Problem/Motivation

Why is the login user name also used for screen display?
I just don't understand why Drupal uses a login as a user name; it is not secure.
Secure systems never use the login for anything like a screen name, because it allows others to easily know the first component needed to access your account.

Proposed resolution

User name should be renamed to login, and a field named user name should be added.
Also, as many have asked, at this time make a radio selection box for:
1. Allow login with user login or email
2. Login only
3. Email only (system hides login field)

Remaining tasks

all

User interface changes

Update fields in /admin/config/people/accounts/form-display/ & /display/
Add login option to /admin/config/people/accounts

API changes

Any module using name can continue using it for display. Any module using name for login purposes would need to change.

Data model changes

Change user_data_field:name to user_data_field:login
Add user_data_field:name

Original report by [username]

I did search, not sure if anyone else has suggested this.

Comments

dsp1 created an issue. See original summary.

dsp1

Issue summary: View changes

idebr

Status: Active » Closed (duplicate)
Related issues: +#2629286: Use getDisplayName() for user names consistently

Hi dsp1,

This is being fixed in #2629286: Use getDisplayName() for user names consistently. I'll close this issue as a duplicate, so we can focus our efforts in the related issue.

dsp1

Component: base system » user.module

avpaderno

Issue tags: -login, -username, -Security

dsp1

Version: 8.6.x-dev » 9.3.x-dev
Status: Closed (duplicate) » Active

I know this seems like a duplicate, but that "duplicate" has not been fixed for years.
That duplicate is more about fixing issues so the real name module works correctly.

I would like to see this security issue fixed in core.

How about a feature to set any user field, by a checkbox setting, to make that field the display name field?
i.e. the checkbox tells the system to make that field the getDisplayName().

So you add a field, which could be named "name", then check a box or button that makes the field the display in the whole system.
This way the username field is hidden, so hackers cannot use that username to try to log in.

Why is there such resistance from the higher ups to fix this security issue?

dsp1

Title: Rename user name to login, add user name as a screen name for improved security » add the ability to set a user field to the display name field for improved security
Issue summary: View changes

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 11.x-dev » main

Drupal core is now using the main branch as the primary development branch. New developments and disruptive changes should now be targeted to the main branch.

Read more in the announcement.