Wednesday, June 6, 2012

E-mail addresses as user IDs: stupid policy

In the wake of a hacking fiasco that has embarrassed Apple and cost journalist Mat Honan his online security and a bunch of data, Apple has failed to take action to secure users' accounts.  Oh, they've changed one policy; now they won't reset passwords over the phone.  But look at the origin of the problem.  Here's what Honan said:

"Also my source at Apple confirmed issuing password reset based on name, last 4 of CC, address, and AppleID was 'absolutely' Apple policy."

And what is that "Apple ID" now?  Your E-mail address.  An identifier that is on hundreds if not thousands of spammers' lists.  And Apple is forcing you to use it as your user ID, instead of letting you set up a free-form legitimate ID the way they used to.

Your E-mail address is on spammers' lists.  When you cross-reference these lists with lists of common passwords, you get a boatload of cracked accounts. And when forced to set up a log-in ID that is an E-mail address, what percentage of the public thinks they have to use the same password that they use for their E-mail account?  I'm guessing at least a quarter.  So now these sites have made themselves responsible not only for their own system, but every user's personal E-mail account, regardless of where it is.   That's why this policy is a monumental security blunder.

Here's another example of how this policy sets Apple and its customers up for security breaches and stolen data:

Now some lowlives are threatening to compromise Apple customers' devices, based on... yep: their E-mail addresses and passwords.

While in this case there's a software defect involved, it still demonstrates how a spammer (who of course already knows your E-mail address) only needs to acquire your password; he can auto-populate the "user ID" field with your E-mail address, making it look legit.

You don't see banks forcing you to use an E-mail address.  Nor brokerages.  Nor credit-card companies.  Hell, even the most obscure comment forums let you set up a legitimate user ID.  But not Apple.

Aside from the glaring security problem, there's common sense.  We all have numerous E-mail addresses by now, and many people's addresses change over time. Which one did I use to sign up for this or that Web site months or years ago?  And when an address goes defunct, people think they need to set up a new ID.  Apple tells users that their Apple ID must be a functioning E-mail address; now they have a boatload of customers with multiple Apple IDs each, preventing them from managing their iTunes/App Store purchases or downloading updates because Apple refuses to consolidate the accounts that its own ignorant policy created.

Of course, Apple's not the only tech company making itself look like amateur hour online.  Amazon has also "taken steps" in response to this attack, but has failed to fix the glaring user-ID problem.  A while back, LinkedIn was caught uploading people's calendar appointments from their mobile devices, and compromising millions of users' passwords.  The first of these was an unauthorized transmission of users' data (in clear text, no less), an offense against users (not to mention Apple's clearly stated policies).  The second was just a failure.

But consider the source: LinkedIn joins Facebook, PayPal, and Apple in their requirement that your user ID be an E-mail address.  The sheer ignorance of this policy undermines any security-related credibility its source might have.

Users shouldn't sit back and shrug this off.  You don't need to roll over for businesses that steal your time and allow others to steal your identity or data.  Use this form to tell Apple that this policy is unacceptable.  Point them to this post or paraphrase it; we need to stop this ignorance.

You can read more about this debacle at The Next Web.  And here's another massive data breach that's going to be much worse because of this asinine policy.

User IDs aren't the only playground for incompetence.  Here comes United Healthcare, screwing up the password field with another offensive policy.


  1. Relying on a username runs into a similar problem though. You probably use the same username everywhere, including with your e-mail account. So if there's a johnsilver77@yahoo address on that spammer list, that person would probably use johnsilver77 to log into Facebook, if it required a username.

    1. Then, at WORST, there's no extra harm done. But if you let people set up a proper user ID, it doesn't have to be an E-mail address and thus doesn't have to appear on spammers' lists.

  2. "We all have numerous E-mail addresses by now, and many people's addresses change over time"

    I actually disagree. I think people have a lot more trouble remembering which username they used to sign up. Your email address is something you have for a long, long time. Plus, there's the sense of "this username is being used", which hardly happens with your email address.

    For the next service you'll use "oscar", "ogoldman", "goldman", "oscar_goldman", .. to only find out that "oscar_goldman". On the next app, you can sign up with "ogoldman" and the next one has "oscar" still available. You'll forget all of that in a month.

    Whereby, you'll remember your for all these services.

    1. "Your email address is something you have for a long, long time."

      People think that, and then... things change. And there's still the issue of multiple addresses, and which one did you use for this or that site.

      But that's the great thing about not forcing users into any particular ID format: they CAN use an E-mail address if they want. Or they can come up with their own scheme.

  3. Perhaps user education is a better approach.
    Using RFC-compliant mail servers means that you can in fact create a unique mail address for each service you log into using the + hack.
    For example I could log into facebook with my email address. I could ALSO log in using an RFC-compliant manipulation which is permitted on many sites (facebook included).
    So, if I logged into facebook and told facebook to use as my primary email address, I will have created a unique email address without creating a new email address. Mail will still come to where it needs to and I will not use the same address for anything else. But I will know what it is...
    So, with one email address I am able to create "known only to me" uniqueness and have many variations that are specific to the portal I am logging into.

    You get the idea

    1. I used to use that "+ hack" to create unique E-mail addresses to catch businesses selling my address to spammers. It's a useful technique, as long as your E-mail provider handles it.

      Unfortunately I think it's beyond most people's understanding to use it effectively. Next thing you know, they'll be using (perhaps thinking they have to use) that same modified address to register with other sites and it'll join all the other addresses on spammers' lists. But... maybe not.

      Thanks for your informative comment!

    2. I wouldn't depend on that to detect spamming. Since it is RFC and well known for many, many years, spammers probably already know that trick and just strip everything off from the + back to the beginning.

    3. I've done that - used a + address - and found that the unsubscribe tools for three or four newsletters/ads automatically stripped the + (by passing the unsubscribe request in a URL). Made it a _pain_ to get rid of those emails!

  4. Make sure the non-techies among us know what you're talking about. I perceive a tendency for the techies to use techspeak to one another, forgetting that this here blog is meant to be read by EVERYONE. I am somewhat of a techie but the stuff already here in the comments is beyond my poor knowledge. E.g., "+ hack" means NOTHING TO ME.

    I agree that email address should not be the only possible identifier of a user allowed in things like iTunes. Alternative ID can be any rather secure phrase. Unfortunately, not everyone has a tool that generates such a phrase. Then remembering the phrase is the next hurdle for most people. I have a way that records stuff I need like that.

    1. "E.g., "+ hack" means NOTHING TO ME."

      Maybe you didn't read the comment I was replying to. I didn't use that phrase in my post; it's only in his comment.

      In his comment, barrulus said he "told facebook to use as my primary email address." He then went on to give two more examples of unique E-mail addresses that he created specifically for particular Web sites.

      But I'll explain a bit more: Some E-mail servers will accept your basic user ID (as in with "+whatever" after it. That means if someone sends mail to, you'll still get the message even though your real E-mail address is only

      Thanks for your comment!
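The "+ hack" (subaddressing, `user+tag@domain`) discussed in the comment above and in its explanation here, as an added worked example that is not part of the original post or its comments: it builds a per-site tagged address, recovers the tag from an incoming recipient so you can tell which site's copy of your address was used, and shows how trivially the tag is stripped back to the base mailbox, which is the limitation the commenters raise. The mailbox `oscar.goldman@example.com` and the site names are constructed sample values, and lower-casing the address in `canonical()` is an assumption (local parts are not guaranteed case-insensitive by the standard).

```python
import re

# Constructed sample mailbox for this example; not taken from the post.
MAILBOX = "oscar.goldman@example.com"

# local part up to an optional "+tag", then the domain.
_ADDR_RE = re.compile(r"^(?P<local>[^@+]+)(?:\+(?P<tag>[^@]*))?@(?P<domain>[^@]+)$")


def tagged_address(mailbox, service):
    """Build a per-service subaddress ("user+tag@domain").
    The tag is reduced to [a-z0-9] so it survives web forms; the mail
    still lands in the base mailbox on servers that honour "+" tags."""
    local, domain = mailbox.split("@", 1)
    tag = re.sub(r"[^a-z0-9]", "", service.lower())
    if not tag:
        raise ValueError("service name yields an empty tag")
    return f"{local}+{tag}@{domain}"


def split_address(addr):
    """Return (local, tag, domain); tag is None when there is no '+'."""
    m = _ADDR_RE.match(addr.strip())
    if not m:
        raise ValueError(f"not a plain mailbox address: {addr!r}")
    return m.group("local"), m.group("tag"), m.group("domain")


def canonical(addr):
    """Strip the tag, as a site de-duplicating accounts (or a list
    operator, as a commenter notes) would. Lower-casing is an assumption.
    This is why the tag is a tracking aid, not a secret."""
    local, _tag, domain = split_address(addr)
    return f"{local}@{domain}".lower()


def attribute_leak(recipient, registrations):
    """Given the To: address of an unexpected message and a dict of
    service -> tagged address you registered, name the service whose
    copy of your address was used. Returns None for untagged mail."""
    try:
        _local, tag, _domain = split_address(recipient)
    except ValueError:
        return None
    if tag is None:
        return None
    for service, registered in registrations.items():
        if split_address(registered)[1] == tag:
            return service
    return None
```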

  5. Goldman, your security word is SO DISTORTED that I required 25 attempts to find one I as a human can read and even then I was unsure. PLEASE DON'T DO THIS TO US!

    1. Unfortunately, that's under Google's control and not mine. I agree it can be very annoying. Thanks for making the effort to defeat it and add your comment, though!

  6. The overwhelming majority of sites that have username ask for an email as well. There are lots of good reasons for this:

    1. Requiring a valid email cuts down on spam accounts.
    2. You have a way to contact your users.
    3. You need it for password resets.

    The real question isn't what to use as user ID, it's what to do about password resets. What you use as user ID is an orthogonal issue to key recovery.

    1. Of course. There's no problem with also asking for an E-mail, and requiring a confirmation before activating someone's account.

    2. How would key recovery (a.k.a. password reset) work in your ideal system?

    3. The way it works on millions of comment forums today: You request a password-reset E-mail, based on your user ID or E-mail address. This is a standard function of every bulletin board I use, which is quite a few.