Use email addresses for authentication

When I log in to the Penny Arcade forums or Metafilter, I log in as “Imperfect”. Other places on the internet require me to log in as “Imperfex”, since “Imperfect” was taken before I got there. And when I tried to log in to my banking site, they demanded I use a number in my username, so I’m required to create yet another username. All in all, I have maybe five or six usernames I use with some frequency.

It’s bad enough that I have to remember a dozen passwords to the dozen or so different sites I log into frequently. But to also have to remember which username I used to sign up as well? It gets ridiculous.

Assume I’ve forgotten both the username and password I used to sign up for ZobR – the very latest web-2.0 friend-to-friend notepad-sharing network. With five usernames and twelve passwords, I have up to sixty combinations to try out before I can gain access.

Of course, three tries later, the auto-hacker-prevention technology (“Hacker Safe”, oh jeeze, that’s a laugh) kicks in and locks the account anyway, so I have to use the “forgot your username/password?” link.

This is nonsense. There are precious few circumstances where it makes sense to use a site-specific username as part of the login credentials. You should nearly always use the email address.

Possible objections

Anonymity: Say you want to sign up for a dating site, but don’t want your email address flashed around everywhere. Simple! The email address is only used as the authentication credentials. You pick an anonymous psuedonym once you’ve created your account. This is how dating sites work anyway, although most require you to create a username that is never used for anything except authentication.

Security: Every time you sign into your webmail, you enter in your email address. It’s already out there in the clear, guys. And the idea that your username should be as difficult to guess as your password is nonsense. It’s visible as you type it in. Stop enforcing strictness rules on usernames.

Email address not collected: Most places collect your email address as a matter of course. It makes it a snap to send out a re-authorization link, should you forget your password, or send out service alerts. Sure, if it’s not necessary to collect an email address to log in, then perhaps using a custom username is justified, but you already have to use a field to identify the account for authorization, why not use that field for the email address?

It’s what’s simplest for the user

And that’s what counts, right?

  • Fernando



    Since I have a “odd” last name, it’s always been pretty easy to register on any website. There have been a few occasions where my sister has beaten me to the punch. However, I do agree that services might as well use your email address since it’s a unique identifier.

    On another topic, would it be possible for you to email your WordPress theme? I think it’s great and I would like to use it, if that’s okay with you.

  • manveru



    So, your email address has a digit in it? :)

  • Dan Hulton

    Dan HultonDan Hulton


    I’m not sure what you mean by that.