Skype screwed up and it got revealed today. Due to a series of stupid things, there is (was) a trivial way to hijack anyone’s account. One of the stupid things is that they allowed a 2nd user to register with an email that is already registered. I have seen this many times, with forums, groupon-like sites (there I debugged their system over the phone), and whatnot – too many systems lack a unique constraint on their email column.
Even though the problems are not always that big as with Skype, you should always have a unique constraint on the email column in the users table. Because that’s what the logic says – one user – one email. If you allow a 2nd user with the same email, then “forgotten password” works for which account? What about emails about promotions – duplicate emails will be sent. Any many more issues coming from not paying attention to this simple thing.
Have in mind that the unique constraint is best imposed at a database level. If you have it just in your code, some future code or change might not obey it.
So, tip of the day – make your email column unique.