Message Icon:*
url email imgsrc image php hide code quote
English Nederlands 
alignleft aligncenter alignright bold italic underline linethrough   



Re: ERROR: Invalid Username - Is it?

by Vaughan on 2011/1/9 6:41:36

that's the point david. since icms 1.1 you CAN login with your email address instead of login name. i added email address login to icms 1.1 though i think it required a bugfix which i think i did in 1.1.1 or 1.1.2. but the feature is already there.

EDIT: yep it's still functioning, i just logged out of this site, and logged back in using my email address.
Re: ERROR: Invalid Username - Is it?

by david on 2011/1/9 6:27:32

I would like to be able to login with email address
Re: ERROR: Invalid Username - Is it?

by Vaughan on 2011/1/9 5:33:57

my experience on Tim's site when i tried registering was that it wasn't clearly defined as to what the problem exactly was.

i couldn't register, and didn't know why. but the term invalid username just doesn't give enough detail, that and it is very confusing because we DON't have a username on any registration form.

we have Display Name & Login Name. but the error says invalid Username! so which of those was invalid? psychic head on.

it turned out it was the display name that was invalid & not the login name.

now i know that can easily be sorted by changed the Language definition, shouldn't be a problem then.

then there's the issue of external scripts, i couldn't login to a site, because the site was using uname, which is actually displayname, so i had to login using displayname and not login name. very confusing.

now onto my opinions regarding this matter, and some may disagree with what i'm about to say.

I think having Login Name & Display name is completely unneccessary, i was against it then, and i'm afraid, it hasn't changed my opinion since. i honestly can't see where the extra benefits of having them are in terms of security.

Brute force??? hmmm yeah, an unknown login name prevents it. but as far as i can tell, that is the ONLY reason for it.

silently locking the account after 3 or 5 failed attempts (either with a timer that can be set in admin, or via email asking the owner to confirm via clicking a link in the email to unlock is FAR Superior method at stopping brute force.)

my proposal to this argument.

1. ICMS users can actually log in to the system using their email address!!! <do people know this???>

2. get rid of the login name completely, just have display name for display purposes!

3. users would then use their email address/open id to login to their sites with, this can already be done anyway, so no coding changes are required on that part!.

4. create a function where after x failed attempts, the account is locked (either silently or with a notice) for either x amount of time or via an email sent to the users account which they have to confirm to unlock the account, or via admin unlocking it for them)

5. Problem Solved!
Re: ERROR: Invalid Username - Is it?

by skenow on 2011/1/8 20:40:11

The text 'ERROR: Invalid Username' is the text for _US_INVALIDNICKNAME, which is used in 3 places in the core

1 - kernel/user.php, line 826
2 - kernel/user.php, line 835
3 - edituser.php, line 96

In #1, the uname field is checked against the stopspammer list
In #2, the login_name is tested to see if it is empty, or if the config setting for username filtering is met by login_name
In #3, uname is checked to be sure it isn't blank
Re: ERROR: Invalid Username - Is it?

by Tom on 2011/1/8 17:59:19

Ha ha, I just rediscovered this, Vaughan had issues registering at a website last week because of this exact same issue.

Vaughan do to care to share your experience and opinion on this? lol