使用电子邮件地址作为用户ID的优缺点是什么? [英] What are the pros and cons of using an email address as a user id?
问题描述
我正在创建一个需要注册/身份验证的网络应用程序,我正在考虑使用电子邮件地址作为唯一的用户ID。这是我所看到的利弊(更新为回应):
PROS
-
在注册期间填写一个字段(只是电子邮件地址,密码和验证密码)。我是简约注册的大粉丝。
-
您不必担心自己最喜欢的用户名已被使用 - 您是唯一一个使用您的用户名电子邮件地址。 (感谢 TStamper )
CONS
-
每次登录时,用户有更多的键入。 / p>
-
如果用户想要多个帐户怎么办?他们需要另一个电子邮件地址。 (我甚至希望用户能够创建多个帐户?)
-
容易让潜在的攻击者猜测(如果他们知道目标的电子邮件地址,他们知道登录ID)。 (感谢 Vasil )
-
用户可能会被诱惑使用与他们用于他们的电子邮件帐户相同的密码,这是不好的安全性。 (感谢托马斯)
-
如果您更改电子邮件经常发生地址,可能很难记住在长时间中断之后您曾经注册过一个站点的地址。 (感谢软件猴子)
-
A黑客可能会垃圾邮件注册表单,并使用已经采取电子邮件的响应来生成有效的电子邮件列表。 (感谢大卫)
-
不是每个人都有电子邮件地址。 (感谢尼古拉斯)
如果我使用电子邮件身份验证,我将提供一种机制,以便在用户更改地址时更改该机制。在这种情况下,用户不会将内容发布到公共网站,因此不需要单独的用户名来保护电子邮件地址(但是其他网站需要考虑)。
另一个选择是实现OpenID(这是一个其他的争论)。
这似乎适用于Google,但是他们的服务是紧密集成的。我在分析中错过了什么?你有什么建议?有没有人有经验分享?
FINAL EDIT
你的回应我已经决定使用电子邮件作为ID,但是在注册后可以创建登录用户名。这允许在保持注册尽可能短的同时有一点灵活性。它还可以防止用户更改电子邮件地址时出现问题(他们只需使用用户名登录并进行更新)。我还将实施防止强制电子邮件地址退出注册和登录系统的方法(主要是经过反复尝试后的冷静期)。
我倾向于不喜欢亲/ conㄧlists,而是试图考虑好处和挑战。
挑战:
有些用户会试图从他们的ISP使用他们的电子邮件地址。只有连接到电子邮件,对于在更改ISP之前,忘记在所有已注册的网站上更新电子邮件的用户可能很难。
相反:
您应该考虑允许用户提供多个地址以及用户选择的ID,然后让用户决定他们想要做什么。也许也考虑允许用户提供一个OpenID帐户。
I'm creating a web app that requires registration/authentication, and I'm considering using an email address as the sole user id. Here are what I see as the pros and cons (updated with responses):
PROS
One less field to fill out during registration (it would just be email address, password, and verify password). I'm a big fan of minimalistic registration.
An email address is easier to remember. (thanks Mitch, Jeremy)
You don't have to worry about your favorite username being taken already - you're the only one who uses your email address. (thanks TStamper)
CONS
User has more to type every time they log in.
What if a user wants multiple accounts? They'll need another email address. (Do I even want a user to be able to create multiple accounts?)
Easy for a potential attacker to guess (if they know the target's email address, they know the login id). (thanks Vasil)
Users may be tempted to use the same password they use for their email account, which is bad security. (thanks Thomas)
If you change email addresses frequently, it may be difficult to remember which address you used to sign up for a site after a long hiatus. (thanks Software Monkey)
A hacker could spam the registration form and use "email already taken" responses to generate a list of valid emails. (thanks David)
Not everyone has an email address. (thanks Nicholas)
If I went with email as id, I would provide a mechanism to allow it to be changed in the event a user changes address. In this case users would not be posting content to a public site, so a separate username won't be necessary to protect the email addresses (but it is something to consider for other sites).
Another option is to implement OpenID (which is a whole other debate).
This seems to work for Google, but their services are tightly integrated. What have I missed in my analysis? Do you have any recommendations? Does anyone have experiences to share?
FINAL EDIT
Thank you all for your responses. I have decided to use email as an id, but then allow the creation of a username for login purposes after registration. This allows a little flexibility while keeping registration as short as possible. It also prevents problems when a user changes email addresses (they can just log in with their username and update it). I will also be implementing methods to prevent brute-forcing of email addresses out of the registration and login systems (mainly a cool-down period after repeated attempts).
I tend to not prefer pro/con lists, and instead try to think of benefits and challenges.
Challenge:
Some users will be tempted to use their email address from their ISP. Linking to an email alone, may be difficult for the users who forget to update their email in all the web sites they have signed up for before they change ISPs.
Instead:
You should consider allowing a user to provide multiple addresses, as well user-selected id and then let the user decide what they want they wish to do. Perhaps also consider allowing the user to provide an OpenID account.
这篇关于使用电子邮件地址作为用户ID的优缺点是什么?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
