On June 4, 2016 5:21:31 AM EDT, mray <m...@mray.de> wrote:
>On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>> Bryan Richter skreiv 04. juni 2016 03:47:
>>> There are two situations where I'm not sure what the best action is.
>> IMO, the best solution (in both cases) is to *not* reveal that the user
>> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
>> people to be able to find out whether I have an account at
>> Snowdrift.coop. And if the user tries to create an account that already
>> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
>> (but don’t automatically reset the password).
>> See also http://security.stackexchange.com/a/90354

Another +1.

I think the email text should go along the lines of:

Hi, someone tried to create an account with this email address, but you already 
have a snowdrift.coop account.

If this was not you, no action is required. Your account is safe and no 
personal information has been revealed.

If this was you, would you like to [log in]() or [reset your password]()?


The reset password and create account processes should really each be tracked 
in a user story. I won't be around until later in the day but when I am, I will 
copy this discussion to taiga, in an existing US if I can find one.
Sent from my Android device with K-9 Mail. Please excuse my brevity.
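The sign-up behaviour Karl and mray describe, as an added Python example (not Snowdrift.coop's code): the requester always gets the same reply, and the "you already have an account" text with a reset link goes only to the address owner. The login/reset/confirm URLs and the in-memory tables are assumptions.

```python
# Added example (not Snowdrift.coop's code): a sign-up handler that gives the
# requester the same answer whether or not the address already has an account,
# and routes the difference into the e-mail sent to the address owner instead.
import hashlib
import secrets

# Constructed sample state: e-mails that already have an account, plus hashed
# single-use tokens for e-mail confirmation and password reset.
EXISTING_ACCOUNTS = {"alice@example.org"}
PENDING_SIGNUPS: dict[str, str] = {}   # sha256(token) -> email
RESET_TOKENS: dict[str, str] = {}      # sha256(token) -> email

# What the browser sees: identical in both branches, so nothing is revealed.
UNIFORM_RESPONSE = "If that address can receive mail, we have sent you a message."

EXISTING_TEMPLATE = (
    "Hi, someone tried to create an account with this email address, but you "
    "already have a snowdrift.coop account.\n\n"
    "If this was not you, no action is required. Your account is safe and no "
    "personal information has been revealed.\n\n"
    "If this was you, would you like to log in ({login}) or reset your "
    "password ({reset})?"
)

def _issue_token(table: dict[str, str], email: str) -> str:
    """Mint a random token; store only its hash so a leaked table cannot be replayed."""
    token = secrets.token_urlsafe(32)
    table[hashlib.sha256(token.encode()).hexdigest()] = email
    return token

def request_signup(email: str, outbox: list[dict]) -> str:
    """Handle a sign-up request; returns the message shown to the requester."""
    email = email.strip().lower()
    if email in EXISTING_ACCOUNTS:
        # Existing account: offer a reset link, never reset automatically.
        reset = _issue_token(RESET_TOKENS, email)
        body = EXISTING_TEMPLATE.format(
            login="https://snowdrift.coop/login",               # hypothetical URL
            reset=f"https://snowdrift.coop/reset?token={reset}",  # hypothetical URL
        )
        outbox.append({"to": email, "subject": "Your account", "body": body})
    else:
        # New address: ordinary confirmation mail. Same work in both branches
        # (one token, one mail) so response timing differs as little as possible.
        confirm = _issue_token(PENDING_SIGNUPS, email)
        body = f"Confirm your new account: https://snowdrift.coop/confirm?token={confirm}"
        outbox.append({"to": email, "subject": "Confirm your account", "body": body})
    return UNIFORM_RESPONSE
```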