[thelist] Usernames and Passwords

Lee Kowalkowski lee.kowalkowski at googlemail.com
Wed May 2 03:10:42 CDT 2007

On 01/05/07, Bill Moseley <moseley at hank.org> wrote:
> Email addresses are unique at any moment, but are not unique over time.
> And if you plan to keep data over time, well, they are not unique.

I think we're confusing something which is unique with something that
can belong to more than one person, either serially or in parallel,
both are possible, both are potentially problematic, but even over
time, it's still unique.  Maybe not in database terms admittely.

Unique means there's only one instance, true for an email address and
telephone number, but unique doesn't imply exclusivity.

If your system is using email address as a username, it definitely
should be unique on the database.

> The other approach, would be to only allow one email address and
> account to be active at the same time, but allow multiple email
> addresses and not active accounts.  Not sure how to enforce that in
> the database.

Make email address unique.  If you require tracability, keep the
change history on a separate table, where it is not unique.

> > I think email address alone (as a synonym for username) should be your PK.

Just to clarify, I meant instead of email+PW.

> Not primary key.  People can change their email address.

And you cannot change a primary key?  I'm sure you can.  I admit it's
not perfect.  For tracability over time, it'd make much more sense to
assign each user a serial number as PK.  But this will not be
requested during authentication, it will probably be transparent to
the user.  It will just simplify your design.

> > If someone gets their password wrong, which user is this recorded
> > against?  If you wanted to lock out a user (perhaps due to repeated
> > failed authentication attempts), which would it be?
> All.  email addresses are unique at any point in time.

We were talking about email+PW, then email address would not be
unique.  If you're saying email address is actually unique, good, I
mis-understood "email + password are the unique combination that
identifies an account", and perhaps fail to see any significant

> > I think "security is compromised anyway" is a feeble excuse for
> > storing passwords as plain-text.
> Well, I need to spend time digging up that research paper I read a few
> years back.  Their findings were that overall some tight security
> measures on the server side ended up making the system less secure due
> to the user compensating for the bother of the tighter security.

Whilst true I don't think that is relevant, not storing passwords as
plain text is tighter security that does not affect users at all.

I have seen some worthless password rules, the flagship has to be the
one where your new password must have different characters in all
positions.  Now that's just asking for trouble.

> > Yes, and people tend not to delete their email completely.  Let the
> > user choose their own password over an SSL connection.
> They can.

They can?  I'm sure the original post said their password was
generated and email to them.  Oh, they can - subsequently?!  Sorry, I
meant in the first place.  Don't generate the password and email it -
besides that's a lot more code than saving two form fields surely.
I'd rather have my users give me a password than write the routines
for generating and emailing.  Simplicitly is key.

> > > I'm not sure if that's more likely a risk than someone walking by
> > > their office and finding their "post-it" with their password written
> > > on their screen or just using their browser with the password saved.
> >
> > No, but that's not your responsibility, and should not be in your
> > arsenal of excuses.
> The user is 1/2 the security system.  You can't ignore what the user
> might do.

That is quite true.  You have to consider what your users may do as a
result of your security constraints, absolutely.  But the user is the
half that cannot be controlled (only constrained), and you are not
responsible for what they choose to do out of free will.  Sticking
post-its doesn't compromise your system, only their account.  Storing
passwords as plain text compromises your system, and all accounts.

People might keep their wallet in a shoe on the beach whilst swimming.
 "But A-ha! - It's pushed right the way down to the toe!  What
criminal mind could penetrate this fortress of security?" they might
think.  Perhaps if they hadn't fitted odour-eaters.

Still, an unusable security system is not secure.  If you had a
burglar alarm which was too difficult or onerous to operate.  It's
going to be unset more often than not.


More information about the thelist mailing list