If you’re annoyed by the new requirement to have a unique email address for every user, you’re definitely not alone.
We don’t much like it either. Back in the early days of our service, we learned very quickly that many small companies don’t have an email address for each employee. For that reason, we allowed users to log in to the service with their numeric userID. That was a decision we made back in 2005.
Unfortunately, times have changed. There are far more attackers online today than there were 17 years ago, and the techniques they use to break into accounts are more varied than ever. Attacks are frequent and take many forms. With this in mind, sequential numeric IDs are no longer a wise choice for logging in.
The main problem with numeric IDs is their predictability. Because the IDs are assigned sequentially, an attacker does not need to discover usernames at all: they can simply count through the ID range and know that every value in it is a valid account. That turns a guessing problem with two unknowns (who the user is and what their password is) into one with a single unknown, the password, which makes password-guessing and brute force attacks across the whole platform far cheaper. This risk must be addressed to remain safe in today’s environment.
Beyond that risk, our technology partners also scan us for vulnerabilities. To partner with companies like Intuit, Gusto, and our merchant bank, we are required to undergo periodic security testing, and those tests have flagged userID login as a weak point in our armor. We have not been told that service with our partners will be suspended, but such requirements are likely to arrive soon, and Timesheets.com prefers to get ahead of changes that will be required anyway.
For these reasons and others, we are removing access to the site via userID and will rely on the common internet practice of using an email address as the username for authentication.
If you’re one of those companies that doesn’t have an email address for each employee, don’t worry. You have some options.
- You can use the employee’s personal email address. There’s no reason not to: we don’t market to employees, ever, so their email address is safe with us.
- You can create new email addresses for free with Google and many other services. It’s fast and easy. If your employee’s userID was 273835, we suggest making the email address similar to that, for example: [email protected] or [email protected]. This helps your users remember their username while taking it out of the predictable numeric sequence. One caution: if every address you create follows exactly the same pattern, an attacker who learns one of them can guess the rest, so it is worth varying the pattern rather than using a fixed template for the whole company.
- You can make up an email address that doesn’t exist, such as [email protected] (use whatever values you like, as long as the result is in the format of an email address). NOTE: we do not recommend this approach. It is certainly the easiest, but it also means that employees will not receive notifications of any kind and won’t be able to use the self-serve password reset function when they need it. Be aware, too, that if the domain in a made-up address exists, or is later registered by someone else, mail for that account (including password reset messages) could be delivered to a stranger; if you must do this, use a domain you control.
- If your employee has a cell phone, they may also have an email address tied to their phone number. For instance, AT&T provides its customers with email addresses derived from their phone numbers: if an AT&T customer’s phone number is 800 555-1212, their email address would be [email protected]. Messages sent to such an address arrive on the phone as text messages, so notifications and password reset messages will reach the employee that way.
We understand this is inconvenient, but security is rarely fun. The good news is that Timesheets.com cares about security and will continue to work towards a better and more secure environment today and in the future.