Track invitations with email address other than login

rdenichilo

I am trying to track invitations to view photos using the share feature. However, it seams like the only way to track the invitations is to log in. For security purposes, I do not want to use the login email as a public email for my site.

My question is, is there a way to track invitations while using an email address other than your login to send the invitation?

Andy

rdenichilo wrote:

I am trying to track invitations to view photos using the share feature. However, it seams like the only way to track the invitations is to log in. For security purposes, I do not want to use the login email as a public email for my site.

My question is, is there a way to track invitations while using an email address other than your login to send the invitation?

Change your account email address, sure. You do this in control panel.

rdenichilo

Andy wrote:

Change your account email address, sure. You do this in control panel.

Hi Andy,

Thanks for the quick response. The problem is, I do not want to change the login email for the site. I want to use the public email that is visible in the contact us page to send out invitations. I do not think it is good security to use a publically known email address as a login. That only leaves your password as a barrier to your account, which contains credit card info, and allows someone to mess with your site. I know I can send the invitation using any email address, but then I cannot track it.

Maybe I am being paranoid, but I don't think the login email should be a publically known email address.

Andy

rdenichilo wrote:

Hi Andy,

Thanks for the quick response. The problem is, I do not want to change the login email for the site. I want to use the public email that is visible in the contact us page to send out invitations. I do not think it is good security to use a publically known email address as a login. That only leaves your password as a barrier to your account, which contains credit card info, and allows someone to mess with your site. I know I can send the invitation using any email address, but then I cannot track it.

Maybe I am being paranoid, but I don't think the login email should be a publically known email address.

It cannot be changed now, but I'll be sure the team sees your concerns. Thanks!

BeachBill

rdenichilo wrote:

Thanks for the quick response. The problem is, I do not want to change the login email for the site. I want to use the public email that is visible in the contact us page to send out invitations. I do not think it is good security to use a publically known email address as a login. That only leaves your password as a barrier to your account, which contains credit card info, and allows someone to mess with your site. I know I can send the invitation using any email address, but then I cannot track it.

Maybe I am being paranoid, but I don't think the login email should be a publically known email address.

I believe what Andy was saying, is that you can temporarily change the e-mail address, send the invitation, then change it back.

Also, are you aware that you can use your account username in the "email" field when logging in? If someone knows your accountname.smugmug.com address, then they already have one half of the information needed to log into your account.

rdenichilo

BeachBill wrote:

I believe what Andy was saying, is that you can temporarily change the e-mail address, send the invitation, then change it back.

Ah, I didn't get that. Thanks for the clarification. I will try that.

BeachBill wrote:

Also, are you aware that you can use your account username in the "email" field when logging in? If someone knows your accountname.smugmug.com address, then they already have one half of the information needed to log into your account.

No, I did not realize that. That does not diminish my point though. Maybe that should be changed so that you can only log in with a unique username.

BeachBill

All I can suggest is to make sure you are using a strong password.

AnneMcBean

rdenichilo wrote:

No, I did not realize that. That does not diminish my point though. Maybe that should be changed so that you can only log in with a unique username.

Unique username? Your SmugMug nickname is unique... are you suggesting another identifier aside from email address or SmugMug nick?

A good password is not guessable and could be 10+ characters long. I guess I don't understand why an extra identifier would be important?

-Anne

AnneMcBean

BeachBill wrote:

All I can suggest is to make sure you are using a strong password.

-Anne

rdenichilo

AnneMcBean wrote:

Unique username? Your SmugMug nickname is unique... are you suggesting another identifier aside from email address or SmugMug nick?

A good password is not guessable and could be 10+ characters long. I guess I don't understand why an extra identifier would be important?

-Anne

I just don't think that our usernames should be publically known or so easy to figure out. Our accounts contain credit card info, and I spent a lot of time customizing my site. Yes, a strong password is essential and may be sufficient. But even better would be a username that is not publically associated with our accounts. I just think that is stronger security than relying on just a password. And better policy.

jfriend

rdenichilo wrote:

I just don't think that our usernames should be publically known or so easy to figure out. Our accounts contain credit card info, and I spent a lot of time customizing my site. Yes, a strong password is essential and may be sufficient. But even better would be a username that is not publically associated with our accounts. I just think that is stronger security than relying on just a password. And better policy.

From a security standpoint, what you are saying is that you want to have two secrets to guard your login, your username and your password instead of just one secret (your password). You can do that if you want and two secrets are more secure than one.

But, from a pure security standpoint, you can achieve the same amount of true security by using one secret (your password) that is simply longer. So, if you just lengthen your password and make sure it follows the typical password hygiene rules (no repeating chars, mixture of alpha and numerics, no actual dictionary words, etc...), a long password can be very secure and can be as secure as using a shorter password and a secret login ID.

It's totally up to you. I'm not trying to talk you into one thing or the other, just making sure you understand the options.

Also, as ecommerce sites go, there's not much that one can do to your credit card on Smugmug's site. To my knowledge, you can't get the credit card info out of Smugmug's site (even if logged in) and you can't buy anything other than an upgrade to a higher account level without resubmitting the credit card info, I think of it as a lot different than protecting your Amazon account.

rdenichilo

jfriend wrote:

From a security standpoint, what you are saying is that you want to have two secrets to guard your login, your username and your password instead of just one secret (your password). You can do that if you want and two secrets are more secure than one.

But, from a pure security standpoint, you can achieve the same amount of true security by using one secret (your password) that is simply longer. So, if you just lengthen your password and make sure it follows the typical password hygiene rules (no repeating chars, mixture of alpha and numerics, no actual dictionary words, etc...), a long password can be very secure and can be as secure as using a shorter password and a secret login ID.

It's totally up to you. I'm not trying to talk you into one thing or the other, just making sure you understand the options.

Also, as ecommerce sites go, there's not much that one can do to your credit card on Smugmug's site. To my knowledge, you can't get the credit card info out of Smugmug's site (even if logged in) and you can't buy anything other than an upgrade to a higher account level without resubmitting the credit card info, I think of it as a lot different than protecting your Amazon account.

All good and valid points. I don't want to make this a bigger issue than it needs to be, but in the sake of discussion I belive the point is that the difference between smugmug and amazon is that no one else necessarily knows my amazon username. But, they may know my gmail, or yahoo username. So it is not unsual to have one secret. Its just that in thinking about it, I believe that two secrets are better than one no matter how secure your password is.

jfriend

rdenichilo wrote:

All good and valid points. I don't want to make this a bigger issue than it needs to be, but in the sake of discussion I belive the point is that the difference between smugmug and amazon is that no one else necessarily knows my amazon username. But, they may know my gmail, or yahoo username. So it is not unsual to have one secret. Its just that in thinking about it, I believe that two secrets are better than one no matter how secure your password is.

I'll make one final comment and then let you handle it how you want.

On Amazon, my user name is my email address and I think that's how it works for everyone - same as Smugmug. I have a much, much more robust password on Amazon because there is real ecommerce risk there.

BeachBill

Just throwing this question out for discussion...

What is stronger, or are they the same:

1) 8 charcater secret username + 8 character password

2) 16 character password

Assuming both use strong password common sense.