When using email as login name, what precautions should I take for registration?
When your registration form is using a user ID that is the same as their email address, I'm somewhat concerned over spammers using the "User name is in use" message as a means to validate the existence of an email, or whether there are other concerns I need to know of for validation's sake (for instance, converting CaMeLcAsE to lowercase seems to be the status quo despite the RFC spec).
This question is not about OpenID.
This is a non-issue if you return the same message for both of the following cases:
- Invalid login/invalid pass
- Valid login/invalid pass
It is generally a bad idea to tell a user that his login is valid but his pass is invalid: doing so allows an attacker to find valid logins.
Sorry, my mistake. If this is just a concern for registration, then why not apply the same principle (share no information regarding account existence) and just let users re-register the account with the e-mail provided (chances are they've forgotten their password, so instead of sending the new registration e-mail, just send an e-mail with a link to reset the account password).
You should make sure the email address is not only real but in the control of the registrant. Send an email to that address with an activation link inside. Make visiting that link a requirement for activating their account. That way you know the email is both real and in the control of the user.
One check you may want to consider making is checking the DNS records of the email address's domain name to make sure MX records are set up for that domain. This helps to weed out fake email accounts like something@asfasdfasdf.com. Just keep in mind that it is possible to set up your mail records in such a way that this check will fail for some legitimate email addresses. I've never had that problem, but it is something to keep in mind.
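The two answers above fit together into one registration flow: the same reply whether or not the address is known, a password-reset link for a known address, an activation link for an unknown one, and a lowercase lookup key as the question describes. The following Python is an added example written for this page and is not code from any of the posters; the `Store` class, `GENERIC_RESPONSE`, and the in-memory outbox are constructed stand-ins for a database and a mail sender, and the MX lookup suggested above is left out because it needs network access.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


# Hypothetical in-memory stand-ins for a user table, a token table and the
# outgoing mail queue. Constructed for this example only.
@dataclass
class Store:
    users: Dict[str, dict] = field(default_factory=dict)                # key -> {"hash", "active"}
    tokens: Dict[str, Tuple[str, str]] = field(default_factory=dict)    # token -> (key, purpose)
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)    # (to, purpose, token)


# One reply for every outcome that depends on whether the address is known,
# so the form cannot be used to test which addresses have accounts.
GENERIC_RESPONSE = "If that address can receive mail, we have sent you a link to continue."


def normalize_email(raw: str) -> str:
    """Build the uniqueness key for an address.

    RFC 5321 makes the local part case-sensitive, but providers treat it
    case-insensitively in practice, so the whole address is lowercased for the
    lookup key only. Mail is still sent to the address as the user typed it.
    """
    addr = raw.strip()
    local, sep, domain = addr.partition("@")
    if not sep or not local or "@" in domain or "." not in domain.strip("."):
        raise ValueError("malformed address")
    return f"{local.lower()}@{domain.lower()}"


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as hex(salt)$hex(digest)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def register(store: Store, raw_email: str, password: str) -> str:
    """Handle a sign-up without revealing whether the address already has an account."""
    try:
        key = normalize_email(raw_email)
    except ValueError:
        # A syntax error says nothing about account existence, so it may be reported.
        return "Please enter a valid email address."

    # Do the expensive hashing on both paths so response time does not
    # distinguish a new address from a known one either.
    pw_hash = hash_password(password)
    token = secrets.token_urlsafe(32)

    if key in store.users:
        # Known address: mail a password-reset link instead of saying "already in use".
        store.tokens[token] = (key, "reset")
        store.outbox.append((raw_email.strip(), "reset", token))
    else:
        # Unknown address: create an inactive record and mail an activation link.
        store.users[key] = {"hash": pw_hash, "active": False}
        store.tokens[token] = (key, "activate")
        store.outbox.append((raw_email.strip(), "activate", token))
    return GENERIC_RESPONSE


def activate(store: Store, token: str) -> bool:
    """Consume a one-time activation token; success proves control of the inbox."""
    entry = store.tokens.pop(token, None)
    if entry is None or entry[1] != "activate":
        return False
    store.users[entry[0]]["active"] = True
    return True


if __name__ == "__main__":
    s = Store()
    print(register(s, "Alice@Example.COM", "correct horse"))
    print(register(s, "alice@example.com", "another try"))
    print([m[1] for m in s.outbox])  # ['activate', 'reset']
```

The second `register` call hits the same account as the first because both addresses normalize to the same key, yet the caller sees the identical generic reply; the only difference is which kind of link lands in the inbox. Consuming the `reset` token is left out here, but it would follow the same pop-once pattern as `activate`.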
They can only tell if it's a valid email address if that person has registered with your site, so it all depends on how popular your site gets.
I don't think that converting it to camelcase will change anything as they can easily convert to lower case or upper case if necessary.
Have you thought of putting a captcha on the site? Google's ReCaptcha is always a good one.
Update
You could put a "flipper" around the captcha code (and the code that validates it).
See how Flickr and Forrst do it