Re: [Snowdrift-discuss] UX questions for password reset
On June 4, 2016 5:21:31 AM EDT, mray wrote:
>
>On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>> Bryan Richter wrote on 4 June 2016, 03:47:
>>> There are two situations where I'm not sure what the best action is.
>>
>> IMO, the best solution (in both cases) is to *not* reveal that the user
>> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
>> people to be able to find out whether I have an account at
>> Snowdrift.coop. And if the user tries to create an account that already
>> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
>> (but don’t automatically reset the password).
>>
>> See also http://security.stackexchange.com/a/90354
>>
>
>+1

Another +1. I think the email text should go along the lines of:

Hi, someone tried to create an account with this email address, but you already have a snowdrift.coop account. If this was not you, no action is required. Your account is safe and no personal information has been revealed.

If this was you, would you like to [log in]() or [reset your password]()?

The reset password and create account processes should really each be tracked in a user story. I won't be around until later in the day but when I am, I will copy this discussion to taiga, in an existing US if I can find one.

___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss

Re: [Snowdrift-discuss] UX questions for password reset
On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
> Bryan Richter wrote on 4 June 2016, 03:47:
>> There are two situations where I'm not sure what the best action is.
>
> IMO, the best solution (in both cases) is to *not* reveal that the user
> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
> people to be able to find out whether I have an account at
> Snowdrift.coop. And if the user tries to create an account that already
> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
> (but don’t automatically reset the password).
>
> See also http://security.stackexchange.com/a/90354
>

+1

Re: [Snowdrift-discuss] UX questions for password reset
Bryan Richter wrote on 4 June 2016, 03:47:
> There are two situations where I'm not sure what the best action is.

IMO, the best solution (in both cases) is to *not* reveal that the user has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want people to be able to find out whether I have an account at Snowdrift.coop. And if the user tries to create an account that already exists, *do* supply a ‘reset password’ link in the e-mail that is sent (but don’t automatically reset the password).

See also http://security.stackexchange.com/a/90354

--
Karl Ove Hufthammer
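
The following Python example is added here and is not from the thread or from Snowdrift's code base. It shows sign-up and password-reset handlers that give the same on-screen response whether or not an account exists and move the differing information into e-mail to the address owner. The function names, the example.org URLs, the in-memory stores and the mail sent for an unknown address on reset are assumptions.

```python
import secrets
import time

# All names and data below are constructed for illustration.
ACCOUNTS = {"alice@example.org": "constructed-password-hash"}
PENDING = {}   # token -> (purpose, email, expiry); link tokens awaiting use
OUTBOX = []    # stands in for the outgoing mail queue
GENERIC = "Thanks! Check your e-mail to continue."  # same for every outcome

def issue_link(email, purpose, ttl=3600):
    """Create an unguessable, expiring link; account state is not touched."""
    token = secrets.token_urlsafe(32)
    PENDING[token] = (purpose, email, time.time() + ttl)
    return f"https://example.org/{purpose}?token={token}"

def register(email):
    """Sign-up: the web response never depends on whether the account exists."""
    email = email.strip().lower()
    if email in ACCOUNTS:
        # Existing account: tell the owner, offer a reset link, but do NOT
        # reset the password automatically.
        body = ("Someone tried to create an account with this e-mail address, "
                "but you already have an account. If this was not you, no "
                "action is required. If this was you, log in or reset your "
                f"password: {issue_link(email, 'reset')}")
    else:
        body = f"Confirm your new account: {issue_link(email, 'confirm')}"
    OUTBOX.append((email, body))
    return GENERIC

def request_reset(email):
    """Password reset: same on-screen message for known and unknown addresses."""
    email = email.strip().lower()
    if email in ACCOUNTS:
        body = f"Reset your password: {issue_link(email, 'reset')}"
    else:
        # Assumption (not from the thread): still send a mail, so both
        # branches do similar work and only the mailbox owner learns more.
        body = ("Someone requested a password reset for this address, but no "
                "account uses it. If this was not you, ignore this message.")
    OUTBOX.append((email, body))
    return GENERIC

if __name__ == "__main__":
    for addr in ("alice@example.org", "new@example.org"):
        print(register(addr), "|", request_reset(addr))
    for to, body in OUTBOX:
        print(to, "->", body[:60])
```
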