Friday, March 24, 2017

E-mail addresses as user IDs: stupid policy

Once again, Apple is facing a "hacking" fiasco that may have resulted from its own amateurish user-ID policy.

It's not that Apple was hacked; the problem is that millions of E-mail-address/password combinations have fallen into the hands of hackers. And those combinations are what Apple now forces you to use as your Apple ID, instead of letting you create a proper user ID. That is an ignorant policy.

Your E-mail address is on spammers' lists.  When you cross-reference these lists with lists of common passwords, you get a boatload of cracked accounts. And when forced to set up a log-in ID that is an E-mail address, what percentage of the public thinks they have to use (or simply decide to use) the same password that they use for their E-mail account?  I'm guessing at least a quarter.  So now these sites put every user's personal E-mail account at risk, regardless of where it is.   That's why this policy is a monumental security blunder.

If ANY service you use suffers a hack or information theft that includes your E-mail address and password, that combination can be used to access other services (like Apple's) that insist on this ignorant user-ID policy. And indeed, Apple confirmed that this is exactly what happened: "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services."

Here's another example of how this policy sets Apple and its customers up for security breaches and stolen data:

While in this case there's a software defect involved, it still demonstrates how a spammer (who of course already knows your E-mail address) only needs to acquire your password; he can auto-populate the "user ID" field with your E-mail address, making it look legit.

You don't see banks forcing you to use an E-mail address.  Nor brokerages.  Nor credit-card companies.  Hell, even the most obscure comment forums let you set up a legitimate user ID.  But not Apple.

Aside from the glaring security problem, there's common sense.  We all have numerous E-mail addresses by now, and many people's addresses change over time. Which one did I use to sign up for this or that Web site months or years ago?  And when an address goes defunct, people think they need to set up a new ID.  Apple tells users that their Apple ID must be a functioning E-mail address; now they have a boatload of customers with multiple Apple IDs each, preventing them from managing their iTunes/App Store purchases or downloading updates because Apple refuses to consolidate the accounts that its own ignorant policy created.

Of course, Apple's not the only tech company making itself look like amateur hour online.  Amazon has also "taken steps" in response to this attack, but has failed to fix the glaring user-ID problem.  A while back, LinkedIn was caught uploading people's calendar appointments from their mobile devices, and compromising millions of users' passwords.  The first of these was an unauthorized transmission of users' data (in clear text, no less), an offense against users (not to mention Apple's clearly stated policies).  The second was just a failure.

But consider the source: LinkedIn joins Facebook, PayPal, and Apple in their requirement that your user ID be an E-mail address.  The sheer ignorance of this policy undermines any security-related credibility its source might have.

Users shouldn't sit back and shrug this off.  You don't need to roll over for businesses that steal your time and allow others to steal your identity or data.  Use this form to tell Apple that this policy is unacceptable.  Point them to this post or paraphrase it; we need to stop this ignorance.

You can read more about this debacle at The Next Web.  And here's another massive data breach that's going to be much worse because of this asinine policy.

User IDs aren't the only playground for incompetence.  Here comes United Healthcare, screwing up the password field with another offensive policy.


  1. Relying on a username runs into a similar problem though. You probably use the same username everywhere, including with your e-mail account. So if there's a johnsilver77@yahoo address on that spammer list, that person would probably use johnsilver77 to log into Facebook, if it required a username.

    1. Then, at WORST, there's no extra harm done. But if you let people set up a proper user ID, it doesn't have to be an E-mail address and thus doesn't have to appear on spammers' lists.

  2. "We all have numerous E-mail addresses by now, and many people's addresses change over time"

    I actually disagree. I think people have a lot more trouble remembering which username they used to sign up. Your email address is something you have for a long, long time. Plus, there's the sense of "this username is being used", which hardly happens with your email address.

    For the next service you'll use "oscar", "ogoldman", "goldman", "oscar_goldman", .. to only find out that "oscar_goldman". On the next app, you can sign up with "ogoldman" and the next one has "oscar" still available. You'll forget all of that in a month.

    Whereby, you'll remember your for all these services.

    1. "Your email address is something you have for a long, long time."

      People think that, and then... things change. And there's still the issue of multiple addresses, and which one did you use for this or that site.

      But that's the great thing about not forcing users into any particular ID format: they CAN use an E-mail address if they want. Or they can come up with their own scheme.

  3. Perhaps user education is a better approach.
    Using RFC compliant mail servers means that you can in fact create a unique mail address for each service you log into using the + hack.
    For example I could log into facebook with my email address. I could ALSO log in using an RFC compliant manipulation which is permitted on many sites (facebook included).
    So, if I logged into facebook and told facebook to use as my primary email address, I will have created a unique email address without creating a new email address. Mail will still come to where it needs to and I will not use the same address for anything else. But I will know what it is...
    So, with one email address I am able to create "known only to me" uniqueness and have many variations that are specific to the portal I am logging into.

    You get the idea

    1. I used to use that "+ hack" to create unique E-mail addresses to catch businesses selling my address to spammers. It's a useful technique, as long as your E-mail provider handles it.

      Unfortunately I think it's beyond most people's understanding to use it effectively. Next thing you know, they'll be using (perhaps thinking they have to use) that same modified address to register with other sites and it'll join all the other addresses on spammers' lists. But... maybe not.

      Thanks for your informative comment!

    2. I wouldn't depend on that to detect spamming. Since it is RFC and well known for many many years spammers probably already know that trick and just strip everything off from the + back to the beginning.

    3. I've done that - used a + address - and found that the unsubscribe tools for three or four newsletters/ads automatically stripped the + (by passing the unsubscribe request in a URL). Made it a _pain_ to get rid of those emails!
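
The "+" addressing discussed in the comment thread above, as an added example that is not part of the original post or comments: it builds a per-site tagged address, recovers the tag from a received address, and shows why an unsubscribe link that pastes the address into a URL unencoded loses the "+" (form decoding reads "+" as a space). All addresses and the `news.example` URL are constructed sample values, and the function names are illustrative.

```python
from urllib.parse import parse_qs, urlencode, urlsplit


def tagged(address, tag):
    """Insert "+tag" before the @: the address handed to one specific site."""
    local, domain = address.rsplit("@", 1)
    return f"{local}+{tag}@{domain}"


def split_tag(address):
    """Return (base_address, tag); tag is None when there is no "+" part."""
    local, domain = address.rsplit("@", 1)
    base, plus, tag = local.partition("+")
    return f"{base}@{domain}", (tag if plus else None)


def unsubscribe_url(address, encode=True):
    """Build an unsubscribe link (hypothetical site).

    encode=False mimics a tool that pastes the raw address into the query
    string; encode=True percent-encodes it, turning "+" into "%2B".
    """
    query = urlencode({"email": address}) if encode else f"email={address}"
    return f"https://news.example/unsubscribe?{query}"


def email_from_url(url):
    """The address a standard form-decoding server reads back from the link."""
    return parse_qs(urlsplit(url).query)["email"][0]


if __name__ == "__main__":
    base = "jane@example.org"              # constructed sample address
    for_shop = tagged(base, "shop")        # jane+shop@example.org

    # Mail arriving at the tagged address identifies where it was given out.
    print(split_tag(for_shop))

    # Once the tag is stripped, only the base address is left and the
    # attribution is gone (the weakness raised in the reply above).
    print(split_tag(split_tag(for_shop)[0]))

    # Raw "+" in a query string decodes as a space, so the unsubscribe
    # request no longer names the subscribed address.
    print(repr(email_from_url(unsubscribe_url(for_shop, encode=False))))

    # Percent-encoded, the address survives the round trip.
    print(repr(email_from_url(unsubscribe_url(for_shop))))
```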

  4. Make sure the non-techies among us know what you're talking about. I perceive a tendency for the techies to use techspeak to one another, forgetting that this here blog is meant to be read by EVERYONE. I am somewhat of a techie but the stuff already here in the comments is beyond my poor knowledge. E.g., "+ hack" means NOTHING TO ME.

    I agree that email address should not be the only possible identifier of a user allowed in things like iTunes. Alternative ID can be any rather secure phrase. Unfortunately, not everyone has a tool that generates such a phrase. Then remembering the phrase is the next hurdle for most people. I have a way that records stuff I need like that.

    1. "E.g., "+ hack" means NOTHING TO ME."

      Maybe you didn't read the comment I was replying to. I didn't use that phrase in my post; it's only in his comment.

      In his comment, barrulus said he "told facebook to use as my primary email address." He then went on to give two more examples of unique E-mail addresses that he created specifically for particular Web sites.

      But I'll explain a bit more: Some E-mail servers will accept your basic user ID (as in with "+whatever" after it. That means if someone sends mail to, you'll still get the message even though your real E-mail address is only

      Thanks for your comment!

  5. Goldman, your security word is SO DISTORTED that I required 25 attempts to find one I as a human can read and even then I was unsure. PLEASE DON'T DO THIS TO US!

    1. Unfortunately, that's under Google's control and not mine. I agree it can be very annoying. Thanks for making the effort to defeat it and add your comment, though!

  6. The overwhelming majority of sites that have username ask for an email as well. There are lots of good reasons for this:

    1. Requiring a valid email cuts down on spam accounts.
    2. You have a way to contact your users.
    3. You need it for password resets.

    The real question isn't what to use as user ID, it's what to do about password resets. What you use as user ID is an orthogonal issue to key recovery.

    1. Of course. There's no problem with also asking for an E-mail, and requiring a confirmation before activating someone's account.

    2. How would key recovery (a.k.a. password reset) work in your ideal system?

    3. The way it works on millions of comment forums today: You request a password-reset E-mail, based on your user ID or E-mail address. This is a standard function of every bulletin board I use, which is quite a few.