Re: [Snowdrift-discuss] UX questions for password reset

2016-06-14 Thread Bryan Richter
By the way: https://tree.taiga.io/project/snowdrift/us/392


___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss


Re: [Snowdrift-discuss] UX questions for password reset

2016-06-14 Thread Bryan Richter
On Mon, Jun 06, 2016 at 02:06:13PM -0400, Stephen Michel wrote:
> On Mon, Jun 6, 2016 at 12:11 PM, Michael Siepmann wrote:
> >On 06/04/2016 06:56 AM, Stephen Michel wrote:
> >>
> >> On June 4, 2016 5:21:31 AM EDT, mray wrote:
> >>>
> >>> On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
> >>>> Bryan Richter wrote 04 June 2016 03:47:
> >>>>> There are two situations where I'm not sure what the best
> >>>>> action is.
> >>>> IMO, the best solution (in both cases) is to *not* reveal that
> >>>> the user has (or hasn’t) an account. If I’m trying to be
> >>>> anonymous, I don’t want people to be able to find out whether I
> >>>> have an account at Snowdrift.coop. And if the user tries to
> >>>> create an account that already exists, *do* supply a ‘reset
> >>>> password’ link in the e-mail that is sent (but don’t
> >>>> automatically reset the password).
> >>>>
> >>>> See also http://security.stackexchange.com/a/90354
> >>>>
> >>> +1
> >> Another +1.
> >>
> >> I think the email text should go along the lines of:
> >>
> >> Hi, someone tried to create an account with this email address,
> >>but you already have a snowdrift.coop account.
> >>
> >> If this was not you, no action is required. Your account is
> >>safe and no personal information has been revealed.
> >>
> >> If this was you, would you like to [log in]() or [reset your
> >>password]()?
> >>
> >> 
> >>
> >> The reset password and create account processes should really
> >>each be tracked in a user story. I won't be around until later in
> >>the day but when I am, I will copy this discussion to taiga, in an
> >>existing US if I can find one.
> >+1 but I think there should be two different email texts, depending
> >on whether the action that triggered it was an attempt to create
> >an account or to reset a password.
> 
> +1, that was specifically for the create account case. Perhaps the
> reset password could go like this:
> 
> Hi, someone requested a link to reset your account password.
> 
> If this was you, you may follow [this link]() to reset your
> password. It will expire in X minutes.
> 
> If this was not you, no action is required. Your account is safe and
> no personal information has been revealed. If this has happened
> before recently or you believe someone is trying to gain
> unauthorized access to your account, do [XYZ].
> ---
> I'm not sure about whether I want to drop that last sentence or not.

Thanks for all the suggestions, folks. This confirms my own opinion on
the matter. :)


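The flow the thread settles on, as an added illustration that is not Snowdrift's code: both handlers return the same user-facing text whether or not the address has an account, the e-mail alone carries the difference, and a sign-up collision mails a reset link rather than resetting anything. `Outbox`, `ACCOUNTS`, the 30-minute token lifetime and the verification mail for genuinely new addresses are assumptions of this example.

```python
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

TOKEN_TTL_MINUTES = 30  # the thread's "X minutes"; assumed value for this example

# Constructed sample account store (e-mail -> account id), not Snowdrift data.
ACCOUNTS = {"alice@example.org": 1}

@dataclass
class Outbox:
    """Stand-in for the mailer: records every e-mail a handler would send."""
    sent: list = field(default_factory=list)

def _issue_reset_token(now):
    """Random single-use token plus its expiry; a real store would persist both."""
    return secrets.token_urlsafe(32), now + timedelta(minutes=TOKEN_TTL_MINUTES)

def _queue(outbox, email, kind, body, now, token=None, expires=None):
    outbox.sent.append({"to": email, "kind": kind, "body": body,
                        "issued": now, "token": token, "expires": expires})

def request_password_reset(email, accounts, outbox, now=None):
    """Reset request: the reply never reveals whether `email` has an account."""
    now = now or datetime.now(timezone.utc)
    if email in accounts:
        token, expires = _issue_reset_token(now)
        _queue(outbox, email, "reset",
               "Hi, someone requested a link to reset your account password. "
               f"If this was you, follow the link; it expires in {TOKEN_TTL_MINUTES} minutes. "
               "If this was not you, no action is required.",
               now, token, expires)
    # Same text on both branches, so the response cannot be used to enumerate accounts.
    return "If that address has an account, a password reset link has been e-mailed to it."

def request_signup(email, accounts, outbox, now=None):
    """Sign-up with an existing address: only the mailbox owner learns it, via a separate template."""
    now = now or datetime.now(timezone.utc)
    if email in accounts:
        token, expires = _issue_reset_token(now)
        _queue(outbox, email, "already-registered",
               "Hi, someone tried to create an account with this e-mail address, but you "
               "already have an account. If this was you, log in or use the enclosed reset "
               "link. If this was not you, no action is required.",
               now, token, expires)
    else:
        # Assumed: a new address gets a verification mail, so every sign-up sends exactly one e-mail.
        _queue(outbox, email, "verify-new-account",
               "Follow the enclosed link to finish creating your account.", now)
    return "Check your e-mail to continue."
```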