0

On a website in which all of users' information (line Username, Email and Phone Number) are stored safe and hidden (from other users and public world), is it bad practice to accept email address or phone number or username itself as username with a password and a Captcha?

On this question, it has been told that main risk is that email might be used with same password so compromising the account may lead to getting into user's email account. If user's email is being displayed on his/her resisted profile, it doesn't matter what method is used by hacker to crack the account, s/he'll know the email and password by the way.

If those information kept secure and hidden, is it bad practice to use this kind of implementation? If so, what are the cons and concerns?

Community
  • 1
Amirreza Nasiri
  • 867
  • 2
  • 9
  • 15

1 Answers1

3

Not on security side, but people are less likely to be willing to provide their phone number or they will just enter a fake one. So I suggest you to use phone number only if your application really needs that info.

I wouldn't care about people reusing their passwords, it's not your problem. This only weakens your security if the email service is compromised and the password is leaked. In almost every case users will use giants like gmail, which use various extra security measures to prevent hackers getting access to the account password. Just a simple and strong hashing algorithm would be enough on their side.

It is the same thing on your side. If you care about your users, you store their passwords hashed, as you probably already do. If you become the victim of a breach, and somehow the attacker gets to know the raw passwords of your users, it's absolutely their responsibility and stupidity if the attacker gets into their email account with the same credentials. But let that not be the case, store everything safely :)

Rápli András
  • 2,124
  • 11
  • 24