Posted

Since there's no place for feedback on the forum itself, this'll go here. This post from Affinity is so opposite to the truth and good security practices that it demands a rebuttal:

Quote

Because of the recent Forum Security Breach, we have looked at how we can improve security for all users. Allowing users to log in with a display name can represent a security weakness for the community because display names are public information and malicious users may attempt to login to multiple accounts with common passwords until they find an account for which the passwords work.

Forcing people to use E-mail addresses as user IDs is an amateur-hour practice that should be avoided. You'll note that high-security institutions like banks and brokerages do not use this scheme.

It is E-mail addresses, not usernames, that populate thousands if not millions of spammers' and hackers' lists. Hackers can iterate through those lists and attempt log-ins with a dictionary of common passwords and pretty much be guaranteed plentiful log-ins.

But that's not all. The people in this particular forum may be a bit more computer-savvy than the general public, but you need to consider that when many people are confronted by a site that demands their E-mail address and a password... they're going to think they need to use their E-mail password (or they will use it out of convenience). This makes relatively insecure Web sites and forums gatekeepers to thousands of people's E-mail accounts, ripe with opportunity for identity theft and other scams.

This is an ignorant, retrograde policy that should be abandoned. I am mystified that someone thinks an Affinity-forums user ID is more important to protect than someone's E-mail account.
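The attack both the quoted Affinity post and this reply describe is the same one, password spraying, whichever identifier the site accepts at login; the signal a defender looks for is one source failing against many distinct accounts in a short window, not which kind of identifier was typed. The following is an added example, not code from the forum or from Affinity, and it runs over constructed log lines in an assumed `src=... id=... result=...` format:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not from the forum). The id column holds
# whatever the site lets users log in with: an email address or a display name.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 id=alice@example.com result=fail
2024-05-01T10:00:03Z src=203.0.113.7 id=bob@example.com result=fail
2024-05-01T10:00:05Z src=203.0.113.7 id=carol@example.com result=fail
2024-05-01T10:00:07Z src=203.0.113.7 id=dave@example.com result=fail
2024-05-01T10:00:09Z src=203.0.113.7 id=erin@example.com result=fail
2024-05-01T10:00:11Z src=203.0.113.7 id=frank@example.com result=success
2024-05-01T10:00:20Z src=198.51.100.9 id=PixelPainter result=fail
2024-05-01T10:00:25Z src=198.51.100.9 id=PixelPainter result=fail
2024-05-01T10:00:30Z src=198.51.100.9 id=PixelPainter result=success
2024-05-01T11:30:00Z src=203.0.113.7 id=grace@example.com result=fail
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) id=(\S+) result=(fail|success)$")

def parse(log_text):
    """Yield (timestamp, source, identifier, result) tuples; skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3).lower(), m.group(4)

def detect_spraying(log_text, window=timedelta(minutes=10), min_accounts=5):
    """Return {source: set(accounts)} for sources whose failed logins touched at
    least min_accounts distinct identifiers within a sliding window of the given
    length. One account hammered repeatedly (plain brute force) is not flagged."""
    fails = defaultdict(list)  # source -> [(timestamp, identifier)]
    for ts, src, ident, result in parse(log_text):
        if result == "fail":
            fails[src].append((ts, ident))
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            accounts = {ident for ts, ident in events[i:] if ts - start <= window}
            if len(accounts) >= min_accounts:
                flagged[src] = accounts
                break
    return flagged
```

Calling `detect_spraying(SAMPLE_LOG)` flags only 203.0.113.7, which failed against five different accounts inside ten minutes; the repeated failures against the single display name PixelPainter are a different pattern and are left for a per-account lockout counter.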

Posted

Apple is more security-conscious than are many of those financial institutions and they have you logging in using an email address.

Not that they are particularly security-minded, but so does Microsoft I think?


Whether it is a simple username or an email address makes little difference in this context as any site or service worth its salt these days is going to encrypt it in transit alongside the password, and the forums do not display the email address for others to see, so the chance of the email address leaking is really no different than the chance of some arbitrary username leaking.

Behind the scenes they would generally be stored in the same table in some database either way if they were separate, so if a hacker got ahold of one by hacking the back-end, they would probably have the other too.


The notion of a separate username somehow protecting your email address from spam is a false security at best.


A more legitimate case for not using an email address as a username seems to come from the potential for the email address to change, and the possibility of someone else being assigned that email address after you stop using it. If you are using some email address to log into a site, and your email address changes while you are not actively using that site, then when you try to go back to that site and forget your password, if someone else has taken over the email address, the confirmation for the password change would go to them.

In and of itself this is bad, and the same problem exists even if you are using a different username than the email address - the password change confirmation would still go to the registered (now incorrect) email address, probably even listing the username so that whoever receives it then gets a big hint on how to take over your account.

It becomes a slightly bigger problem when someone tries to register for a new account using their new email address which happens to be your old one. If they try to register using that email address but the username doesn't match, you might think that would prevent them from taking over the account as they are unlikely to try the same username you picked and it will never match up, but most systems which allow alternative usernames will accept either the username OR the email address for authentication, and those which do not will often still have a way to "recover" your forgotten username by emailing the registered address - so if someone gets a message that the email address is already taken when they try to register, they can still recover the username and password and take over the account.


In the end, this too leads to a separate username providing false security for most sites.

Posted

As I mentioned, most people's E-mail addresses are already collected on spammers' lists for easy bulk attacks, whereas this is not true for proper user IDs. Those IDs could be scraped, but not collected as easily or widely as E-mail addresses.

Apple IDs were not originally required to be E-mail addresses. And even when Apple disappointingly adopted that requirement, they didn't have to be functioning addresses. Now Apple has just thrown in the towel on sensibility and created a mess, because (as you point out) E-mail addresses change, and people think they have to create a new Apple ID as a result. And after creating the problem, Apple has publicly and huffily refused to allow account consolidation.

Apple has also had to tack on additional measures to mitigate the resulting "hacks" of accounts, which were undoubtedly compromises based on weak E-mail-address/password combos.

I'm also not talking about hacking the back end, where of course the whole user record is compromised. I'm talking about logging in with stolen, sold, or guessed credentials... with spammers' E-mail-address lists providing an excellent starting point for sites that use E-mail addresses as IDs.

The fact that usernames aren't bulletproof doesn't change the fact that forcing them to be E-mail addresses is dumb, or that the stated reasons for doing so on this site are backward and wrong. You brought up additional valuable examples of why.
