By ClearXS on

I've looked through all log-in and security modules, but this one doesn't seem to be there.

This could be a very simple security barrier against hackers; if they don't know my user-name AND if one only can log-in or retrieve password on user-name (not on email) AND if the user-names are hidden/encrypted within Drupal...

Another point is that there are so many security and login mod's; could there be a (or two) drupal project(s) integrating them ?

Comments

joestewart’s picture

joestewart commented

Improvements to Core Group - Add Display Name field(s) to core in addition to Username:

http://groups.drupal.org/node/11092

Issue - Add a Display Name field to core in addition to Username:

http://drupal.org/node/102679

frames’s picture

frames commented

I was also thinking why I could see the actual login names in Drupal via nodes or comment' authors.

I have seen Authorship (D5) (seen here, where they also mention this issue) and Alternate Login (D5/D6) modules, which do something about this, but not exactly what I want. The first one changes the displayed name for something else (keeping the actual login name somehow hidden), and the latter just adds a new name to login, but the actual "Drupal login" can be used.

Also, I don't like login as "John Doe", but as "johndoe" or the like. But that's another story. That's usability more than security.

bob.hinrichs’s picture

bob.hinrichs commented

I've been reading the numerous posts on this and the noble efforts to create patches and get this functionality into core (D7). To be perfectly frank, I see this lack of functionality as a security flaw in Drupal. Advertising login names is tantamount to giving away 50% of your users' credentials.

I didn't come across anyone considering this simple "backwards" approach to solving the issue (if someone did, then oh well, I missed it):

Background: we often use the Email Registration module. This module, as advertised, allows users to register and log in using their email addresses. In the background, the module assigns the first part of the email address to the stored user->name. However functionally speaking the user name (login) is not needed during login. As usual in Drupal, there is no need to display the user's email address throughout the site and this is not often done.

Assumption: users using email as login is acceptable for your given site.

Solution: Using Email Registration as our basis: The new direction would be to put the login name field back on the registration form, and let the user fill it in as a "public name." Second, we would disallow users from using that name to log in (they can use their email address only). This turns the login name into a public name, which by all present functionality in drupal and its modules is the name displayed for the user. Note: this name would have to be unique per user, but this is probably a desired feature.

This would be a contributed module, which bypasses all the hubub about whether to make this a part of Drupal core. We could add nifty features and options to it with wild abandon. It could of course be made to work on any version of Drupal. It would not require any restructuring of data and the site would even still function if you turned off the module.

bob.hinrichs’s picture

bob.hinrichs commented

I've just contributed a rough module that addresses this. It needs feedback.

http://drupal.org/project/publicname