[thelist] Usernames and Passwords

Ken Snyder ksnyder at coremr.com
Tue May 1 10:58:08 CDT 2007


Lee Kowalkowski wrote:
>> Email addresses are not
>> unique over time, so email cannot be unique in the database, so use
>> unique( email, password ) instead.
>>     
>
> Is anything unique over time?  (Rhetoric, I think...)  People who
> forfeit their [important] email addresses should understand the
> consequences.  I think your system would be far simpler if you
> dismissed this assumption.
>
>   
I agree with Bill.  My wife became the victim of email address 
recirculation last month.

She was helping a computer-illiterate relative create an eBay listing.
My wife first created a Yahoo email account then used it to create an
eBay account.  eBay apparently uses email as a unique identifier; the
problem is that the email address had been reclaimed by Yahoo after a
period of non-use.  When eBay sent the confirmation to the Yahoo address
to "confirm" the account, my wife saw an "account confirmed" message for
another eBay account!   It appeared to be a glitch: my wife confirmed a
different account and had no access to eBay under the username she
chose.  After a tiring three-day hassle, eBay finally explained that my
wife would need to create another Yahoo mail account and another eBay
account.

Although eBay could have remedied the situation by some better
application logic, the heart of the problem is that email addresses are
not unique over time.

It is true that requiring a unique email+password combination is not 
much better; in fact, there is the possibility (albeit remote) that one 
user would access another user's account after mistyping their 
password.  It seems like the only fool-proof way is to require a unique 
username, but apparently Bill is trying to get away from that for this 
project.

Anyway, just wanted to share my story on the woes of email address 
recirculation.

--Ken Snyder




