On Aug 21, 2009, at 10:22 AM, Laura Malone wrote:
My question is, have you resolved this conflict in your website, and if so, how?
Facebook pretends to send the email. Of course when the user doesn't receive the message, they lose confidence in whether the "lost password" function is working correctly.
One way to address this without compromising security is to send an email with the error report to the non-registered address instead of displaying the error on the web page. In this way the user still receives valuable feedback (with a link back to site registration if appropriate) while automated bots are unable to ascertain whether the address was valid or not. You should also throttle the "forgot password" function to avoid it being abused. For example, after five attempts the ability to reset a lost password is unavailable for five minutes.
Cheers,
-corn

Corn Walker
The Proof Group
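A sketch of the approach suggested in the message above, added here as an example and not code from the post or from any site it mentions: the web response is identical for registered and non-registered addresses, the real feedback travels by email, and the function locks for five minutes after five attempts. The names `ResetService` and `request_reset`, the in-memory `outbox` standing in for mail delivery, and keying the throttle on a client identifier such as an IP address are assumptions.

```python
import time

GENERIC_REPLY = "We've sent an email to that address with further instructions."
MAX_ATTEMPTS = 5           # five attempts, as suggested in the message
LOCKOUT_SECONDS = 5 * 60   # then unavailable for five minutes


class ResetService:
    """Hypothetical forgot-password handler; all names are illustrative."""

    def __init__(self, registered, clock=time.monotonic):
        self.registered = {a.lower() for a in registered}
        self.clock = clock
        self.attempts = {}  # client id -> (count, time the count expires)
        self.outbox = []    # (recipient, kind); stands in for real mail

    def _throttled(self, client):
        now = self.clock()
        count, expires = self.attempts.get(client, (0, 0.0))
        if now >= expires:
            count = 0  # lockout or quiet period over: start counting again
        if count >= MAX_ATTEMPTS:
            return True
        self.attempts[client] = (count + 1, now + LOCKOUT_SECONDS)
        return False

    def request_reset(self, email, client):
        if self._throttled(client):
            return 429, "Too many requests. Try again in five minutes."
        address = email.strip().lower()
        # Feedback goes by mail only, so the web page reveals nothing
        # about whether the address has an account.
        if address in self.registered:
            self.outbox.append((address, "reset_link"))
        else:
            self.outbox.append((address, "not_registered_notice"))
        return 200, GENERIC_REPLY


if __name__ == "__main__":
    svc = ResetService({"alice@example.com"})  # constructed sample account
    for addr in ("alice@example.com", "nobody@example.com"):
        print(addr, svc.request_reset(addr, client="203.0.113.7"))
    print(svc.outbox)
```
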