> > I meant more of "email a reset password link" to users. Then again, your
> > approach might be better because people can navigate to the site on
> > their own rather than trusting a link in an email (which could be
> > phishing them, technically). Would you agree?
>
> Well, it's not phishing them if it's a legitimate link. :-) But yes,
> emailing them a temp password then setting the system to force a
> password change on next login is a reasonably good practice. If an
> attacker is trying to jack their account they'll get the email and can
> take appropriate action.
Ha, indeed. I mean more that a security-aware user might worry about the legitimate email being a phishing email. Then again, sites do this ALL the time, so people can't be that concerned. Plus the user just REQUESTED a reset password link, so they can't be that surprised when they get one :)

Argh, talking myself in circles I think. The more I think about all of this stuff, the more I realize there really is no ideal way to do anything. There is definitely a non-ideal way though, which is what my client is proposing at the moment :)

Has anyone ever seen a site where, if you forget your password, you simply have to provide the answer to your "secret question", and boom, you're in the site? It feels crazy to me, but maybe I'm missing something :P One of the members on the project team claims this was the practice at the (big-5 Canadian) bank he worked at, but I just keep thinking he must be forgetting a detail...

Meredith

________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [EMAIL PROTECTED]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help
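The two mechanisms the thread compares (an emailed reset link, and a temp password with a forced change on next login), as an added Python example that is not from the thread or from any of its participants. The in-memory account store, the 15-minute token lifetime, and the SHA-256 placeholder standing in for a real password hash are my assumptions; the point is that the server stores only a hash of the emailed secret, the secret expires and is single-use, and a temp password cannot be used for anything except choosing a new one.

```python
"""Password-reset flow: single-use, time-limited reset token plus a
'must change password on next login' flag for temp passwords.
Added example; not code from the IxDA thread."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # assumption: reset links are valid for 15 minutes


@dataclass
class User:
    email: str
    password_hash: str                 # placeholder: real code uses argon2/bcrypt/scrypt
    must_change_password: bool = False # set when a temp password is issued
    reset_token_hash: Optional[str] = None
    reset_expires_at: float = 0.0      # unix time; 0 means no outstanding reset


def _digest(secret: str) -> str:
    # Only the hash of the emailed secret is stored, so a leaked database
    # does not hand out usable reset links or temp passwords.
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def start_reset(users: Dict[str, User], email: str, now: float) -> Optional[str]:
    """Issue a reset token for `email`; return the raw token for the email body.
    Returns None for unknown accounts; the HTTP layer must answer identically
    either way so the endpoint does not reveal which addresses are registered."""
    user = users.get(email.lower())
    if user is None:
        return None
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    user.reset_token_hash = _digest(token)
    user.reset_expires_at = now + RESET_TTL_SECONDS
    return token


def complete_reset(users: Dict[str, User], email: str, token: str,
                   new_password_hash: str, now: float) -> bool:
    """Consume the token: it must exist, be unexpired and match in constant time."""
    user = users.get(email.lower())
    if user is None or user.reset_token_hash is None:
        return False
    if now > user.reset_expires_at:
        user.reset_token_hash = None          # expired links are discarded
        user.reset_expires_at = 0.0
        return False
    if not hmac.compare_digest(user.reset_token_hash, _digest(token)):
        return False
    # Single use: clear the token before applying the new password.
    user.reset_token_hash = None
    user.reset_expires_at = 0.0
    user.password_hash = new_password_hash
    user.must_change_password = False
    return True


def issue_temp_password(users: Dict[str, User], email: str) -> Optional[str]:
    """The alternative from the thread: email a temp password and force a change."""
    user = users.get(email.lower())
    if user is None:
        return None
    temp = secrets.token_urlsafe(12)
    user.password_hash = _digest(temp)        # placeholder hash, see User
    user.must_change_password = True
    return temp


def login(users: Dict[str, User], email: str, password: str) -> str:
    """Return 'denied', 'change_required' (temp password accepted, but the only
    permitted action is setting a new password), or 'ok'."""
    user = users.get(email.lower())
    if user is None or not hmac.compare_digest(user.password_hash, _digest(password)):
        return "denied"
    return "change_required" if user.must_change_password else "ok"


if __name__ == "__main__":
    store = {"meredith@example.com": User("meredith@example.com", _digest("old-pw"))}
    tok = start_reset(store, "meredith@example.com", now=1_000.0)
    print("reset ok:", complete_reset(store, "meredith@example.com", tok, _digest("new-pw"), 1_060.0))
    print("reuse ok:", complete_reset(store, "meredith@example.com", tok, _digest("x"), 1_061.0))
    tmp = issue_temp_password(store, "meredith@example.com")
    print("login with temp:", login(store, "meredith@example.com", tmp))
```

The two paths end in the same state: whoever completes the flow has set a fresh password, and the emailed secret (link token or temp password) is worthless afterwards. The "secret question" shortcut Meredith describes skips both properties, since the answer is neither single-use nor time-limited.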
