On 06/04/2016 06:56 AM, Stephen Michel wrote:
> On June 4, 2016 5:21:31 AM EDT, mray <m...@mray.de> wrote:
>> On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>>> Bryan Richter wrote on 4 June 2016 03:47:
>>>> There are two situations where I'm not sure what the best action is.
>>> IMO, the best solution (in both cases) is to *not* reveal that the user
>>> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
>>> people to be able to find out whether I have an account at
>>> Snowdrift.coop. And if the user tries to create an account that already
>>> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
>>> (but don’t automatically reset the password).
>>> See also http://security.stackexchange.com/a/90354
>> +1
> Another +1.
> I think the email text should go along the lines of:
> Hi, someone tried to create an account with this email address, but you 
> already have a snowdrift.coop account.
> If this was not you, no action is required. Your account is safe and no 
> personal information has been revealed.
> If this was you, would you like to [log in]() or [reset your password]()?
> ----
> The reset password and create account processes should really each be tracked 
> in user story. I won't be around until later in the day but when I am, I will 
> copy this discussion to taiga, in an existing US if I can find one.
+1 but I think there should be two different email texts, depending on
whether the action that triggered it was an attempt to create an
account or to reset a password.

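As an added illustration of the flow the thread converges on (not code from Snowdrift.coop or from any of the posters): both the sign-up and the reset endpoint hand the requester one identical reply, and the only thing that branches on whether the address has an account is the e-mail sent to that mailbox. A sign-up attempt on an existing account gets a mail modelled on Stephen's draft, with a single-use reset link that is offered but never applied automatically; a reset attempt on an unknown address gets its own text, as the last message asks for. The in-memory user table, the `alice@example.org` account, the `snowdrift.coop` URL shapes and the token TTL are assumptions made for this example.

```python
import hashlib
import secrets
import time

# Constructed in-memory stand-ins for the real user table and outgoing mail queue.
# The registered address, the URLs and the TTL below are assumptions for this example.
USERS = {"alice@example.org": {"pw_hash": "<hashed password placeholder>"}}
RESET_TOKENS = {}   # sha256(token) -> (email, expiry as epoch seconds)
OUTBOX = []         # (recipient, subject, body)
TOKEN_TTL_SECONDS = 3600
BASE_URL = "https://snowdrift.coop"  # hypothetical; only the link shape matters here

# What the *requester* sees: one sentence, whether or not the address has an account.
GENERIC_REPLY = "If that address is valid, we have sent it an e-mail with next steps."


def normalize(email):
    return email.strip().lower()


def issue_reset_link(email):
    """Mint an unguessable single-use token and store only its hash, so a leaked
    table does not hand out live reset links. The password itself is untouched."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, time.time() + TOKEN_TTL_SECONDS)
    return f"{BASE_URL}/reset?token={token}"


def send_mail(recipient, subject, body):
    OUTBOX.append((recipient, subject, body))


def request_signup(email):
    """Sign-up attempt: the mail depends on account state, the reply does not."""
    email = normalize(email)
    if email in USERS:
        # Existing account: tell the mailbox owner and offer (never perform) a reset.
        body = ("Someone tried to create an account with this e-mail address, but you\n"
                "already have a snowdrift.coop account.\n"
                "If this was not you, no action is required.\n"
                "If this was you, log in or reset your password here: "
                + issue_reset_link(email))
        send_mail(email, "Account creation attempt", body)
    else:
        verify = secrets.token_urlsafe(32)
        send_mail(email, "Confirm your new account",
                  f"Finish creating your account: {BASE_URL}/verify?token={verify}")
    return GENERIC_REPLY


def request_reset(email):
    """Password-reset attempt: same shape, branch on the mail rather than the reply."""
    email = normalize(email)
    if email in USERS:
        send_mail(email, "Password reset",
                  "Reset your password here: " + issue_reset_link(email))
    else:
        send_mail(email, "Password reset attempt",
                  "Someone requested a password reset for this address, but there is\n"
                  "no snowdrift.coop account for it. If this was you, you can create one.")
    return GENERIC_REPLY


def redeem_reset_token(token):
    """Consume a token once; return the account e-mail, or None if unknown or expired."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None or entry[1] < time.time():
        return None
    return entry[0]


def token_from(body):
    """Helper: pull the token out of the link that ends a mail body."""
    return body.rsplit("token=", 1)[1]


if __name__ == "__main__":
    print(request_signup("alice@example.org"))   # same text as the next line
    print(request_signup("nobody@example.org"))
    for recipient, subject, body in OUTBOX:
        print(f"--> {recipient}: {subject}\n{body}\n")
```

The reply text is only half of the story: the two branches do different amounts of work (a real sign-up hashes the new password on the new-account path, and a real reset writes a token row only on the existing-account path), so response time can still reveal what the wording hides. Padding the cheap branch to match, and rate-limiting both endpoints per address and per client, closes that side channel and also keeps the mail sender from being used to spam arbitrary addresses.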