Forgot my login email but have user ID and password

I have my account username, like If0_1234xyz, and my InfinityFree dashboard password.

I want to log in to my account dashboard, but I am unable to log in without the email and unable to find my email account. There is no other way to log in and no section to find the email by user ID.


I have completely lost my account and there is no other way to recover it.

Suggestions for improvement
  • Users can log in with their user ID and InfinityFree dashboard password
  • If possible, please add a "forgot email" section where users can get their email address details with their user ID and password

Please don’t use HTML heading tags, there is no need.

And did you even look at the forgot password page? Because you can retrieve your account based on your username:

https://dash.infinityfree.com/forgot-password

Once you enter your account username just check your email inboxes to find which one the reset email got sent to.

5 Likes

Thank you, sir, but I already followed these steps and visited the Forgot Password page. This will send a verification mail to the registered email account.

Actually, I recently formatted my device without any backup and lost all accounts and their data, including my email accounts, and now I have forgotten which email I used to create that account, so I submitted this forum post.
Now I have just the user ID and password and need just two things:

  1. To be able to log in with user ID or password
  2. A new form page that tells me the email

A form where you could enter a username and get the email address would be a massive data breach. It would make it trivial for hackers to get people’s email address from our system, because usernames are not private data. Or worse, it would allow hackers to obtain a full list of all user email addresses by simply enumerating the usernames.

So forms that will give the email address are very dangerous.

I understand that being able to login with hosting account usernames would be beneficial to you, however it has a few problems:

  • The obvious confusion caused by using a hosting account username with a client area password.
  • Alternatively, the security issue of logging in to the client area with hosting account usernames and passwords, which are less well protected than client area credentials. This could technically be considered a privilege escalation exploit, which is a quite severe category of security issues.
  • Many more people who don’t know their email address also don’t know their passwords, in which case this functionality would not be helpful.
  • It’s quite difficult to implement.

Basically everyone agrees that systems should be secure, but it’s when that security comes at the expense of usability that it starts to cause resistance.

Please understand any mechanism to recover accounts (bypassing the usual authentication flow) could create an account takeover vulnerability if not implemented perfectly. For this reason, there are situations in which you can lose access to your accounts for which we do not have a recovery mechanism.

We don’t do this because we don’t care or because we want to punish you, it’s just that we want to have absolute certainty that we are not giving anyone other than you access to your accounts. And getting that right is difficult.

5 Likes

@Admin I agree with you, sir. Maybe the username is not private data, but the password is also a private credential; it can be used to verify and may be secure from hackers.

Password authentication can secure users' private data from hackers; it works like a security bridge.

Alternatively, InfinityFree can provide a hint of the email address when a user submits the
Forgot Password form. When a user submits this form, the email address appears like

user34*****@domin.com

or
user34****@*****.com

Google and Microsoft also use this method for account recovery as an alternative mail verification.

Maybe these suggestions will work and many users will get their accounts back, because I saw some queries about this topic.

And at the end I submitted this.

I hope InfinityFree will work on our query and we'll get account access again.

I understand that having such a feature would help you in this case, however, there are a lot of problems with it:

  • Even showing part of the email address means that the system exposes PII, which should be handled with extreme care.
  • How much data can be shown safely? Your user34****@example.com works great if the domain is gmail.com, but what if the email is [email protected]? Then showing the first 6 characters of the local part and the domain name isn’t exactly secure.
  • How much data needs to be known? Showing j**e@gl.com might be enough for some, but not for others.

Please understand that Google and Microsoft have armies of security experts working on their authentication system to make it absolutely secure, and there is probably more than meets the eye for their authentication systems. Like risk scoring based on a lot of extra metrics to determine how much of the email address they can show. I don’t have that luxury.

For example, I know that they do (or at least used to do) what you said, but I’m unable to trigger the behavior myself.

You don’t need to convince me that there are many people who would benefit from account recovery options. However, there are a lot of additional scenarios to consider than “I know the password but not the email address”, such as:

  • People don’t know the email address and password.
  • People don’t know their account usernames.
  • People know the email address, but not the password, but the email address is not accessible (e.g. it was deleted, or they forgot the password to that too).

And you have to understand that we are talking about authentication here. It has to be done exactly right. Do it wrong, and you’re rolling out the red carpet for hackers to obtain people’s personal information and take over their accounts.

I would love to add recovery mechanisms to help people, but I don’t want to undermine the security of the platform by doing so. And it should be something that’s feasible to implement for us (you have to consider that InfinityFree doesn’t have the same engineering capacity as Google or Microsoft).

And as far as I can tell, there are no recommendations for implementing something like this properly.

6 Likes
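The "how much can be shown safely" question from the reply above, worked through as an added example (not part of the original posts and not InfinityFree code). The function names, the `keep`/`stars` parameters and the sample addresses are constructed for illustration.

```python
from collections import Counter

def mask_email(email, keep=6, stars=4):
    """Build a hint in the style proposed in the thread: the first `keep`
    characters of the local part, a fixed run of stars, then the full domain."""
    local, _, domain = email.rpartition("@")
    return f"{local[:keep]}{'*' * stars}@{domain.lower()}"

def hidden_chars(email, keep=6):
    """Number of local-part characters the hint actually withholds."""
    local = email.rpartition("@")[0]
    return max(len(local) - keep, 0)

def review_hints(emails, keep=6):
    """For each address return (hint, hidden character count, number of
    addresses in `emails` that produce the same hint)."""
    shared = Counter(mask_email(e, keep) for e in emails)
    return {e: (mask_email(e, keep), hidden_chars(e, keep),
                shared[mask_email(e, keep)]) for e in emails}

def fully_disclosed(emails, keep=6):
    """Addresses whose hint hides nothing: the stars are decoration only."""
    return sorted(e for e in emails if hidden_chars(e, keep) == 0)

# Constructed sample population; none of these addresses come from the thread.
SAMPLE = [
    "user3401@gmail.com",
    "user3402@gmail.com",
    "user3477@gmail.com",
    "j.doe@gmail.com",
    "jane@smallfirm.example",
]

if __name__ == "__main__":
    for addr, (hint, hidden, same) in review_hints(SAMPLE).items():
        print(f"{addr:26} -> {hint:30} hidden={hidden} shared_by={same}")
    print("fully disclosed:", fully_disclosed(SAMPLE))
```

A fixed `keep` that leaves some ambiguity for long local parts on a large provider withholds nothing for short local parts, and on a small custom domain the hint is unique to one person either way.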

@Admin Thank you, sir.
The topic can be closed now.

As a little bit of a closing note, I did some investigation into other security systems, recommendations and especially off-the-shelf authentication platforms regarding what they do.

None of them have an email recovery mechanism. It almost always works by sending a reset link or code to the email address, in which case you need to enter the email address.

This includes Google’s own Firebase Auth, by the way.

In most systems, the only way to reset a password if you don’t know or have access to the email address is to use a secondary recovery address or a phone number (with SMS). However, this does require initial setup ahead of time (configuration of phone numbers and recovery emails), which is less than practical.

General security recommendations state that you should provide as little information as possible on the login and recovery pages, even acknowledging the existence of an account given a particular email address is not recommended.

Google and Microsoft do do this, but they have enough security expertise in-house that they can deviate from the recommendations without sacrificing security. But to then say “$trillionDollarCompany can do it, so you can too” is a bit of a stretch.

I think it’s best to just stick to the generally accepted security recommendations. Which means we cannot show email addresses during the password recovery procedure.

6 Likes
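The recovery flow described in this thread (reset by username or email, link sent only to the address on file, nothing disclosed on the page), sketched as an added example. It is not InfinityFree's code; the in-memory stores, function names and the sample account are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Constructed sample data: hosting username -> client-area email on file.
ACCOUNTS = {"if0_1234xyz": "owner@example.com"}
OUTBOX = []        # stands in for a mail queue: (recipient, token)
RESET_TOKENS = {}  # sha256(token) -> (email, expiry timestamp)
TOKEN_TTL = 3600   # seconds a reset link stays valid

GENERIC_REPLY = ("If that account exists, a reset link has been sent "
                 "to the email address on file.")

def request_reset(identifier, now=None):
    """Accept a username or an email address. The reply is identical whether
    or not anything matched, so the form confirms neither the account's
    existence nor its email address."""
    now = time.time() if now is None else now
    ident = identifier.strip().lower()
    email = ACCOUNTS.get(ident)
    if email is None and ident in ACCOUNTS.values():
        email = ident
    if email is not None:
        token = secrets.token_urlsafe(32)
        # Store only a hash so a leaked token table cannot be replayed.
        digest = hashlib.sha256(token.encode()).hexdigest()
        RESET_TOKENS[digest] = (email, now + TOKEN_TTL)
        # Queue the mail rather than sending inline, so response time does
        # not reveal whether a message went out.
        OUTBOX.append((email, token))
    return GENERIC_REPLY

def redeem(token, now=None):
    """Return the email a token was issued for, or None if it is unknown,
    already used or expired. Tokens are single-use."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or now > entry[1]:
        return None
    return entry[0]

if __name__ == "__main__":
    print(request_reset("if0_1234xyz"))
    print(request_reset("if0_nosuchuser"))
    print("mails queued:", len(OUTBOX))
```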

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.