
Mar 27, 2023 - 4:50:31 PM

rcc56

USA

4682 posts since 2/20/2016

I find that today, my log-in is asking for my email address rather than my user name.
I'm not sure that I am comfortable with that.

Is this new policy, or have I hit a "wrong button" on my computer?

Mar 27, 2023 - 4:59:29 PM
Players Union Member

schlange (Administrator)

USA

6021 posts since 1/20/2003

Yup, change we made today: banjohangout.org/topic/389554

Why are you not comfortable with it?

Mar 27, 2023 - 5:10:44 PM

rcc56

USA

4682 posts since 2/20/2016

I'm more sensitive than average about frequently entering my email address or any other personal data than a lot of other folks.
I don't pay bills, do banking, transmit my credit card or social security numbers, or file my taxes on the computer.

I worry that frequent use of my email address might make it easier for hackers, phishers, etc. to get into my email account. Maybe I'm too cautious, but I built and repaired computers for a living in an earlier life, and I know that no information sent over the internet is completely "safe and secure."

Edited by - rcc56 on 03/27/2023 17:14:18

Mar 27, 2023 - 5:19:40 PM

kww

USA

2429 posts since 6/21/2008

quote:
Originally posted by schlange

Yup, change we made today: banjohangout.org/topic/389554

Why are you not comfortable with it?


It disturbs me as well. My e-mail address is extremely easy to associate across numerous accounts and sites. It's not like the variations on my name that I tend to use pose some extreme barrier, but at least it's beyond a robotic script to put them all together. I strongly prefer usernames.

Mar 27, 2023 - 5:31:04 PM
Players Union Member

schlange (Administrator)

USA

6021 posts since 1/20/2003

Interesting.

You guys realize I'm not displaying your email address anywhere, right? You entering it as a login doesn't expose it to the world. It's already saved to your account and in our database, as it always has been.

Yes, your email address is sent via the login form back to our servers - but that is HTTPS encrypted, and really, that's not something hackers target much these days. Too much work. What they DO target much more is scraping usernames from a website, then using them and a botnet to try to log in using common passwords.

For that reason, using emails instead of your public usernames as your login makes everything much more secure.

Mar 27, 2023 - 5:36:58 PM

kww

USA

2429 posts since 6/21/2008

quote:
Originally posted by schlange

Interesting.

You guys realize I'm not displaying your email address anywhere, right? You entering it as a login doesn't expose it to the world. It's already saved to your account and in our database, as it always has been.

Yes, your email address is sent via the login form back to our servers - but that is HTTPS encrypted, and really, that's not something hackers target much these days. Too much work. What they DO target much more is scraping usernames from a website, then using them and a botnet to try to log in using common passwords.

For that reason, using emails instead of your public usernames as your login makes everything much more secure.


Except that if someone finds a password combined with my e-mail address working on some site, they are likely to start trying to use it in multiple places to see if the same pairing works. I wish I were perfect and had a unique password for every site, but I'm not. I'm not alone, either. I do have six or seven variations of my name that I use on sites that still permit usernames, and the number of times that the same username:password combination will let you in is much more limited.

Mar 27, 2023 - 8:40:20 PM

1805 posts since 4/13/2017

Maybe I am mistaken, but unless someone has built a computer designed to crack passwords (which are expensive to build, and a "conventional computer" would likely not be able to handle such an intensive task), and unless someone successfully hacks into BHO's databases and steals your password (which still is nearly useless because passwords are hashed, and there is no way to reverse hashing - only by using a password cracking computer to continually test for a matching hashed value), it's still a complete guessing game.

The first method is brute force (guessing the password while trying to log in until they find the correct password), the other method is basically the same but without the brute force part (hashing guessed passwords until they find a matching hashed value, then login with one attempt).

Most websites guard against brute force attacks on user accounts because they lock login attempts after a set number of incorrect attempts. Second, lots of websites guard against logins from IP addresses different from the one you typically log in from.

Also, as Eric stated earlier, this information is sent over HTTPS, which these days is heavily encrypted. It would likely be a waste of processing power for a hacker's computer to try to sniff the packets being sent over HTTPS, and also as Eric already said, it's something hackers rarely target these days.
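An added example, not part of the original post and not Banjo Hangout's code: it contrasts the per-account lockout described above with the "common password against many scraped usernames" pattern the administrator mentioned earlier in the thread. The thresholds, function names and log events are assumptions constructed for illustration.

```python
from collections import defaultdict

LOCKOUT_FAILS = 5    # assumed policy: failures on one account before it locks
SPRAY_ACCOUNTS = 5   # assumed alert level: distinct accounts failed by one source
WINDOW = 600         # seconds of history considered for both checks

def build_events():
    """Constructed sample log: (epoch_seconds, source_ip, account, success)."""
    # One source fails once against each of six different accounts.
    events = [(1000 + 20 * i, "203.0.113.9", f"user{i}", False) for i in range(6)]
    # A legitimate member mistypes their own password five times, then gets in.
    events += [(1200 + 10 * i, "198.51.100.4", "member", False) for i in range(5)]
    events.append((1300, "198.51.100.4", "member", True))
    return sorted(events)

def locked_accounts(events):
    """Classic lockout: N failures on the same account inside the window."""
    recent, locked = defaultdict(list), set()
    for ts, _ip, account, ok in events:
        if ok:
            recent[account] = []          # a good login resets the counter
            continue
        recent[account] = [t for t in recent[account] if ts - t < WINDOW] + [ts]
        if len(recent[account]) >= LOCKOUT_FAILS:
            locked.add(account)
    return locked

def spraying_sources(events):
    """Flag sources whose failures are spread across many distinct accounts."""
    recent, flagged = defaultdict(list), set()
    for ts, ip, account, ok in events:
        if ok:
            continue
        recent[ip] = [(t, a) for t, a in recent[ip] if ts - t < WINDOW]
        recent[ip].append((ts, account))
        if len({a for _t, a in recent[ip]}) >= SPRAY_ACCOUNTS:
            flagged.add(ip)
    return flagged

if __name__ == "__main__":
    ev = build_events()
    print("locked:", locked_accounts(ev))      # only the member who mistyped
    print("spraying:", spraying_sources(ev))   # only the one-try-per-account source
```

On this sample the lockout fires only for the member who mistyped, so a site that relies on lockout alone also needs the second, per-source view to see the spread-out failures.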

Mar 27, 2023 - 9:09:41 PM

kww

USA

2429 posts since 6/21/2008

It's the other way around: if someone has easypassword associated with billybob@example.com, and that gets leaked in any fashion, the easiest thing to do is to go try that combination at every site that uses e-mail addresses as usernames. It's quite likely to work on a large number of sites.

Edited by - kww on 03/27/2023 21:10:17

Mar 27, 2023 - 9:12:48 PM

banjoy

USA

11139 posts since 7/1/2006

I agree that this change is more secure. As Eric said, your email address is never displayed anywhere on this site. There is very little chance someone with your email address would just guess you have an account on BHO.

And if a hacker hacked your BHO account, there is no personal information there for them to glean anyway. No address, phone number, no SSN, no other Personally Identifiable Information is held in your BHO account. There is nothing of value for a hacker to go through all that for.

Whereas a screen name IS visible to the public, giving a hacker 1/2 the info in public view, to gain control over an account.

If this makes you uncomfortable, then the easiest solution is to set up another email account just for BHO use. Email accounts are still free, Google and Yahoo offer pretty good free service.

ANOTHER possible solution Eric probably considered was to make screen names private as well, but no fun in that, right?

I'm okay with this change. It's not a big deal, IMHO.

Mar 27, 2023 - 9:54:48 PM

KCJones

USA

2347 posts since 8/30/2012

quote:
Originally posted by banjoy

ANOTHER possible solution Eric probably considered was to make screen names private as well, but no fun in that, right?


Thread drift, but I'd welcome that change. No need for full anonymity on the backend, but removing usernames from posts would do well to eliminate a lot of issues seen on this and other forums. It works well to encourage quality content that is judged on its own merit rather than on the reputation of the poster. Also makes personal issues between users disappear completely.

Back to the topic at hand, there is one way to gain access to the email account associated with a BHO username: Send the user a PM. If they respond, the response comes directly from their email address. Now you've got their email. This could easily be automated with a bot if a hacker was particularly motivated.

Why anyone would care to gain unauthorized access to a BHO account is probably the bigger question. But that's beside the point.

Edited by - KCJones on 03/27/2023 21:55:14

Mar 27, 2023 - 10:27:52 PM

kww

USA

2429 posts since 6/21/2008

quote:
Originally posted by KCJones

Why anyone would care to gain unauthorized access to a BHO account is probably the bigger question. But that's beside the point.


That's why I'm not particularly excited about this change ... no credit card numbers or SSNs here to steal. But the world's transition to email addresses as usernames (or username substitutes) makes us all a little less secure. I used to be KWW, KevinWayneWilliams, KWayneWilliams, KWWilliams, KevinWayneW, or KWayneW on different sites as the mood struck me. Even if I got sloppy and repeated a password, some human would have to get involved to figure out to try the stolen password with each of those names. Now, if they get a password associated with my e-mail address anywhere, they will try it everywhere. If I screw up and repeat a password, they'll get in everyplace I repeated.

Do you actually have a unique password for every site? Most of us try, but ultimately get sloppy when the effort of having to remember so many gets to be too much.

Mar 27, 2023 - 11:36:49 PM

KCJones

USA

2347 posts since 8/30/2012

I have a unique password for nearly every site. I don't even know most of my passwords; almost all of them are computer-generated random 16-character strings that are stored in a password manager. Any account that matters requires 2-factor authentication these days anyway (e.g. the website texts a code to your phone and you input the code into the login screen). You really shouldn't re-use passwords.

In any case, hiding your login credentials from public view increases security. I know it seems counterintuitive but it's true. Think about it: do you really think an IT professional would actively make changes to reduce the security of their own website?

A bit of thread drift again, but you should understand that your passwords, CC numbers, SSN are, most likely, already floating around on the web. The fact is, your data is already compromised, that's just a reality of the modern digital world. That's why most systems have moved away from using a CC number to process transactions, and instead use the chip which creates a one-time-use code for every transaction. Brute force hacks aren't really something you should be concerned about, what you need to protect yourself against is massive data breaches that capture millions of SSNs, CC#s, and login credentials all at once. The way you protect yourself from this is by using a password manager with 16+ computer-generated passwords for all websites, using 2-factor authentication on any website that offers it, disabling all debit cards and only using chip-enabled credit cards, never using paper checks, and keeping your credit frozen at all times unless you need to temporarily unfreeze it to open a new line of credit. That's just standard information security nowadays.

Mar 28, 2023 - 8:16:17 AM

RB3

USA

1724 posts since 4/12/2004

Is there some compelling reason to make this change?

Mar 28, 2023 - 9:31:56 AM

147 posts since 1/7/2021

+1 to the password manager comment. I use unique e-mail addresses and passwords for every site, and let my password manager remember which is which.

2c: Personally, I don't think this change will increase security much, and password strength rules and checking leaked password databases are a more user-friendly way to tighten security.
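An added example, not part of the original post and not Banjo Hangout's code: an offline sketch of a leaked-password check combined with a length rule, using the hash-prefix range-query pattern so that only the first five hex characters of the password's SHA-1 ever leave the site. The corpus, counts, function names and the 12-character minimum are assumptions constructed for illustration.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breach corpus: password -> times seen. Not real data.
LEAKED = {"password": 9, "easypassword": 4, "banjo123": 2}

def sha1_hex(password):
    # SHA-1 is used here only as the lookup key format, never for password storage.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked):
    """Breach-service side: group 35-char hash suffixes under their 5-char prefix."""
    index = defaultdict(dict)
    for pw, count in leaked.items():
        digest = sha1_hex(pw)
        index[digest[:5]][digest[5:]] = count
    return index

def range_lookup(index, prefix):
    """Breach-service reply for one prefix: 'SUFFIX:COUNT' lines."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return "\n".join(f"{s}:{c}" for s, c in sorted(index.get(prefix, {}).items()))

def breach_count(password, lookup):
    """Site side: send only the prefix, compare suffixes locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0

def check_new_password(password, lookup, min_length=12):
    """Return the reasons to reject a proposed password; empty list means accept."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    seen = breach_count(password, lookup)
    if seen:
        reasons.append(f"seen {seen} times in breach corpus")
    return reasons

INDEX = build_range_index(LEAKED)

def lookup(prefix):
    return range_lookup(INDEX, prefix)

if __name__ == "__main__":
    for pw in ("easypassword", "banjo123", "k7#Vq2!mZx9@Lp4w"):
        print(pw, check_new_password(pw, lookup))
```

The 12-character "easypassword" from earlier in the thread passes the length rule and is rejected only by the corpus check, which is why the two rules are applied together.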

Mar 31, 2023 - 6:48:44 AM

RB3

USA

1724 posts since 4/12/2004

I think I know why the change to e-mails has been made. Yesterday, I received 10 e-mails from Banjo Hangout.

Mar 31, 2023 - 9:15:44 AM
Players Union Member

schlange (Administrator)

USA

6021 posts since 1/20/2003

quote:
Originally posted by RB3

Is there some compelling reason to make this change?


Yes: see my original post on this topic: https://www.banjohangout.org/topic/389554

The most compelling reason was #3 in the list...
