
RFC: Requiring use of email address for log-in, not a 'Display Name'



Hello! Here's a request for your comments on this idea:

It's somewhat less secure to have the standard username/password log-in system if a would-be intruder already has a username to work with. The log-in form can be submitted multiple times with a series of commonly-used passwords, looking to see whether 01234567890 matches, for example.

Currently these message boards enable you to log in using either (i) your "Display Name" (which is displayed, natch, next to every post you've made), or (ii) your email address (i.e., the one you used when you first signed up).

So somebody else would be able to enter your Display Name into a log-in form and then start throwing potential passwords into the form, until the intruder succeeds or goes to bed.

Of course, the world doesn't end if there were to be a "break-in" -- the intruder might simply alter your posts to say "I think ERISA attorneys are weenies" or some other heresy -- and yet many of us use the same password for our bank accounts, our Tinder accounts -- haw -- etc., so having a password that works on BenefitsLink lets them go monkeying around on other more potentially profitable websites on which you might be a registered user.

So (at long last, getting to the point here), the proposal would be to require the use of email addresses for log-in, and no longer permit Display Names for log-in. Your email address, unlike your Display Name, is not displayed on the message boards, so it's not public knowledge insofar as a message boards visitor is concerned. But of course you know your own email address, so the log-in process wouldn't seem to be any more burdensome.

I thought about the possible problem of logging in after your email address has changed (you're at a new job, etc.), but actually the log-in process would be unaffected. You'd still enter the email address you had used when you signed up, and your usual password. The log-in system wouldn't know or care that your "real" email address has changed.

What do you think?


  • Dave Baker changed the title to RFC: Requiring use of email address for log-in, not a 'Display Name'
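The control that limits the guessing described in the first post, whichever identifier is typed in, shown as an added example (not BenefitsLink's or the forum software's code): a failed-login throttle keyed on the account, so the Display Name and the email address share one counter. The class, the sample handles and the thresholds are hypothetical.

```python
class LoginThrottle:
    """Failed-login throttle keyed on the account, not on the handle typed in."""

    def __init__(self, handles, free_attempts=5, base_delay=30, max_delay=3600):
        # handles: every string that can log an account in -> account id
        self.handles = {h.strip().lower(): acct for h, acct in handles.items()}
        self.free_attempts = free_attempts
        self.base_delay = base_delay
        self.max_delay = max_delay
        self._state = {}  # key -> (consecutive failures, locked_until)

    def _key(self, handle):
        h = handle.strip().lower()
        # Unknown handles get their own counter so responses do not reveal
        # which handles exist.
        return self.handles.get(h, "unknown:" + h)

    def retry_after(self, handle, now):
        """Seconds the caller must still wait before a guess is checked."""
        _, locked_until = self._state.get(self._key(handle), (0, 0.0))
        return max(0.0, locked_until - now)

    def record_failure(self, handle, now):
        key = self._key(handle)
        failures = self._state.get(key, (0, 0.0))[0] + 1
        over = failures - self.free_attempts
        # Lockout doubles with each failure past the free attempts, up to a cap.
        delay = 0 if over < 0 else min(self.max_delay, self.base_delay * 2 ** over)
        self._state[key] = (failures, now + delay)
        return delay

    def record_success(self, handle):
        self._state.pop(self._key(handle), None)


def guesses_checked(throttle, handles, budget_seconds, interval=1.0):
    """Count wrong guesses that reach the password check within the budget,
    with the client alternating between the given handles."""
    now, checked, i = 0.0, 0, 0
    while now < budget_seconds:
        handle = handles[i % len(handles)]
        i += 1
        if throttle.retry_after(handle, now) == 0:
            throttle.record_failure(handle, now)
            checked += 1
        now += interval
    return checked

# Constructed sample: one account reachable by Display Name or by email.
SAMPLE = {"Jane Doe": 42, "jane@example.test": 42}
```

With these thresholds, a client submitting one guess per second for eight hours gets 18 guesses checked rather than 28,800, and switching between the two handles does not reset the count.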

I just listened to a cybersecurity guru talk about all of the risks of being on-line, sooooo, can we go back to stone tablets?  Might not be so speedy or current, but might be safer!


I'm in favor of the change. Until just now I wasn't aware it was an option to log in with your display name.

Regarding changing emails, it could be a problem if you no longer have access to the old email account and you need to reset your password. Does the system support changing your email for login purposes? Or can a backup email be added?


Usually systems such as BenefitsLink will allow for changing the email address of currently mailed email. The login name/email address is fixed.


I just tested it - if you change your email address for mailing purposes, it also changes it for login purposes. I was able to log in with the new email address that I supplied and was no longer able to log in with the original one.


14 hours ago, C. B. Zeller said:

Regarding changing emails, it could be a problem if you no longer have access to the old email account and you need to reset your password. Does the system support changing your email for login purposes? Or can a backup email be added?

14 hours ago, C. B. Zeller said:

I just tested it - if you change your email address for mailing purposes, it also changes it for login purposes. I was able to log in with the new email address that I supplied and was no longer able to log in with the original one.

This is correct -- only one email address is stored for each profile. 

If you do need to reset your password, and don't have access to the email address on the account, we can change the email address from the back end -- just let one of us know, either by PM here or by email to manager@benefitslink.com

Also note that, if we do find an email address is no longer working (e.g., we see a bounce message for email sent to that address -- from the message board, or a newsletter or other publication), we'll flag the account so that the email address must be either confirmed or changed at the next login attempt.

 


As I am without a doubt one of the least tech savvy people in the country, I defer to you all! Whatever you think is best.

I wonder if at some point, certain banking institutions might go back to  "no internet transactions" banking, and deposits and withdrawals can only be done in person. Most likely not - probably not even possible any longer. Might not even be legal for all I know.  Life is tough for us dinosaurs - the next dinosaur extinction looms large.


18 minutes ago, Belgarath said:

As I am without a doubt one of the least tech savvy people in the country, I defer to you all! Whatever you think is best.

I wonder if at some point, certain banking institutions might go back to  "no internet transactions" banking, and deposits and withdrawals can only be done in person. Most likely not - probably not even possible any longer. Might not even be legal for all I know.  Life is tough for us dinosaurs - the next dinosaur extinction looms large.

Despite my previous facetious comment, I think it's a good idea.

Belgarath:  You mean there is another way to "bank" besides fat fingering on my phone?  Haven't been inside a building that has "bank" over the door literally in years - even when getting a mortgage from one....


On 6/24/2021 at 3:09 PM, Dave Baker said:

Of course, the world doesn't end if there were to be a "break-in" -- the intruder might simply alter your posts to say "I think ERISA attorneys are weenies" or some other heresy -- and yet many of us use the same password for our bank accounts, our Tinder accounts -- haw -- etc., so having a password that works on BenefitsLink lets them go monkeying around on other more potentially profitable websites on which you might be a registered user.

 

I don't really care too much either way, but using the same password for more than one account any more is very silly. Use software like LastPass and have a single, very complex password for everything. And use two-factor authentication when available.

Then the user id won't matter much.


I am fine with whatever the group thinks is best.  I haven't logged in or out of BenefitsLink in years so I actually have no idea what my password is or which of my email accounts this is associated with, but I am sure we can figure it out.  
