What are the pros and cons of using an email address as a user id?

 

I'm creating a web app that requires registration/authentication, and I'm considering using an email address as the sole user id. Here are what I see as the pros and cons (updated with responses):

PROS

  • One less field to fill out during registration (it would just be email address, password, and verify password). I'm a big fan of minimalistic registration.

  • An email address is easier to remember. (thanks Mitch, Jeremy)

  • You don't have to worry about your favorite username being taken already - you're the only one who uses your email address. (thanks TStamper)

    • CONS

  • User has more to type every time they log in.

  • What if a user wants multiple accounts? They'll need another email address. (Do I even want a user to be able to create multiple accounts?)

  • Easy for a potential attacker to guess (if they know the target's email address, they know the login id). (thanks Vasil)

  • Users may be tempted to use the same password they use for their email account, which is bad security. (thanks Thomas)

  • If you change email addresses frequently, it may be difficult to remember which address you used to sign up for a site after a long hiatus. (thanks Software Monkey)

  • A hacker could spam the registration form and use "email already taken" responses to generate a list of valid emails. (thanks David)

  • Not everyone has an email address. (thanks Nicholas)

    • If I went with email as id, I would provide a mechanism to allow it to be changed in the event a user changes address. In this case users would not be posting content to a public site, so a separate username won't be necessary to protect the email addresses (but it is something to consider for other sites).

    Another option is to implement OpenID (which is a whole other debate).

    This seems to work for Google, but their services are tightly integrated. What have I missed in my analysis? Do you have any recommendations? Does anyone have experiences to share?

    FINAL EDIT

    Thank you all for your responses. I have decided to use email as an id, but then allow the creation of a username for login purposes after registration. This allows a little flexibility while keeping registration as short as possible. It also prevents problems when a user changes email addresses (they can just log in with their username and update it). I will also be implementing methods to prevent brute-forcing of email addresses out of the registration and login systems (mainly a cool-down period after repeated attempts).

    I tend to not prefer pro/con lists, and instead try to think of benefits and challenges.

    Challenge:

    Some users will be tempted to use their email address from their ISP. Linking to an email alone, may be difficult for the users who forget to update their email in all the web sites they have signed up for before they change ISPs.

    Instead:

    You should consider allowing a user to provide multiple addresses, as well user-selected id and then let the user decide what they want they wish to do. Perhaps also consider allowing the user to provide an OpenID account.

    Personally, I prefer just using my email address as a username. It's one less thing to remember, and I never have to worry about my preferred name being already taken.

    Just my 2 cents!

    I think you missed a PRO:

    Users are likely to remember their email address; and as email addresses are unique, they never have to worry about their preferred username being taken already.

    链接地址: http://www.djcxy.com/p/16584.html

    上一篇: 为什么一个电子邮件地址不能超过254个字符?

    下一篇: 使用电子邮件地址作为用户ID有什么优点和缺点?