On June 4, 2016 5:21:31 AM EDT, mray <m...@mray.de> wrote:
>
>
>On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>> Bryan Richter wrote on 4 June 2016 at 03:47:
>>> There are two situations where I'm not sure what the best action is.
>> 
>> IMO, the best solution (in both cases) is to *not* reveal that the
>> user has (or hasn’t) an account. If I’m trying to be anonymous, I don’t
>> want people to be able to find out whether I have an account at
>> Snowdrift.coop. And if the user tries to create an account that
>> already exists, *do* supply a ‘reset password’ link in the e-mail that
>> is sent (but don’t automatically reset the password).
>> 
>> See also http://security.stackexchange.com/a/90354
>> 
>
>+1

Another +1.

I think the email text should go along the lines of:

Hi, someone tried to create an account with this email address, but you already 
have a snowdrift.coop account.

If this was not you, no action is required. Your account is safe and no 
personal information has been revealed.

If this was you, would you like to [log in]() or [reset your password]()?

----

The reset password and create account processes should really each be tracked 
in a user story. I won't be around until later in the day but when I am, I will 
copy this discussion to taiga, in an existing US if I can find one.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
_______________________________________________
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss
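The flow the thread converges on (the sign-up reply never says whether the address has an account; the existing-account mail carries a reset link but does not reset anything), written out as an added example. This is not code from the Snowdrift.coop project: the account set, the `Outbox` mail collector, the `example.invalid` host and the in-memory token table are all constructed stand-ins, and the leaky variant is included only to show the contrast.

```python
# Added example, not code from the Snowdrift.coop project: a sign-up handler
# that gives the same reply whether or not the address already has an account,
# and puts the difference only in the e-mail sent to the address owner.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the real user database and site host.
EXISTING_ACCOUNTS = {"alice@example.com"}
SITE = "https://example.invalid"  # placeholder host, not the project's URL


@dataclass
class Outbox:
    """Collects outgoing mail so the behaviour can be inspected offline."""
    messages: list = field(default_factory=list)


# Pending reset tokens, keyed by SHA-256 of the token so a database leak does
# not hand out usable links. Maps token hash -> e-mail address.
PENDING_RESETS: dict = {}

# One wording for every outcome; nothing in it depends on account existence.
NEUTRAL_REPLY = ("Thanks. If that address can be registered, an e-mail with "
                 "the next step has been sent to it.")


def normalize(email: str) -> str:
    """Canonicalise the address so 'Alice@Example.com ' matches the stored form."""
    return email.strip().lower()


def issue_reset_link(addr: str) -> str:
    """Create a one-time reset link. The password itself is NOT changed here;
    only following the link and choosing a new password changes it."""
    token = secrets.token_urlsafe(32)
    PENDING_RESETS[hashlib.sha256(token.encode()).hexdigest()] = addr
    return f"{SITE}/reset/{token}"


def register_leaky(email: str, outbox: Outbox, accounts=EXISTING_ACCOUNTS) -> str:
    """The pattern the thread argues against: the HTTP reply itself tells an
    unauthenticated visitor whether the address has an account."""
    addr = normalize(email)
    if addr in accounts:
        return "That e-mail address is already registered."
    outbox.messages.append({"to": addr, "kind": "confirm-signup"})
    return "Check your e-mail to confirm your account."


def register(email: str, outbox: Outbox, accounts=EXISTING_ACCOUNTS) -> str:
    """Recommended pattern: identical reply either way; only the mail differs,
    and only the owner of the mailbox sees that mail."""
    addr = normalize(email)
    if addr in accounts:
        outbox.messages.append({
            "to": addr,
            "kind": "existing-account",
            "body": (
                "Hi, someone tried to create an account with this email "
                "address, but you already have an account.\n\n"
                "If this was not you, no action is required.\n\n"
                f"If this was you, you can log in at {SITE}/login or reset "
                f"your password: {issue_reset_link(addr)}"
            ),
        })
    else:
        outbox.messages.append({
            "to": addr,
            "kind": "confirm-signup",
            "body": f"Confirm your new account: {SITE}/confirm/{secrets.token_urlsafe(32)}",
        })
    return NEUTRAL_REPLY


def redeem_reset(token: str) -> Optional[str]:
    """Consume a reset token exactly once; returns the address it was issued
    for, or None if the token is unknown or already used."""
    return PENDING_RESETS.pop(hashlib.sha256(token.encode()).hexdigest(), None)
```

Two details worth carrying into a real implementation: hand the mail to a queue rather than sending it inline, so the two branches take the same time to respond and the difference cannot be read off the response latency, and give reset tokens an expiry and a per-address rate limit so the existing-account mail cannot be used to flood a mailbox.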