
Ugh. Then there's the general stupidity of forcing people to use E-mail addresses as user IDs. It's not just annoying, but also a security blunder. The general public can't be counted on to understand that when they're forced to use their E-mail address as an ID, they don't have to use their E-mail account's password for it.

That makes every one of these sites a gatekeeper to the user's E-mail account. All it takes is one shitty security regime or one disgruntled employee to expose these credentials.

Then there's the fact that everyone's E-mail addresses are on thousands of spammers' lists. When you combine those lists with lists of common passwords and start probing accounts, you have... once again... boatloads of compromised ones.

It's sad to see a company like Apple fall into this dumb behavior and then try to patch it up after some high-profile "hacks." Originally, Apple IDs did not have to be E-mail addresses; when they implemented this dumb policy, they wound up with scads of customers with multiple Apple IDs and purchases scattered across them willy-nilly. And when people rightfully complained, Apple huffily declared that it would NOT consolidate them for anyone. Nice attitude: Create a problem and then refuse to provide a solution.

But back to the perpetrator here: OKCupid took this to a new level when they started insisting that you provide a phone number. I got into some loop where I couldn't log in and I couldn't log out, because they kept hounding me about the phone number that I couldn't access my account settings to provide. Or something stupid like that. And you know what, OKC? You don't need my phone number, so piss off.

It's too bad. OKCupid was the best of the dating sites during its heyday.



Related stupidity: "Security Questions" that enable someone to take over your account just by collecting not-so-secret information that is often shared because the site insists you pick from their own set of questions which other sites have already used.


The best way to tackle "Security Questions" is to generate a passphrase, store in your password manager, and use that for the answer.

In the unlikely event you ever need to recover your account with the Security Answer, it's much easier to read out a few words than a 16+ character random password.


That is an unattainable standard for the average joe though. Savvy people have their ways to keep things secure, even if it's inconvenient. It's the masses that fall prey to these avoidable traps.


1Password actually has built-in support for that very flow: https://support.1password.com/generate-security-questions/#c...

The only thing is you sometimes have to warn the customer service agent that you have an unusual answer to "childhood best friend", but otherwise I've never had a problem with it.


"Can you tell me the name of your favourite teacher... hmm..."

"Oh, it's a load of random letters and numbers, starts with X"

"Yes, let's proceed"

Happened to me once, I can't remember the company as it was many years ago.


I don't mean to discount your experience, and I'm guessing the social engineering opportunities are unlimited no matter the protections, but the screenshot I provided shows that by default it uses word-based, not password-style, generation, so your childhood best friend would be "couch tulip wheel" and not cafe8675309$


There's other good reasons not to use a random string! Try calling up customer service, they'll ask you the question, and you can say "oh it's just a bunch of random letters and numbers".

Unlike a code or password, these security questions are fuzzy matches, generally based on the judgment of the human on the other end.


Definitely, but it's very hard to convince your whole family to adopt this practice...


I choose answers that only barely make sense, i.e.:

"Where is your favorite vacation spot?"

Narnia

"What was your first pet's name?"

Falkor

Even my closest friends who know me would never guess those, even if they knew I was giving bullshit answers, simply because I was never into "The Lion, The Witch, and the Wardrobe" or "Never Ending Story".

(Note: These are not ACTUAL answers I've given, but you get the idea)

I save the bullshit answers into my password manager. But yeah, it's probably a better idea to just use an actual pass phrase.


The problem becomes when a CS rep needs you to answer those questions on the phone.

How do you handle that?


Not parent poster, but generating a sequence of randomized dictionary words will work provided the answer-field isn't too small and none of them are too hard to spell.
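Generating such an answer with the OS CSPRNG and checking it against the constraints this comment and the earlier ones mention (answer field size, short easy-to-spell words, enough guessing entropy), as an added example that is not from any commenter; the word list is constructed and the function names are my own:

```python
import math
import secrets

# Constructed, deliberately tiny word list for this example. A real list
# (e.g. the EFF diceware lists) has thousands of short, common words.
WORD_LIST = [
    "apple", "beach", "cabin", "delta", "eagle", "fence", "grape", "house",
    "ivory", "jelly", "kiosk", "lemon", "mango", "noble", "olive", "piano",
    "quilt", "river", "salad", "table", "umbra", "vivid", "wheat", "xenon",
    "yacht", "zebra", "couch", "tulip", "wheel", "cloud", "stone", "bread",
]


def usable_words(words, max_word_len=6):
    """Keep only plain alphabetic words short enough to spell out on a call."""
    return sorted({w.lower() for w in words if w.isalpha() and len(w) <= max_word_len})


def entropy_bits(list_size, word_count):
    """Guessing entropy of word_count independent draws from list_size words."""
    return word_count * math.log2(list_size)


def generate_answer(words, word_count=3, field_max_len=30, rng=secrets):
    """Pick word_count random words; reject answers that would not fit the
    site's (often short) answer field. rng needs a .choice() like secrets."""
    pool = usable_words(words)
    if word_count < 1 or not pool:
        raise ValueError("need at least one word and a non-empty pool")
    shortest = word_count * min(len(w) for w in pool) + (word_count - 1)
    if shortest > field_max_len:
        raise ValueError("answer field too small for that many words")
    while True:
        answer = " ".join(rng.choice(pool) for _ in range(word_count))
        if len(answer) <= field_max_len:
            return answer


if __name__ == "__main__":
    ans = generate_answer(WORD_LIST, word_count=3, field_max_len=25)
    print(ans, f"({entropy_bits(len(usable_words(WORD_LIST)), 3):.1f} bits)")
```

With a real few-thousand-word list, three words give roughly 35 bits, which is far beyond anything a "mother's maiden name" lookup offers while still being readable to a support agent.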


This question reminds me of another brain-dead and rather incredible password policy I encountered. I was trying to set a password for United Healthcare. Their password requirements were shown, and I was complying with all of them. Yet it was failing over and over.

I finally called them to report the problem, and the first question out of the rep's mouth was, "Does your password contain swear words?"

I shit you not, UHC secretly audits your passwords for "swear words." Doing so is bad enough, but not mentioning it in the rules is doubly offensive for deliberately stealing users' time.


Make sure it is a plausible-sounding answer.

Don't give an attacker an opportunity to social engineer and say, "it was a bunch of random letters or words" and the customer service person lets them in because it looked like someone was just typing random stuff.

(Insert xkcd here)


Unfortunately you're right. Your email is an identity that follows you everywhere. In the world we live in, we need to make an email per service.


Another problem with email address as user ID is that much of the public (most I'd guess) does not have a permanent email address.

Many use an email address provided by their ISP. What happens when they move out of that ISP's territory? Or, if they are someplace served by multiple decent ISPs, decide to switch providers?

Many use addresses from gmail, outlook, yahoo, and similar. Those at least keep working if they move, but still have some risk. If you use multiple services from the companies that own those and do something to get banned from one of those company's services, that might also get you banned from their email service.

Best, if a site insists you use email as user ID, is to use an email at a domain of your own. That won't be free, because you'll have to rent the domain and pay someone to handle your email (most people will not be up to running their own email server), but if the domain is at one of the long-established TLDs, you don't do anything too illegal, and it isn't close enough to the name of an established company that you could lose it over trademarks, you can probably keep it for the rest of your life.

Whoever you use to actually handle your mail might go away or kick you off, but as long as you still have the domain you can switch to some other mail handler and point the domain's mail records in DNS to that new handler.

If you want to be sure that there is no risk of being accused of being a domain squatter or losing the domain in a trademark dispute pick a name that will not be at all similar to any business name or famous person name. I've got my ham radio callsign as a domain under the US TLD for example.

If you aren't using your own domain, at least check with any important site that you use that requires email as user ID to make sure they have a way to change the email so that if you do end up losing your current email you can update the site. That might not work if you lose the email without warning, but at least it can help in cases where you know you are going to lose the email such as switching to a new ISP.

It might also be a good idea to keep a list of all sites you are using where you will need to change the email as user ID if you are going to move, so fixing it can be part of your moving checklist.

In the US, both of the login servers that more and more government agencies require you to use for online access, ID.me and Login.gov, use email as user ID. Both allow you to change that email (add the new email as a secondary email on the account, then change the new email to be the default email). It would be really annoying to not remember to do so until after you have lost the old email, and so find yourself unable to log in to your IRS account or your Social Security account.


"Another problem with email address as user ID is that much of the public (most I'd guess) does not have a permanent email address."

Exactly, which gave rise to the ongoing multiple-Apple-IDs fiasco.



