On Mon, Jun 6, 2016 at 12:11 PM, Michael Siepmann <m...@techdesignpsych.com> wrote:
On 06/04/2016 06:56 AM, Stephen Michel wrote:

 On June 4, 2016 5:21:31 AM EDT, mray <m...@mray.de> wrote:

 On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
 Bryan Richter wrote on 4 June 2016 at 03:47:
There are two situations where I'm not sure what the best action is.
 IMO, the best solution (in both cases) is to *not* reveal that the user has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want people to be able to find out whether I have an account at Snowdrift.coop. And if the user tries to create an account that already exists, *do* supply a ‘reset password’ link in the e-mail that is sent (but don’t automatically reset the password).

 See also http://security.stackexchange.com/a/90354

 +1
 Another +1.

 I think the email text should go along the lines of:

Hi, someone tried to create an account with this email address, but you already have a snowdrift.coop account.

If this was not you, no action is required. Your account is safe and no personal information has been revealed.

If this was you, would you like to [log in]() or [reset your password]()?

 ----

The reset password and create account processes should really each be tracked in user story. I won't be around until later in the day but when I am, I will copy this discussion to taiga, in an existing US if I can find one.
+1 but I think there should be two different email texts, depending on whether the action that triggered it was an attempt to create an account or to reset a password.

+1, that was specifically for the create account case. Perhaps the reset password could go like this:

Hi, someone requested a link to reset your account password.

If this was you, you may follow [this link]() to reset your password. It will expire in X minutes.

If this was not you, no action is required. Your account is safe and no personal information has been revealed. If this has happened before recently or you believe someone is trying to gain unauthorized access to your account, do [XYZ].
---
I'm not sure about whether I want to drop that last sentence or not.
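The flow the thread converges on (identical public responses whether or not the address has an account, the distinction carried only in the email, separate texts for the sign-up and reset cases, and a reset link that expires) can be sketched as a small service. The following is an added illustration, not code from Snowdrift.coop or from anyone on the list; the `Outbox` mail stand-in, the 15-minute expiry standing in for "X minutes", the response wording, and the choice to also send a mail when a reset is requested for an unknown address are all my assumptions.

```python
"""Enumeration-resistant sign-up and password-reset flow (constructed example)."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Assumed policy value: the thread leaves "X minutes" open.
RESET_TTL_SECONDS = 15 * 60

# The HTTP-level reply is the same on both branches, so nothing about account
# existence is observable from the response itself (assumed wording).
SIGNUP_RESPONSE = "If that address can be used, a confirmation email is on its way."
RESET_RESPONSE = "If an account exists for that address, a reset email is on its way."


@dataclass
class Outbox:
    """Stand-in for a mail transport; records (to, subject, body) tuples."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


class AccountService:
    def __init__(self, outbox: Outbox, now: Callable[[], float] = time.time):
        self.outbox = outbox
        self.now = now                 # injectable clock so expiry can be tested
        self.accounts = set()          # emails with a confirmed account
        self.pending = {}              # sign-up token -> email
        self.reset_tokens = {}         # reset token -> (email, expiry timestamp)

    def create_account(self, email: str) -> str:
        if email in self.accounts:
            # Existing account: the owner learns about it by email (with a
            # reset option), never via the response. The password is untouched.
            self.outbox.send(
                email, "Someone tried to create an account with your address",
                "Hi, someone tried to create an account with this email address, "
                "but you already have a snowdrift.coop account.\n\n"
                "If this was not you, no action is required. Your account is safe "
                "and no personal information has been revealed.\n\n"
                "If this was you, would you like to log in (/login) or reset your "
                "password (/reset)?")
        else:
            token = secrets.token_urlsafe(32)
            self.pending[token] = email
            self.outbox.send(email, "Confirm your account",
                             f"Follow /confirm/{token} to finish creating your account.")
        return SIGNUP_RESPONSE

    def request_reset(self, email: str) -> str:
        if email in self.accounts:
            token = secrets.token_urlsafe(32)
            self.reset_tokens[token] = (email, self.now() + RESET_TTL_SECONDS)
            self.outbox.send(
                email, "Password reset requested",
                "Hi, someone requested a link to reset your account password.\n\n"
                f"If this was you, follow /reset/{token} to reset your password. "
                f"It will expire in {RESET_TTL_SECONDS // 60} minutes.\n\n"
                "If this was not you, no action is required. Your account is safe "
                "and no personal information has been revealed.")
        else:
            # Assumed design choice: still send a mail, so the two branches do
            # the same amount of work and the address owner is informed.
            self.outbox.send(
                email, "Password reset requested",
                "Hi, someone requested a password reset for this address, but "
                "there is no account for it. If this was not you, no action is required.")
        return RESET_RESPONSE

    def redeem_reset(self, token: str) -> Optional[str]:
        """Return the email for a valid, unexpired token; tokens are single use."""
        entry = self.reset_tokens.pop(token, None)
        if entry is None:
            return None
        email, expiry = entry
        if self.now() > expiry:
            return None
        return email


if __name__ == "__main__":
    box = Outbox()
    svc = AccountService(box)
    svc.accounts.add("alice@example.org")           # constructed existing user
    print(svc.create_account("alice@example.org"))  # same text as below
    print(svc.create_account("bob@example.org"))
    for to, subject, body in box.sent:
        print(f"--- to {to}: {subject}\n{body}\n")
```

The two externally visible signals a caller could compare are the response text and the timing; the first is constant by construction, and sending mail on every branch keeps the second close, though a production deployment would still queue the mail asynchronously and rate-limit both endpoints per address.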

_______________________________________________
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss
