User Security

[Dog Cow]

2. User login via Email address

There goes the option to allow multiple users to have the same address.

Depends on the authentication method doesn't it. But I really don't see the use in it anyway.

What other features are in phpBB 3 which you don't see the use for?

[bobtheman]

The memberlist is fine, I'm sure the new style will have a much improved UI but essentially the purpose will remain the same, Is there a need to change it? IS there something 10 times better it can be replaced with? Discuss what exactly you would want in the new memberlist.

Email isnt much of a bad idea, mind you though its still obtainable.

I think the only need to change the member list, besides listing usernames for security reasons, is for usability and appearance. Seems impractical for a community based software to search for users though one large list by using filters... member list should reflect the updates of the friends management system and be more user friendly. Yes the description is vague but the concept is a common agreement that the majority can relate to.

Dog Cow, maybe we could discuss the necessity or lack of multiple users using the same email address, is this common, and should we continue to support this feature compared against having users authenticate via email.

If we changed to authentication with email, and we wanted to continue to support this feature, i can think of a few easy fixes.
1. Not allowing users under the same email to have the same password allowing the password to determine what user is logging in
2. When logging in with a shared email account where multiple users are present there could be more information requested like the username

[ameeck]

bobtheman: Those fixes might be easy, but have many drawbacks.

I see you have a lot of suggestion concerning the memberlist. It isn't directly related to this topic, do you think you would create an initial document which we can discuss?

[Nelsaidi]

If we changed to authentication with email, and we wanted to continue to support this feature, i can think of a few easy fixes.
1. Not allowing users under the same email to have the same password allowing the password to determine what user is logging in
2. When logging in with a shared email account where multiple users are present there could be more information requested like the username

User changes password, new password = "abc123" - Error, "existing user has this password" :/ - Having such a multi email woul;d not work, you'd have to have a unique salt/encrypt each password, but how do you know which? It isnt much of a good idea tbh - Login by email then email must be unique.

[bobtheman]

i guess we could look into, having users share email address's with multiple usernames... is this common should we continue to support it and would changing stand to benefit?

[Nelsaidi]

Me thinks pretty much all users will each have a unique address unless they create a second account as a replacement, etc.

Think about which is easier to type, nelsaidi or [email protected] ? - Security will be little enhanced, having a password like abc will be just as vulnerable in both scenarios.

But one thing I'm thinking surely the different method can be easily created/modified - To change from email to this shouldnt be difficult, likewise from a logon name to username

[Dog Cow]

Think about which is easier to type, nelsaidi or [email protected] ?

Good point. As an admin, I don't use auto-login, so I like not having to type in a long username to get in to my site. In fact, I even changed the login script so it will accept a user ID too. I just type '2', a tab, my password, Return, and I'm in!

[Kellanved]

The option to have a different login name is almost certainly in. It might make its entry as a 3.1 auth plugin, but that's pending at the moment. For 4.0, this is a far too specific feature request at this point in time, as we are primarily concerned about the high-level architecture.