What are the pros and cons of using an email as a username? [closed]

Answer 1

When you use Email addresses, it's easier for a member to change their username, for example when pwng0d69 wants to be known as Jon Skeet. However for each site that asks for my email address, personally I cringe at yet another source of potential spam.

Use Open ID :)

Answer 2

We used Arena Solutions 'Product Lifecycle Management' software before a change in company ownership mandated a change. It was one of those deals where all your sensitive company data is hosted somewhere offshore and could be accessed by browser from anywhere.

Arena PLM was touted as highly secure, but the (default) behaviour was to require an email address as a username. It allowed strong passwords with an expiry date, but when my password expired I was told I could choose another one, or just continue to use the old one!

I think the security claims were based on the use of SSH for data transfers, but it seemed to me a determined person could log in because

• The usernames were publically available company email addresses, and
• There was plenty of time to guess a password because a lazy user wouldn't choose a new one.

It means, of course, that the use and renewal of strong passwords must be enforced.

Answer 3

Another thing to remember is that if other users can also see the "username", you shouldn't use mail addresses due to privacy issues.

Answer 4

OpenID and OAuth .....It just appears better. Even less users to manage for them and it makes migrating in one place easier on a change.

Yes, you have to be careful. I would insist that the backup email address (an additional profile field) is different than the email address they are using for the user. Many systems also have some other fields that then can use to authenticate themselves if things get really hairy. At this point though, it would frequently require a tech support call.

Depending on the type of system, using email may be a security vulnerability. I know your email address, I don't know what you might put into a username prompt. If being able to easily guess a username is an issue, then I would not use email address.

Answer 5

I believe the cons outweigh the pros where security is concerned. Many companies recycle email addresses, hence, if a user no longer uses an email address (deleted his/her email account), it MIGHT be recycled back for any other person to use.

In that case any other person may receive periodic correspondence from your organization. This lets the new user know that the previous user of the account used to have a login with your organization. If you use simple email based password resets, without extra checks such as security questions, then all they need to do is recover the password using the email address they now own and they have access to that person's account.

I hope you are not programming for a bank. USBank.com uses a username and not a email. I also have an account with a credit union and they don't use email either but instead use account numbers, which they never recycle.

If security is the priority, never use email.

Answer 6

Email makes a good username as long as you provide a means for changing the email address. LinkedIn provides this as you create an account with an email as the username. They also allow you (once logged in) to change the primary email address which then changes your username to be that email address.

As long as you do something like this then you should be all set.