Let's say you want to hack Jack Dorsey's online banking account. Where to start? His username?
Challenging… his online banking username is a secret. But how about his Twitter account?
Oh, that's easy. It's @jack.
That's the problem with "social" usernames — they're meant to be known.
![Twitter's Password Fails]()
Another problem: Twitter's password reset form appears to validate e-mail addresses, revealing whether an address belongs to an account:
![Twitter's Password Fails]()
Looks like nobody's home at jackd@twitter.com:
![Twitter's Password Fails]()
Twitter's settings include an option to require "personal" information such as an e-mail address or phone number:
![Twitter's Password Fails]()
But that's less than useless if Twitter won't actually let you add your number:
![Twitter's Password Fails]()
And just how "personal" is a phone number anyway?
![Twitter's Password Fails]()
Two-factor authentication?
Sure.
But Twitter should first stop validating e-mail addresses.
And then maybe it could add an option to disallow logins via the publicly known username.
Edited to add: On second thought…
How about this?
Twitter should stop validating e-mail addresses in its password reset form.
And then, discriminate between using e-mail and username. If an account is accessed with the username, don't provide access to the account settings! The e-mail address (alias) could then be used only by account "administrators".
Example: regular @AP staff could log in with "AP", with no settings for them! They could Tweet, but would be restricted from making changes to the account. But the @AP "admin", some guy in the IT department, that person could log in using the "secret" e-mail address and would be able to change account settings (and lock down the account in case of a breach).
Discriminating between e-mail and username — a way to distinguish between "admins" and "users".
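The two proposals above, as an added illustration that is not Twitter's code and not part of the original post: a password reset responder that answers identically whether or not the e-mail address is registered (beside the leaky behaviour the post complains about), and a login routine that hands out a restricted "user" session for the public username but an "admin" session only for the private e-mail address. All handles, e-mail addresses, passwords and the salt are constructed sample data; the `.invalid` domain is reserved and never routes.

```python
"""Added example: enumeration-safe password reset, plus username-vs-e-mail
role separation. Not Twitter's code; all data below is constructed."""
import hashlib
import hmac
import secrets
from typing import Optional

_SALT = b"constructed-static-salt"  # constructed; real systems use a per-user salt


def _hash(pw: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), _SALT, 100_000)


# Constructed sample accounts: public handle -> private e-mail + password hash
ACCOUNTS = {
    "jack": {"email": "jack@example.invalid", "pw": _hash("correct horse")},
    "AP": {"email": "social-admin@example.invalid", "pw": _hash("battery staple")},
}
EMAIL_TO_HANDLE = {a["email"]: h for h, a in ACCOUNTS.items()}
_DUMMY_HASH = _hash("dummy")  # compared against when no account matches


def leaky_reset(email: str) -> str:
    """The behaviour the post objects to: the reply itself tells the caller
    whether the address belongs to an account."""
    if email in EMAIL_TO_HANDLE:
        return "Reset link sent."
    return "No account with that e-mail address."


RESET_MESSAGE = "If that address is registered, a reset link has been sent."


def safe_reset(email: str, outbox: list) -> str:
    """Same reply for every input. A mail is queued only for a real account,
    and the token is generated either way so the work done is similar."""
    handle = EMAIL_TO_HANDLE.get(email)
    token = secrets.token_urlsafe(32)
    if handle is not None:
        outbox.append((email, token))
    return RESET_MESSAGE


def login(identifier: str, password: str) -> Optional[dict]:
    """Public handle (with or without '@') -> 'user' session that can tweet only.
    Private e-mail address -> 'admin' session that may change settings."""
    if "@" in identifier and not identifier.startswith("@"):
        handle = EMAIL_TO_HANDLE.get(identifier)
        role = "admin"
    else:
        handle = identifier.lstrip("@")
        role = "user"
    account = ACCOUNTS.get(handle)
    stored = account["pw"] if account else _DUMMY_HASH
    # Hash and compare even for unknown accounts; constant-time comparison.
    if not hmac.compare_digest(stored, _hash(password)) or account is None:
        return None
    return {"handle": handle, "role": role}


def can_change_settings(session: dict) -> bool:
    """Settings (and lock-down) are reserved for e-mail-authenticated admins."""
    return session["role"] == "admin"


if __name__ == "__main__":
    print(leaky_reset("jack@example.invalid"), "|", leaky_reset("nobody@example.invalid"))
    box: list = []
    print(safe_reset("jack@example.invalid", box), "|", safe_reset("nobody@example.invalid", box))
    print(login("@AP", "battery staple"), login("social-admin@example.invalid", "battery staple"))
```

The point of `safe_reset` is that the response body, and as far as practical the response time, carry no information about whether the address exists; the distinction that matters (was a mail actually sent) lives only in the outbox. In `login`, the same password is accepted either way, but the session's role is decided by which identifier was presented, which is what makes the e-mail address worth keeping secret.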
On 07/05/13 At 12:51 PM