OK, this is something that has really been pissing me off for quite some time.
As I am sure most of you know, many websites use your email address as your login. I think this is a great idea, since it allows you to keep the number of login names you need to remember down and it pretty much guarantees uniqueness (since there can be only one email address, it’s yours). The only problems I could think of that could occur with this are:
- Someone has signed up using your email. I really doubt this would ever happen, since the site would (or should) email the account address for confirmation that it is live (and you have access to it). If this ever did happen, you could easily take it up with their support staff.
- You have previously signed up and forgotten about it. 9/10 this will simply mean submitting a password request that will be sent to your email account and you can initiate the password reset process (if they send you your ACTUAL password – close your account now! – account administrators should NEVER have access to your password).
So both of these are pretty minor, and for the most part, pretty rare.
So what’s the problem here?
Recently I have begun the slow but gradual process of migrating from the [lame] Yahoo! Mail to Google Mail. When I recently accessed my Microsoft Live Account page to update my email address, I realised I can’t. Now, before the MS haters out there start jumping on Microsoft, they are not alone. I have noticed many of my online services don’t allow me to change my email address (can’t think of any off the top of my head – if I do, I’ll update). But the Live one really did hack me off, because I use it a lot, meaning I am now locked into my Yahoo email address by a service that is nothing to do with Yahoo. This makes no sense at all. Yes, you need a login, does it need to be static? No! There are also many other sites that have allowed me to change my email address even though it makes up a part of my login. They understand that what the login actually is doesn’t matter, the fact that it has been confirmed to be correct and belongs to the user is.
Think about the poor people that don’t have an email service provider address (@gmail, @yahoo.com etc) but rather one assigned to them by their ISP – meaning if they change their ISP (which people do a lot) then their account can potentially be ruined. I have seen examples where users are unable to update their email, so they completely lose all email communication with the website. This is crazy! We are supposed to be getting better at developing user-friendly, free-flowing, open software – not to load it up on the failboat and put the engines to flank knowing the icebergs are dead ahead.
This gets on my nerves even more with the explosion of OpenID providers (I personally use and recommend Vidoop) in which the login and authentication process is delegated entirely to another party. All they actually need is your OpenID, which of course you can then change if required.
Websites & Online Application Developers:
- DO promote login reuse either through email address or OpenID.
- DO allow me to change it if necessary, you don’t care what it is, so long as the person changing it is ME.
- DON’T create a system that you know will cause problems down the line (however small YOU perceive them to be, you’re not the user).
- DON’T lock me in.
- DON’T store passwords in plain text (if you are actually doing this then get out of the industry now – it really is security 101).
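One way to meet the DO and DON'T points above, added here as an example and not taken from any site mentioned in this post: the account is keyed by an internal id, the email is only a confirmed, replaceable label, and the password is kept as a salted PBKDF2 hash. `AccountStore`, `hash_password`, `TOKEN_TTL` and the `.example` addresses are hypothetical names and constructed values.

```python
import hashlib, hmac, secrets, time
TOKEN_TTL = 3600  # assumed lifetime, in seconds, of a confirmation link

def hash_password(password, salt):  # salted, slow hash; the password itself is never stored
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

class AccountStore:  # in-memory stand-in for a user table (hypothetical)
    def __init__(self):
        self.accounts = {}  # account_id -> {"email", "salt", "pw_hash"}
        self.by_email = {}  # normalised email -> account_id (unique index)
        self.pending = {}   # sha256(token) -> (account_id, new_email, expiry)

    def register(self, email, password):
        email = email.strip().lower()
        if email in self.by_email:
            raise ValueError("email already in use")
        account_id, salt = secrets.token_hex(8), secrets.token_bytes(16)
        self.accounts[account_id] = dict(email=email, salt=salt, pw_hash=hash_password(password, salt))
        self.by_email[email] = account_id
        return account_id  # stable key: other tables reference this, not the email

    def login(self, email, password):
        account_id = self.by_email.get(email.strip().lower())
        acct = self.accounts.get(account_id)
        if acct and hmac.compare_digest(acct["pw_hash"], hash_password(password, acct["salt"])):
            return account_id
        return None

    def request_email_change(self, account_id, password, new_email):
        new_email = new_email.strip().lower()
        # Re-authenticate so a borrowed session alone cannot move the login.
        if self.login(self.accounts[account_id]["email"], password) != account_id:
            raise PermissionError("re-authentication failed")
        if new_email in self.by_email:
            raise ValueError("email already in use")
        token = secrets.token_urlsafe(32)  # would be mailed to new_email only
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (account_id, new_email, time.time() + TOKEN_TTL)
        return token

    def confirm_email_change(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        account_id, new_email, expiry = self.pending.pop(digest, (None, None, 0))
        if account_id is None or expiry < time.time() or new_email in self.by_email:
            return False  # unknown, reused, expired, or address taken meanwhile
        del self.by_email[self.accounts[account_id]["email"]]
        self.by_email[new_email] = account_id
        self.accounts[account_id]["email"] = new_email
        return True
```

The old address keeps working as the login until the token sent to the new address is redeemed, so a typo in the new address cannot lock the owner out.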
What do you guys think of using the email address as a login? Do you prefer OpenID? Do you change email address often?