[thelist] Usernames and Passwords
Ken Snyder
ksnyder at coremr.com
Tue May 1 10:58:08 CDT 2007
Lee Kowalkowski wrote:
>> Email addresses are not
>> unique over time, so email cannot be unique in the database, so use
>> unique( email, password ) instead.
>>
>
> Is anything unique over time? (Rhetoric, I think...) People who
> forfeit their [important] email addresses should understand the
> consequences. I think your system would be far simpler if you
> dismissed this assumption.
>
>
I agree with Bill. My wife became the victim of email address
recirculation last month.

She was helping a computer-illiterate relative create an eBay listing.
My wife first created a Yahoo email account then used it to create an
eBay account. eBay apparently uses email as a unique identifier; the
problem is that the email address had been reclaimed by Yahoo after a
period of non-use. When eBay sent the confirmation to the Yahoo address
to "confirm" the account, my wife saw an "account confirmed" message for
another eBay account! It appeared to be a glitch: my wife confirmed a
different account and had no access to eBay under the username she
chose. After a tiring three-day hassle, eBay finally explained that my
wife would need to create another Yahoo mail account and another eBay
account.

Although eBay could have remedied the situation by some better
application logic, the heart of the problem is that email addresses are
not unique over time.

It is true that requiring a unique email+password combination is not
much better; in fact, there is the possibility (albeit remote) that one
user would access another user's account after mistyping their
password. It seems like the only fool-proof way is to require a unique
username, but apparently Bill is trying to get away from that for this
project.

Anyway, just wanted to share my story on the woes of email address
recirculation.

--Ken Snyder
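
The email+password collision described in the message above, as an added example that is not part of the original post: a constructed SQLite sketch in which one recycled address has two successive owners, compared with a unique-username scheme. Table names, helper functions, passwords and the PBKDF2 settings are all assumptions made for illustration.

```python
import hashlib, hmac, os, sqlite3

def kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE by_email (id INTEGER PRIMARY KEY, email TEXT, pw BLOB,
                       UNIQUE (email, pw));
CREATE TABLE by_username (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
                          email TEXT, salt BLOB, pw BLOB);
""")

def register_by_email(email, password):
    # UNIQUE(email, pw) only works if equal passwords give equal values,
    # so the salt cannot be random per account; here it is the address.
    cur = db.execute("INSERT INTO by_email (email, pw) VALUES (?, ?)",
                     (email, kdf(password, email.encode())))
    return cur.lastrowid

def login_by_email(email, password):
    # The password is part of the lookup key, so it selects the account.
    row = db.execute("SELECT id FROM by_email WHERE email = ? AND pw = ?",
                     (email, kdf(password, email.encode()))).fetchone()
    return row[0] if row else None

def register_by_username(username, email, password):
    salt = os.urandom(16)  # random per-account salt is possible here
    cur = db.execute(
        "INSERT INTO by_username (username, email, salt, pw) VALUES (?, ?, ?, ?)",
        (username, email, salt, kdf(password, salt)))
    return cur.lastrowid

def login_by_username(username, password):
    # The username selects exactly one row; the password only verifies it.
    row = db.execute("SELECT id, salt, pw FROM by_username WHERE username = ?",
                     (username,)).fetchone()
    if row and hmac.compare_digest(row[2], kdf(password, row[1])):
        return row[0]
    return None

# Constructed data: one recycled address, two successive owners.
ADDR = "recycled@example.com"
old_a = register_by_email(ADDR, "tulip1")
new_a = register_by_email(ADDR, "tulip2")
old_b = register_by_username("first_owner", ADDR, "tulip1")
new_b = register_by_username("second_owner", ADDR, "tulip2")
```

In the first scheme the second owner's one-character typo ("tulip1") returns the first owner's account id; in the second scheme the same typo is rejected.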