[Cosmo-dev] "Forgot Password" workflow

Travis Vachon travis at osafoundation.org
Thu Feb 15 09:38:09 PST 2007


Hi folks

I'm starting work on bug 7709: implement "forgot password" workflow.  
The basic idea is that we'll have a way to recover lost passwords via  
a link on the login page.

There are a couple different ways of implementing this, which I've  
seen in various forms in different spots on the web:

1) User enters username, service sends password to email address  
registered for that username
2) User enters email address, service sends password (and username?)  
to that email address if and only if a user associated with that  
address exists

I believe both would be similar in terms of implementation, so I was  
wondering if anyone has a preference.

My preference is for email address, since I often have different  
usernames on different services, but almost always use the same email  
address. This is because email address is a UUID, while username is  
only unique within the service. To put it another way, I am sometimes  
forced to use a name other than "travis", but almost always provide  
travis.vachon at gmail.com. Thus, when returning to a site I haven't  
used for a while (as will likely be the case for users of this  
feature) I find it easier to recover my password if they ask for an  
email address.

Any thoughts?

Thanks!

Travis
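
Option 2 above (lookup by email address, mail sent if and only if a matching user exists) as an added sketch; this is not code from the original message or from Cosmo. It assumes a one-time recovery link is mailed instead of the password itself, and every name in it (`request_reset`, `redeem`, `TOKEN_TTL`, the sample account) is hypothetical.

```python
import hashlib
import secrets

TOKEN_TTL = 3600  # seconds a recovery link stays valid (assumed value)
GENERIC_REPLY = "If that address is registered, a recovery email has been sent."

def token_digest(token):
    # Only the hash is stored, so a leaked token table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(users, tokens, outbox, email, now):
    """Option 2: look the account up by email; mail only if one exists."""
    wanted = email.strip().lower()
    match = [name for name, u in users.items() if u["email"].lower() == wanted]
    if match:
        username = match[0]
        token = secrets.token_urlsafe(32)
        tokens[token_digest(token)] = (username, now + TOKEN_TTL)
        outbox.append({
            "to": users[username]["email"],  # always the registered address
            "username": username,            # the "(and username?)" part
            "token": token,
        })
    # Same reply either way, so the form does not reveal who has an account.
    return GENERIC_REPLY

def redeem(tokens, token, now):
    """Return the username a token belongs to, once, or None."""
    entry = tokens.pop(token_digest(token), None)
    if entry is None:
        return None
    username, expires = entry
    return username if now <= expires else None

if __name__ == "__main__":
    users = {"tvachon": {"email": "travis@example.org"}}  # constructed sample
    tokens, outbox = {}, []
    print(request_reset(users, tokens, outbox, "Travis@Example.org ", now=0))
    print(request_reset(users, tokens, outbox, "nobody@example.org", now=0))
    print(len(outbox), redeem(tokens, outbox[0]["token"], now=10))
```
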

