Re: [Snowdrift-discuss] UX questions for password reset

2016-06-04 Thread Stephen Michel


On June 4, 2016 5:21:31 AM EDT, mray  wrote:
>
>
>On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>> Bryan Richter wrote on 4 June 2016 03:47:
>>> There are two situations where I'm not sure what the best action is.
>> 
>> IMO, the best solution (in both cases) is to *not* reveal that the user
>> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
>> people to be able to find out whether I have an account at
>> Snowdrift.coop. And if the user tries to create an account that already
>> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
>> (but don’t automatically reset the password).
>> 
>> See also http://security.stackexchange.com/a/90354
>> 
>
>+1

Another +1.

I think the email text should go along the lines of:

Hi, someone tried to create an account with this email address, but you already 
have a snowdrift.coop account.

If this was not you, no action is required. Your account is safe and no 
personal information has been revealed.

If this was you, would you like to [log in]() or [reset your password]()?



The reset password and create account processes should really each be tracked 
in a user story. I won't be around until later in the day but when I am, I will 
copy this discussion to Taiga, in an existing US if I can find one.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss


Re: [Snowdrift-discuss] UX questions for password reset

2016-06-04 Thread mray


On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
> Bryan Richter wrote on 4 June 2016 03:47:
>> There are two situations where I'm not sure what the best action is.
> 
> IMO, the best solution (in both cases) is to *not* reveal that the user
> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
> people to be able to find out whether I have an account at
> Snowdrift.coop. And if the user tries to create an account that already
> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
> (but don’t automatically reset the password).
> 
> See also http://security.stackexchange.com/a/90354
> 

+1



Re: [Snowdrift-discuss] UX questions for password reset

2016-06-04 Thread Karl Ove Hufthammer

Bryan Richter wrote on 4 June 2016 03:47:

There are two situations where I'm not sure what the best action is.


IMO, the best solution (in both cases) is to *not* reveal that the user 
has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want 
people to be able to find out whether I have an account at 
Snowdrift.coop. And if the user tries to create an account that already 
exists, *do* supply a ‘reset password’ link in the e-mail that is sent 
(but don’t automatically reset the password).


See also http://security.stackexchange.com/a/90354

--
Karl Ove Hufthammer
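The flow Karl Ove proposes, with the e-mail wording Stephen drafts, as an added illustration that is not Snowdrift.coop's own code: both the signup and the reset-request endpoints return one fixed reply each, so an outsider cannot tell from the HTTP response whether an address is registered, and the difference lives only in the e-mail that reaches the mailbox owner. An existing-address signup gets the "someone tried to create an account" mail with a reset link but no password change. The in-memory Store standing in for the database and mailer, the reset URL and the e-mail subjects are assumptions made for this example.

```python
"""Enumeration-resistant signup and password reset (added example).

Assumed, not taken from the Snowdrift.coop code base: an in-memory Store in
place of the real database and mailer, and https://snowdrift.coop/reset?token=
as the shape of the reset link.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

RESET_TTL_SECONDS = 3600
RESET_URL = "https://snowdrift.coop/reset?token="   # assumed route, placeholder
PBKDF2_ROUNDS = 100_000

# One fixed reply per endpoint: the response never depends on whether the
# address is registered, so it leaks nothing about the account list.
SIGNUP_REPLY = "Thanks. Check your e-mail for the next step."
RESET_REPLY = "If that address has an account, a reset link has been e-mailed to it."


@dataclass
class Store:
    users: dict = field(default_factory=dict)         # email -> {"salt", "hash"}
    reset_tokens: dict = field(default_factory=dict)  # sha256(token) -> (email, expiry)
    outbox: list = field(default_factory=list)        # (to, subject, body), stand-in mailer


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def _issue_reset_token(store: Store, email: str) -> str:
    """Mint a single-use, time-limited token; only its hash is persisted."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    store.reset_tokens[digest] = (email, time.time() + RESET_TTL_SECONDS)
    return token


def _send(store: Store, to: str, subject: str, body: str) -> None:
    store.outbox.append((to, subject, body))


def signup(store: Store, email: str, password: str) -> dict:
    """Same public reply and comparable work on both paths; only the e-mail differs."""
    salt = secrets.token_bytes(16)
    pw_hash = _hash_password(password, salt)   # computed on both paths so timing matches
    if email in store.users:
        token = _issue_reset_token(store, email)   # link offered, password NOT changed
        _send(store, email,
              "Someone tried to create a snowdrift.coop account with this address",
              "Hi, someone tried to create an account with this email address, "
              "but you already have a snowdrift.coop account.\n\n"
              "If this was not you, no action is required. Your account is safe "
              "and no personal information has been revealed.\n\n"
              "If this was you, log in or reset your password here:\n"
              f"{RESET_URL}{token}\n")
    else:
        store.users[email] = {"salt": salt, "hash": pw_hash}
        _send(store, email, "Welcome to snowdrift.coop",
              "Your account has been created.\n")
    return {"status": 200, "message": SIGNUP_REPLY}


def request_reset(store: Store, email: str) -> dict:
    """Fixed reply whether or not the address is known; mail only if it is."""
    if email in store.users:
        token = _issue_reset_token(store, email)
        _send(store, email, "Reset your snowdrift.coop password",
              f"Reset your password here (valid for one hour):\n{RESET_URL}{token}\n")
    return {"status": 200, "message": RESET_REPLY}


def redeem_reset(store: Store, token: str, new_password: str) -> bool:
    """Consume the token (single use, even when expired) and set the new password."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(digest, None)
    if entry is None:
        return False
    email, expiry = entry
    if time.time() > expiry or email not in store.users:
        return False
    salt = secrets.token_bytes(16)
    store.users[email] = {"salt": salt, "hash": _hash_password(new_password, salt)}
    return True


def verify_password(store: Store, email: str, password: str) -> bool:
    user = store.users.get(email)
    if user is None:
        return False
    return secrets.compare_digest(user["hash"], _hash_password(password, user["salt"]))
```

The password hash is computed before the branch on purpose: if only the new-account path did the slow hashing, response time alone would reveal which addresses exist, undoing the fixed reply. The reset token is stored hashed and popped on first use, so a leaked database copy or a replayed link does not yield a working reset.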