[Cosmo-dev] "Forgot Password" workflow
Brian Moseley
bcm at osafoundation.org
Tue Feb 20 11:46:00 PST 2007
On 2/15/07, Jared Rhine <jared at wordzoo.com> wrote:
> - Password "reset" is all well and good, but the process isn't complete
> until the user has changed their password again. They aren't going to
> remember just a reset password, and the places they have a password
> entered (like Chandler account dialog) need to be updated too.
>
> So question: instead of "click a link to reset", would it be better to
> "click a link to go to a page where the user can enter a new password"?
> After the password change form, they should be logged right in.
>
> We might even want to remind them that their clients need to be in sync.
+1
> I tend to think that the above approach of "click here to change your
> password", forcing a password change, and then being logged-in
> accomplishes the same effect.
i agree, and i'm pretty uncomfortable with the notion of letting
somebody into an account without them providing any credentials. sure,
they had to receive an email with a special link in it, but almost
nobody uses securely transported email either.
> However, "forcing a password change" doesn't cover the case that
> Foxmarks' design does, of where they are trying to access the web UI and
> have just forgotten their password. They get temporary web UI access by
> clicking on the link, and they can just leave their client as it is
> (since their client probably has the right password).
i'd rather not go this far until we see a huge demand from our users.
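
The flow favoured in this thread, where the emailed link only permits setting a new password and login follows the change, sketched as an added example that is not part of the original message and not Cosmo code. The class, method names, in-memory storage, one-hour lifetime and single-use behaviour are all assumptions made for illustration.

```python
import hashlib
import secrets
import time

RESET_TTL = 3600  # assumed link lifetime in seconds; the thread does not give one


class ResetService:
    """Hypothetical in-memory model of the reset-link flow (not Cosmo code)."""

    def __init__(self):
        self.passwords = {}  # username -> salt + PBKDF2 hash
        self.pending = {}    # sha256(token) -> (username, expiry)

    @staticmethod
    def _hash_pw(password, salt=None):
        salt = salt or secrets.token_bytes(16)
        return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def check_password(self, user, password):
        stored = self.passwords.get(user)
        if stored is None:
            return False
        return secrets.compare_digest(stored, self._hash_pw(password, stored[:16]))

    def issue_link_token(self, user, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Keep only a digest, so a copy of this table does not yield usable links.
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.pending[digest] = (user, now + RESET_TTL)
        return token  # goes into the emailed link

    def redeem(self, token, new_password, now=None):
        """The only thing a token permits: setting a new password.

        Returns the username on success so the caller can start a session
        after the change; returns None and changes nothing otherwise.
        """
        now = time.time() if now is None else now
        if not new_password:
            return None  # no new credential supplied: no access, token kept
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(digest, None)  # pop makes the link single use
        if entry is None or now > entry[1]:
            return None
        user = entry[0]
        self.passwords[user] = self._hash_pw(new_password)
        # Invalidate any other outstanding links for the same account.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != user}
        return user
```

Because the old password stops working once redeem() succeeds, this is also the point at which a user would be reminded to update clients such as the Chandler account dialog.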