very easy. I think that's the correct approach,
> personally.

I already voted so will only add input here.

Our society of information requires us to memorise way too much
information. What is my nick here? The usual one? Well, maybe I took
this one here because I remember it was taken on this site - or was it
on the other one? No, password managers are NOT a solution - I
stopped counting how many times this failed me.

OTOH, your email is yours and yours only. This is that one, not
the-same-as-usual-but-with-a-zero-because-it-was-already-taken-or-maybe-two.
Plus, this is one less thing to memorize (email is something one may
remember even better than credit card code AND remembering a nick is
not necessary anymore). One email address to rule them all, both on
joesblog.com and froglovers.com.

Long live the One-True-Email! :)

(I won't post more on this, I gave my point of view).

Sean: your idea would then lead to some people being able to log in in
a certain way and others in another way. Granularity, double standard.
Nice intent, though.

Caius Durling

Dec 10, 2009, 5:40:11 PM
to habar...@googlegroups.com
On 10 Dec 2009, at 21:18, eighty4 wrote:
> Discussions on IRC revealed a bug in the login/user creation procedure
> (Good work BigJibby).
> You can currently login with your account email address or the
> username. But the email address is not unique. This will cause problems
> if someone creates multiple accounts with the same email.

> 2. Remove login with email


-1 for Remove login with email.
+1 for making it unique.

Make it unique instead. If you want two accounts then get another email. Works for the rest of the web world, I don't get why we have these (to me) nitpicking discussions over issues many programmers solve daily with a few lines of code and never question again. Plus as Sean says my email is easier for me to remember than a username.

Why can't we have a combined username/email field where both values are unique? Seems to be the trend for apps that don't use either as the single handle. Best of both worlds, no security risk in the current way.

C
---
Caius Durling
ca...@caius.name
+44 (0) 7960 268 100
http://caius.name/

David Latapie

Dec 10, 2009, 5:47:54 PM
to habar...@googlegroups.com
2009/12/10 Caius Durling <ca...@caius.name>:
> -1 for Remove login with email.
> +1 for making it unique.

This is another proposal. Eighty4, you should either consider this
proposal invalid or reset (or even postpone) the vote.

Michael C. Harris

Dec 10, 2009, 6:13:18 PM
to habar...@googlegroups.com
2009/12/11 David Latapie <david....@gmail.com>:
> 2009/12/10 Caius Durling <ca...@caius.name>:
>> -1 for Remove login with email.
>> +1 for making it unique.
>
> This is another proposal. Eighty4, you should either consider this
> proposal invalid or reset (or even postpone) the vote.

A vote should be a last resort anyway. We should discuss things and try to
reach a consensus.

Personally, on my blog I don't want login by email. I can imagine I might want
it for clients. Seems to me it should be a plugin.

--
Michael C. Harris, School of CS&IT, RMIT University
http://twofishcreative.com/michael/blog
IRC: michaeltwofish #habari

rick c

Dec 10, 2009, 6:27:07 PM
to habari-dev
+1 for removing login by email

Many people will have the desire to have more than one account on
their blog, one for administration and one for day to day blogging.
Just like you don't log into your desktop with full admin rights for
day to day usage, many people won't want to log into their blog with
full admin rights just to write a post or manage comments. At the very
least, logging in as a normal user when you don't have admin
activities to do cuts down on the chance of accidentally making
unintended changes to the site.

Easy as it is to say to get another email, it is a pain. Either I have
to go through setting one up with my ISP, or create yet another
throwaway email with a web provider who has yet another way to collect
data on me. In each case, it is yet another email account I have to
maintain. Plus, it is yet another piece of information I have to
remember, so it is of no use in limiting the amount of information we
are required to know about ourselves.

Rick

David Latapie

Dec 11, 2009, 1:49:50 AM
to habar...@googlegroups.com
Hi,

2009/12/11 rick c <rickc...@gmail.com>:

> Many people will have the desire to have more than one account on
> their blog, one for administration and one for day to day blogging,
> Just like you don't log into your desktop with full admin rights for
> day to day usage, many people won't want to log into their blog with
> full admin rights just to write a post or manage comments.

Do not confuse "many power users or even alpha geeks which presently
constitutes the bulk of Habari users" and "many users"

Most people, even those running a self-hosted blog, could not care
less about separating sudo-ing and routine tasks. The delusion that
most people, or even a sizable minority of self-hosted web editors
comply by this (yet-useful) rule never keeps from striking me.

Ali B.

Dec 11, 2009, 6:03:39 AM
to habar...@googlegroups.com
+1 for removing logging in by email. Usernames are more secure. As appealing as logging in by email may seem, creating a privately known username makes it twice as hard to guess the login information.

--
Ali B./dmondark
http://awhitebox.com

rick c

Dec 11, 2009, 7:07:16 AM
to habari-dev
On Dec 11, 1:49 am, David Latapie <david.lata...@gmail.com> wrote:
> Hi,
>
> 2009/12/11 rick c <rickcock...@gmail.com>:
>
> > Many people will have the desire to have more than one account on
> > their blog, one for administration and one for day to day blogging,
> > Just like you don't log into your desktop with full admin rights for
> > day to day usage, many people won't want to log into their blog with
> > full admin rights just to write a post or manage comments.
>
> Do not confuse "many power users or even alpha geeks which presently
> constitutes the bulk of Habari users" and "many users"
>
> Most people, even those running a self-hosted blog, could not care
> less about separating sudo-ing and routine tasks. The delusion that
> most people, or even a sizable minority of self-hosted web editors
> comply by this (yet-useful) rule never keeps from striking me.
>

Even if this were true, and it may well be given that operating
systems today generally enforce the separation rather than relying on
users to voluntarily do so, why make it harder for a user to apply
this "yet-useful" rule, and thus decrease the likelihood that they
will do so?

Rick

David Latapie

Dec 11, 2009, 7:16:20 AM
to habar...@googlegroups.com
2009/12/11 rick c <rickc...@gmail.com>:
> why make it harder for a user to apply
> this "yet-useful" rule, and thus decrease the likelihood that they
> will do so?

Touché! Well, I have nothing to answer to that.

Sean T Evans

Dec 11, 2009, 12:24:46 PM
to habar...@googlegroups.com
Ali B. wrote:
> +1 for removing logging in by email. Usernames are more secure. As appealing
> as logging in by email may seem, creating a privately known username makes
> it twice as hard to guess the login information.
>

Is there any evidence to back up this assertion? It only holds true if
you use A) a unique username, or that every site you use that
username on offers the option of having a different display name and B)
the same e-mail address for each site.

In my case, I tend to use the same username, but different e-mail
addresses for different sites. Therefore, in my case at least, removing
the option to login by username and _only_ allowing login by e-mail
would be more secure.

As I've advocated before, I think instead of us making assumptions about
how users want to interact with the software, we should, when we have
the opportunity, take the option that gives the most flexibility. Keep
the core simple and open, and allow customization via plugin.

--
Sean

eighty4

Dec 11, 2009, 1:24:16 PM
to habari-dev
"A vote should be a last resort anyway. We should discuss things and
try to reach a consensus."

True, but arguing in #habari we didn't seem to reach a consensus and
people asked for a vote. And given that many responses here it seems
it wasn't that easy to reach a consensus here either :)

The reason I voted +1 is because I _really_ hate how WP is handling
this. A MU install demands different emails for every user. Sure you
can use a gmail and use +1,+2 and so on but it just feels stupid.

"Our society of information requires us to memorise way too much
information. What is my nick here? The usual one? Well, maybe I took
this one here because I remember it was taken on this site - or was it
on the other one?"

Habari is not, and will probably never be, a community site. Your nick
will most likely always be free.


"Change the user creation system so that if a person attempts to create
an account using an e-mail already in the DB they are presented with a
dialog that says something along the lines of "An account with that
e-mail address already exists. If you wish to create another user with
the same e-mail address, the new user will not be able to login using
the e-mail address. Do you wish to continue?"

This allows the user to:
A) Decide they're okay with only logging in via username
B) Use a different e-mail address
C) Realize they've already established an account on the site and login
rather than creating a new user."

That introduces two different flows a user can follow and could
potentially confuse users. However if your email is already taken it's
most likely already used by you :). And the user that cannot
understand that (s)he can't use the same "identifier" for multiple
accounts will probably not be able to create an account anyway...

Counting the votes we're +1 in total with at least one new suggestion.
I suggest we close this vote and let BigJibby code whatever solution
he feels like. Who's in favor? I vote +1 on that...

Caius Durling

Dec 11, 2009, 1:33:01 PM
to habar...@googlegroups.com
On 11 Dec 2009, at 18:24, eighty4 wrote:
> let BigJibby code whatever solution he feels like.

The following springs to mind: "It's easier to ask forgiveness than it is to get permission"

David Latapie

Dec 11, 2009, 2:15:50 PM
to habar...@googlegroups.com
2009/12/11 eighty4 <m...@eighty4.se>:
> Habari is not, and will probably never be, a community site. Your nick
> will most likely always be free.

So you will have a nick for Habari and a email for something else? You
may reply that presently, nick is a much more authentication method
than mail, and you would be right. Maybe in five years, if the
momentum moves to email login. But this is just food for thought.
Basically, I have nothing solid to reply to you :)

> he feels like. Who's in favor? I vote +1 on that...

:)

+1

Owen Winkler

Dec 11, 2009, 2:59:36 PM
to habar...@googlegroups.com
On 12/11/2009 12:24 PM, Sean T Evans wrote:
>
> Is there any evidence to back up this assertion? It only holds true if
> you use A) a unique username, or that every site you use that
> username on offers the option of having a different display name and B)
> the same e-mail address for each site.
>
> In my case, I tend to use the same username, but different e-mail
> addresses for different sites. Therefore, in my case at least, removing
> the option to login by username and _only_ allowing login by e-mail
> would be more secure.

Of course the security of either option changes when you focus on one
use case or another. Yours may be directly the opposite of mine, making
the alternative more secure. I think it's worthwhile to consider in
abstract both what is more secure empirically and is most
straightforward to implement (therefore more secure by being a simpler
implementation).

Assuming a user wanted the added security of a less easily guessed
username, and the two options available were either a username that
could be any combination of characters (including an email address) or
an email address absolutely, I think it's obvious that the range of
possible values that the former option allows makes it the superior
choice. (This is my argument against enforcing password "strength" by
insisting on length and minimum character-class inclusion, since doing
those things ultimately results in cryptographically fewer absolute
potential options.)

There is also a potential case to be made that allowing use of an
arbitrary string as a login may allow more flexibility in passing values
to an external (pluggable) authentication system.

Regarding implementation, making the email address unique is a database
change. It's a structural change, which must be done across database
engines. As we've seen from doing this in the past, it's non-trivial.
It also may cause some issues for installations that already have
multiple user accounts using the same email address, since simply
setting the field to be row-unique will generate errors on those
duplicate rows; errors that must be accounted for. We would likely need
to provide a way for users to specify replacement emails for those rows
that generate errors.

Conversely, removing the ability to log in with an email address amounts
to reducing the core code size by 6 lines, and doesn't alter the
database (see attachment). If you still want to use your email address
as a username, I suspect you'll still be able to do that -- it'll just
be stored in both the username and email fields, and you'll need to set
a clean displayname in your profile so that your email address doesn't
show up as the author of your posts.

Blah blah blah. Etc. Ad infinitum.

> As I've advocated before, I think instead of us making assumptions about
> how users want to interact with the software, we should, when we have
> the opportunity take the option that gives the most flexibility. Keep
> the core simple and open, and allow customization via plugin.

This is not an issue solely about flexibility, though. It is also not an
assertion based on how we expect users want to log in. There is a hint
of security at play. We are talking about logins, after all.

In cases where security is an issue, I advocate that we choose a default
that provides the most security, and allow the user to add plugins that
erode that security of their own volition. That other sites feel that
email addresses are sufficiently secure to use as usernames should have
little bearing on what we consider secure. If other blogging apps
jumped off a bridge, etc.

All of that said, I think Habari's landscape has just had another
woodshed erected. As heard elsewhere in the thread, someone should just
code something (see patch). I suspect the easiest implementation will
probably be the best one for users, too.

Owen





no-email-passwords.diff
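
Added example, not code from Habari or from the attached patch: the two problems discussed in this thread (the ambiguous e-mail lookup from the first message, and the duplicate rows that block a unique-email schema change) shown with Python and SQLite. The `users` table, its column names, the function names and the sample rows are all hypothetical and constructed for illustration; resolving a shared e-mail to no account is this example's choice, not a behaviour stated in the thread.

```python
import sqlite3

# Constructed sample data. The table and column names are hypothetical,
# not Habari's actual schema.
SAMPLE_USERS = [
    ("admin", "owner@example.test"),
    ("writer", "owner@example.test"),   # second account, same e-mail
    ("guest", "guest@example.test"),
]

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY,"
               " username TEXT NOT NULL UNIQUE, email TEXT NOT NULL)")
    db.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                   SAMPLE_USERS)
    return db

def resolve_login(db, identifier):
    """Map a login identifier to exactly one user id, or None.

    Username wins; an e-mail shared by several accounts resolves to
    nobody instead of to whichever row the database returns first."""
    row = db.execute("SELECT id FROM users WHERE username = ?",
                     (identifier,)).fetchone()
    if row:
        return row[0]
    rows = db.execute("SELECT id FROM users WHERE email = ?",
                      (identifier,)).fetchall()
    return rows[0][0] if len(rows) == 1 else None

def duplicate_emails(db):
    """Return {email: [usernames]} for every e-mail used more than once."""
    dups = {}
    query = ("SELECT email, username FROM users WHERE email IN"
             " (SELECT email FROM users GROUP BY email HAVING COUNT(*) > 1)"
             " ORDER BY email, username")
    for email, username in db.execute(query):
        dups.setdefault(email, []).append(username)
    return dups

def add_unique_constraint(db):
    """Add the unique index only when no existing row would violate it.

    Returns (True, {}) on success, or (False, duplicates) so the caller
    can collect replacement addresses before retrying."""
    dups = duplicate_emails(db)
    if dups:
        return False, dups
    db.execute("CREATE UNIQUE INDEX users_email_unique ON users (email)")
    return True, {}

def raw_unique_index_fails(db):
    """Report whether the unguarded schema change errors on current rows."""
    try:
        db.execute("CREATE UNIQUE INDEX users_email_unique ON users (email)")
    except sqlite3.DatabaseError:
        return True
    return False
```
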