cPanel & WHM Version 114 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Login with individual loginname instead of login=emailadress

lorio shared this idea 8 years ago
Needs Review

To prevent bruteforce login success an option to change loginnames from the emailadress to an individual loginname would be nice.

Replies (2)


This is not something we will consider. The various accounts that follow the format of require that format in order to be unique on the server. If we allowed login within the domain portion then a given email address (for example) could only be used once on the server.

cPanel & WHM are most commonly used on servers with 10s, 100s, or 1000s of accounts, with corresponding domains. If we suddenly began restricting email addresses on those systems it would cause significant support costs and drive people away from their service providers, and cPanel & WHM.


Your reasoning sounds like nobody could offer a solution. There are many shades of grey between black and white.

Userprefix on mysql databases where following the same reasoning.

Five years ago there weren't many cpanel specific attacks. Now I see them every day on ports and with the knowledge of username=emailaddress. And complex passwords drive away customers too.

Perhaps a prefix or suffix generated when creation the account or domain can be added to the emailadress to form the username. That way a check for collision could be reduced to the time when creation a new account.



We already have a solution in place: the domain name is the suffix.

If I understand your proposal correctly, you want to replace a current working system with a different system. The reason for the proposal is to reduce the number of accounts that are locked out due to brute force attacks (or perhaps are even compromised to weak passwords). Is that an accurate understanding?

Without knowing more about your systems and infrastructure I would recommend looking into the various other tools available for mitigating brute force attacks, such as source IP checks, limiting logins by IP address and such.


When you install Wordpress the first recommendation is not to use admin as a username but to create a username not easily guessed.

To me there is a difference between an individual username (or prefix/suffix with emailadress) and an already known emailadress. The attack vector is different. You recommendation is already in place. But it's the same as when you recommend a public person to get a answering machine instead of a secret telephone number ;-)

So if the suffix/prefix is widely known, I don't need the suffix/prefix at all.

The next thing I waiting is that someone is bringing up "security by obscurity".

As long as many dumb attacks are done in massive amounts it still makes sense in certain areas.

Replies have been locked on this page!