Possible log-in change - feedback and votes please

We are thinking of forcing log-in by email address rather than visible user name. This should cure t

  • an unacceptable inconvenience

    Votes: 3 5.0%

  • slightly irritating

    Votes: 7 11.7%

  • no problem

    Votes: 42 70.0%

  • sesame honey baklava

    Votes: 4 6.7%

  • unfair to spambots

    Votes: 4 6.7%
  • Total voters
    60
Status
Not open for further replies.
bubba

bubba

Administrator
Echoing a similar topic started by Toby on ukbouldering:

Bubba thinks this is the way forward. Anyone have any concerns or problems? All registered users already have email addresses registered at the site - you can find yours at your profile.

An obvious problem is infrequent users who aren't aware of the change in procedure and have forgotten their registered email address. This can obviously be solved by a manual process (email the admins) but some people may not be arsed ...
 
bubba

bubba

Administrator
You can't / shouldn't be sharing an email address.

By that I mean you can't register two profiles with the same email address - the forum won't let you.
 
S

SpeleoTrog

Member
Like Bubba said on the forum woes thread, if you use a decent password manager like LastPass then the change won't affect you anyway.
 
Hughie

Hughie

Active member
bubba said:
You can't / shouldn't be sharing an email address.

By that I mean you can't register two profiles with the same email address - the forum won't let you.
Click to expand...

But it does......
Just done it.
 
bubba

bubba

Administrator
Really? Are you sure?

I've just tried to register another account using the email address in use on this one and it wouldn't let me.

I then tried to change another already existing account to use that email address and it also wouldn't let me.

Please let me know how you got round the checks, and the two profiles involved. I've checked your profile and there's only one user using your email address.





 
bubba

bubba

Administrator
Also, it'd be interesting to hear from those who have voted for "unacceptable inconvenience".  Presumably if you have chosen this option then if we implement these changes you will no longer be using the forums.

Is this because you haven't been repeatedly logged out by bots, don't care that loads of other people have been, or just can't be bothered typing a different series of characters in order to gain access? Or is it something else?
 
D

dunc

New member
bubba said:
Is this because you haven't been repeatedly logged out by bots, don't care that loads of other people have been, or just can't be bothered typing a different series of characters in order to gain access? Or is it something else?
Click to expand...
Sounds about right.
I'm all for the changes and can't see why it would be an inconvenience in the slightest!
 
Les W

Les W

Active member
But unless you log on at a shared computer, you only need do it once and let it remember and there is no further inconvenience. Its a no brainer for me.
 
droid

droid

Active member
Les W said:
But unless you log on at a shared computer, you only need do it once and let it remember and there is no further inconvenience. Its a no brainer for me.
Click to expand...

Not always.

Not for me, anyway. But logging in manually takes seconds, only a slight inconvienience.
 
JasonC

JasonC

Well-known member
bubba said:
Bubba thinks this is the way forward. Anyone have any concerns or problems? All registered users already have email addresses registered at the site - you can find yours at your profile.
Click to expand...

- but we could still log in and stay logged in, I take it ?  If so, then no problem whatsoever.

Actually it wouldn't be a big deal even if we had to log in each time.  Decent browsers allow you to remember login credentials for a page, so when you've done it once, it's only a click to log in subsequently.
 
bubba

bubba

Administrator
The only difference to how things are now is that when you actually have to login to the forum, instead of typing your username in the "username" field you'd type your email address. Nothing else changes.

The bots are logging people out because they have a look at the forum, collect usernames from posts and then attempt to log in as that user by trying to guess their password. This logs the real user out.

If the new system is implemented this will never happen. The bot will attempt to log in using the username, but as the forum won't recognise that as a valid login attempt (unknown user), the real user cannot be logged out.
 
Elaine

Elaine

Active member
I'm happy to do whatever is necessary to log on - although if I have a different email address to Hugh I hope you are able to let me know what it is! As I don't know.
 
AndyF

AndyF

New member
I don't mind , you guys have to do what is best, but isn't it simpler to just not log out a user on a failed login attempt?

I suppose though, doing as you propose reduces the risk as a successful spam-bot login where people have used a poor password (e.g. their username!)



 
bubba

bubba

Administrator
Elaine said:
I'm happy to do whatever is necessary to log on - although if I have a different email address to Hugh I hope you are able to let me know what it is! As I don't know.
Click to expand...

You can check by looking in your profile at "account settings".

It's a pretty rare situation where two people only have one email address between them - don't you have a webmail account somewhere?
 
bubba

bubba

Administrator
AndyF said:
isn't it simpler to just not log out a user on a failed login attempt?
Click to expand...
You're allowed three incorrect login attempts. After that you get sent to the password reminder screen.

This also has the side-effect of logging you out elsewhere. I guess that the SMF designers made the decision that if you can't remember your password then you shouldn't be logged in in the first place! This is a fair assumption but the decision was probably made before these bots were common - it's possible that things may change in SMF 3.0 but that's going to be years away so we have to work with what we have.

There is the option to increase the threshold of incorrect login attempts but that wouldn't really make any difference as these bots plug away 24/7.
 
graham

graham

New member
Les W said:
But unless you log on at a shared computer, you only need do it once and let it remember and there is no further inconvenience. Its a no brainer for me.
Click to expand...

Yup.
 
Status
Not open for further replies.
Top