[opencms-dev] Email address as username for logging-in web users

Kellen Dye kdye at library.ucsd.edu
Thu Nov 18 18:13:45 CET 2004


While it is possibly bad practice to use emails as usernames, it should be up to the organization using openCMS to decide what can and cannot be usernames; there is no need to enforce this programmatically -- it's a policy issue.

Kellen

>>> mikeb at tableau.co.uk 11/18/04 05:02 AM >>>
I think OpenCms should continue to not accept the use of @ in the
username (if that is what it does).

I think using an email address as a user identifier is a security
practice to be avoided.
It is usually possible to guess the email rules for a company and then
work out possible email addresses for individuals within a company.
Email addresses should be regarded as in the public domain.  In a
typical secure system after a number of failed logon attempts the logon
identifier is disabled (either for increasing periods of time or until a
manual reset).  Therefore a simple web robot script (using a utility
like wget) could push through vast numbers of invalid passwords and
execute a sustained denial of service attack.

Mike
 

-----Original Message-----
From: opencms-dev-bounces at opencms.org
[mailto:opencms-dev-bounces at opencms.org] On Behalf Of James
Sent: 18 November 2004 11:54
To: opencms-dev at opencms.org
Subject: [opencms-dev] Email address as username for logging-in web
users

I realise that the username goes through validFilename(String) and does
not accept the use of @.
 
I've started to implement -->    userName = userName.replaceAll("@", "-----");
 
But has anyone else 
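
The substitution quoted above maps "@" to "-----", so a login that already contains "-----" is stored under the same name as an e-mail address. The following is an added example, not code from this thread or from OpenCms, contrasting that substitution with a reversible escape. The class name, the sample logins and the set of characters assumed to pass validFilename(String) are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class LoginNameCodec {
    // Every '_' in an encoded name starts a two-digit hex escape.
    private static final Pattern ESCAPED = Pattern.compile("_([0-9a-f]{2})");

    /** The substitution from the post: one-way, since "-----" may already occur in a name. */
    static String naive(String login) {
        return login.replaceAll("@", "-----");
    }

    /**
     * Reversible form. Assumption: letters, digits, '.', '-' and '_' pass the
     * filename check. '_' is reserved as the escape character, so it is escaped too.
     */
    static String encode(String login) {
        StringBuilder out = new StringBuilder();
        for (char c : login.toCharArray()) {
            if (c > 0x7f) throw new IllegalArgumentException("non-ASCII login name");
            boolean safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z')
                    || (c >= '0' && c <= '9') || c == '.' || c == '-';
            if (safe) out.append(c);
            else out.append(String.format("_%02x", (int) c));
        }
        return out.toString();
    }

    /** Inverse of encode(): turns each _hh escape back into its character. */
    static String decode(String stored) {
        Matcher m = ESCAPED.matcher(stored);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            char c = (char) Integer.parseInt(m.group(1), 16);
            m.appendReplacement(out, Matcher.quoteReplacement(String.valueOf(c)));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) {
        String email = "jane@example.org";      // constructed sample login
        String plain = "jane-----example.org";  // constructed sample login
        // Do two different logins end up under one stored name?
        System.out.println("naive collides:   " + naive(email).equals(naive(plain)));
        System.out.println("escaped collides: " + encode(email).equals(encode(plain)));
        // Can the original login be recovered from the stored name?
        System.out.println("round trip ok:    " + decode(encode(email)).equals(email));
    }
}
```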
