On 06/04/2016 06:56 AM, Stephen Michel wrote:
>
> On June 4, 2016 5:21:31 AM EDT, mray <m...@mray.de> wrote:
>>
>> On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>>> Bryan Richter wrote, 4 June 2016 03:47:
>>>> There are two situations where I'm not sure what the best action is.
>>> IMO, the best solution (in both cases) is to *not* reveal that the user
>>> has (or hasn't) an account. If I'm trying to be anonymous, I don't want
>>> people to be able to find out whether I have an account at
>>> Snowdrift.coop. And if the user tries to create an account that already
>>> exists, *do* supply a 'reset password' link in the e-mail that is sent
>>> (but don't automatically reset the password).
>>>
>>> See also http://security.stackexchange.com/a/90354
>>>
>> +1
> Another +1.
>
> I think the email text should go along the lines of:
>
> Hi, someone tried to create an account with this email address, but you
> already have a snowdrift.coop account.
>
> If this was not you, no action is required. Your account is safe and no
> personal information has been revealed.
>
> If this was you, would you like to [log in]() or [reset your password]()?
>
> ----
>
> The reset password and create account processes should really each be tracked
> in a user story. I won't be around until later in the day but when I am, I will
> copy this discussion to taiga, in an existing US if I can find one.

+1 but I think there should be two different email texts, depending on whether
the action that triggered it was an attempt to create an account or to reset a
password.
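The pattern the thread converges on (one identical public response for both sign-up and password reset, with the account-exists / account-missing distinction pushed into the e-mail, and a different e-mail text per triggering action) can be sketched as an added example. This is illustrative code written for this post, not Snowdrift.coop's Yesod code; the user table, the token store, the placeholder URLs, the `Outbox` stand-in for the mailer and the response wording are all assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Constructed sample data: a tiny in-memory user table standing in for the
# real database. Only the address matters for this demonstration.
KNOWN_USERS = {"alice@example.org"}

# Placeholder URLs (not the real site's routes).
LOGIN_URL = "https://snowdrift.example/login"
RESET_URL = "https://snowdrift.example/reset"
SIGNUP_URL = "https://snowdrift.example/signup"
CONFIRM_URL = "https://snowdrift.example/confirm/"
RESET_TOKEN_URL = "https://snowdrift.example/reset/"


@dataclass
class Email:
    to: str
    subject: str
    body: str


@dataclass
class Outbox:
    """Stand-in for the mail sender; real code would queue these."""
    sent: list = field(default_factory=list)


# Hypothetical token store: only sha256(token) is kept, so a database leak
# does not hand out live confirm/reset links. value = (email, purpose)
TOKENS: dict = {}

# The single public response. It is the same object in every branch below,
# so the HTTP caller learns nothing about whether the address is registered.
UNIFORM_RESPONSE = {
    "status": 200,
    "message": "Thanks. If that address can be used, we have sent it an e-mail.",
}


def _issue_token(email: str, purpose: str) -> str:
    token = secrets.token_urlsafe(32)
    TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (email, purpose)
    return token


def handle_signup(email: str, outbox: Outbox) -> dict:
    """Create-account request. Existing accounts get the notice from the
    thread (login / reset links, no token); new addresses get a confirm token."""
    if email in KNOWN_USERS:
        outbox.sent.append(Email(
            to=email,
            subject="Someone tried to create an account with your address",
            body=("Hi, someone tried to create an account with this email "
                  "address, but you already have an account.\n\n"
                  "If this was not you, no action is required. Your account is "
                  "safe and no personal information has been revealed.\n\n"
                  f"If this was you, would you like to log in ({LOGIN_URL}) "
                  f"or reset your password ({RESET_URL})?"),
        ))
    else:
        token = _issue_token(email, "confirm-signup")
        outbox.sent.append(Email(
            to=email,
            subject="Confirm your new account",
            body=f"Confirm your account: {CONFIRM_URL}{token}",
        ))
    return dict(UNIFORM_RESPONSE)


def handle_reset(email: str, outbox: Outbox) -> dict:
    """Password-reset request: the second e-mail text the last reply asks for.
    Known addresses get a reset token; unknown ones get a sign-up pointer."""
    if email in KNOWN_USERS:
        token = _issue_token(email, "reset-password")
        outbox.sent.append(Email(
            to=email,
            subject="Your password reset link",
            body=(f"Reset your password: {RESET_TOKEN_URL}{token}\n\n"
                  "If you did not request this, no action is required."),
        ))
    else:
        outbox.sent.append(Email(
            to=email,
            subject="Password reset requested",
            body=("Someone asked to reset the password for this address, but "
                  "there is no account with this address.\n\n"
                  f"If this was you, you can create an account at {SIGNUP_URL}."),
        ))
    return dict(UNIFORM_RESPONSE)


if __name__ == "__main__":
    box = Outbox()
    for addr in ("alice@example.org", "nobody@example.org"):
        print(handle_signup(addr, box), handle_reset(addr, box))
    for m in box.sent:
        print("->", m.to, "|", m.subject)
```

The detail worth checking in a real implementation is that both branches cost roughly the same: here the existing-account path skips token generation, and in production the known path also hashes nothing while the unknown path may, so a response-time difference can leak the same bit the message wording was hiding. Doing the token/hash work unconditionally, or sending the mail from a background queue, closes that side channel.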
_______________________________________________
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss