On Mon, Jun 06, 2016 at 02:06:13PM -0400, Stephen Michel wrote:
> On Mon, Jun 6, 2016 at 12:11 PM, Michael Siepmann wrote:
>> On 06/04/2016 06:56 AM, Stephen Michel wrote:
>>>
>>> On June 4, 2016 5:21:31 AM EDT, mray wrote:
>>>>
>>>> On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>>>>> Bryan Richter wrote on 4 June 2016 at 03:47:
>>>>>> There are two situations where I'm not sure what the best
>>>>>> action is.
>>>>>
>>>>> IMO, the best solution (in both cases) is to *not* reveal that
>>>>> the user has (or hasn't) an account. If I'm trying to be
>>>>> anonymous, I don't want people to be able to find out whether I
>>>>> have an account at Snowdrift.coop. And if the user tries to
>>>>> create an account that already exists, *do* supply a 'reset
>>>>> password' link in the e-mail that is sent (but don't
>>>>> automatically reset the password).
>>>>>
>>>>> See also http://security.stackexchange.com/a/90354
>>>>>
>>>> +1
>>>
>>> Another +1.
>>>
>>> I think the email text should go along the lines of:
>>>
>>> Hi, someone tried to create an account with this email address,
>>> but you already have a snowdrift.coop account.
>>>
>>> If this was not you, no action is required. Your account is
>>> safe and no personal information has been revealed.
>>>
>>> If this was you, would you like to [log in]() or [reset your
>>> password]()?
>>>
>>> ----
>>>
>>> The reset password and create account processes should really
>>> each be tracked in a user story. I won't be around until later in
>>> the day but when I am, I will copy this discussion to taiga, in an
>>> existing US if I can find one.
>>
>> +1 but I think there should be two different email texts, depending
>> on whether the action that triggered it was an attempt to create
>> an account or to reset a password.
>
> +1, that was specifically for the create account case. Perhaps the
> reset password could go like this:
>
> Hi, someone requested a link to reset your account password.
>
> If this was you, you may follow [this link]() to reset your
> password. It will expire in X minutes.
>
> If this was not you, no action is required. Your account is safe and
> no personal information has been revealed. If this has happened
> before recently or you believe someone is trying to gain
> unauthorized access to your account, do [XYZ].
>
> ---
>
> I'm not sure about whether I want to drop that last sentence or not.
Thanks for all the suggestions, folks. This confirms my own opinion on the matter. :)
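The flows agreed on in the thread (identical sign-up and reset responses whether or not the address has an account, a reset link that expires after X minutes, no automatic reset) can be sketched as a small handler, shown here as an added example that is not Snowdrift.coop's code. Storage, mail delivery, the 30-minute TTL, the `/reset/` and `/confirm/` URL paths and the response wording are all stand-ins assumed for the example. It also adds two things the thread does not spell out: the token is stored only as a hash and is single-use, and the "no such account" branch of the reset handler does the same token-generation work as the other branch so the difference is not obvious from response time.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# The "X minutes" from the thread; 30 minutes is an assumed value, not the site's.
RESET_TTL_SECONDS = 30 * 60

# Assumed URL layout for the links; the real site's routes are not in the thread.
BASE_URL = "https://snowdrift.coop"


@dataclass
class Store:
    """Constructed in-memory stand-ins for the user table, the token table
    and the mail outbox. Password hashes are opaque strings here."""
    users: dict = field(default_factory=dict)   # email -> password hash
    tokens: dict = field(default_factory=dict)  # sha256(token) -> (email, purpose, expiry)
    outbox: list = field(default_factory=list)  # (to, subject, body)


def _issue_token(store, email, purpose, now):
    """Mint a random single-use token and store only its hash, so a leaked
    token table cannot be used to take over accounts."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store.tokens[digest] = (email, purpose, now + RESET_TTL_SECONDS)
    return token


def _send(store, to, subject, body):
    store.outbox.append((to, subject, body))


SAFE_LINE = ("If this was not you, no action is required. Your account is safe "
             "and no personal information has been revealed.")


def create_account(store, email, now=None):
    """Sign-up handler. The HTTP-visible result is identical whether or not
    EMAIL already has an account; only the e-mail content differs."""
    now = time.time() if now is None else now
    if email in store.users:
        token = _issue_token(store, email, "reset", now)
        _send(store, email, "About your snowdrift.coop account",
              "Hi, someone tried to create an account with this email address, "
              "but you already have a snowdrift.coop account.\n\n"
              f"{SAFE_LINE}\n\n"
              "If this was you, you can log in or reset your password:\n"
              f"{BASE_URL}/reset/{token}\n")
    else:
        token = _issue_token(store, email, "confirm", now)
        _send(store, email, "Confirm your snowdrift.coop account",
              "Hi, confirm your new account by following this link:\n"
              f"{BASE_URL}/confirm/{token}\n")
    return "Thanks! Check your e-mail to continue."


def request_reset(store, email, now=None):
    """Password-reset handler. Same response either way; when there is no
    account there is nobody to mail, but the work done is kept similar so
    the branch is not obvious from response time."""
    now = time.time() if now is None else now
    if email in store.users:
        token = _issue_token(store, email, "reset", now)
        _send(store, email, "Reset your snowdrift.coop password",
              "Hi, someone requested a link to reset your account password.\n\n"
              "If this was you, you may follow this link to reset your password. "
              f"It will expire in {RESET_TTL_SECONDS // 60} minutes:\n"
              f"{BASE_URL}/reset/{token}\n\n"
              f"{SAFE_LINE}\n")
    else:
        # Burn the same token-generation cost without storing or sending anything.
        hashlib.sha256(secrets.token_urlsafe(32).encode()).hexdigest()
    return "If an account exists for that address, a reset link has been sent."


def consume_reset(store, token, new_password_hash, now=None):
    """Redeem a reset link. Rejects unknown, reused, expired and wrong-purpose
    tokens (a sign-up confirmation token must not reset a password).
    Returns True on success."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.tokens.pop(digest, None)   # pop: a token can be redeemed once
    if entry is None:
        return False
    email, purpose, expiry = entry
    if purpose != "reset" or now > expiry:
        return False
    store.users[email] = new_password_hash
    return True
```

The point to check in a real implementation is that nothing the browser can see (status code, body, redirect target, response time) differs between the "account exists" and "no account" branches; everything that does differ travels only in the e-mail to the address's owner.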
_______________________________________________
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss