Re: [Snowdrift-discuss] UX questions for password reset

2016-06-14 Thread Bryan Richter
By the way: https://tree.taiga.io/project/snowdrift/us/392


___
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss


Re: [Snowdrift-discuss] UX questions for password reset

2016-06-14 Thread Bryan Richter
On Mon, Jun 06, 2016 at 02:06:13PM -0400, Stephen Michel wrote:
> On Mon, Jun 6, 2016 at 12:11 PM, Michael Siepmann wrote:
> >On 06/04/2016 06:56 AM, Stephen Michel wrote:
> >>
> >> On June 4, 2016 5:21:31 AM EDT, mray wrote:
> >>>
> >>> On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
> >>>> Bryan Richter skreiv 04. juni 2016 03:47:
> >>>>> There are two situations where I'm not sure what the best
> >>>>> action is.
> >>>> IMO, the best solution (in both cases) is to *not* reveal that
> >>>> the user has (or hasn’t) an account. If I’m trying to be
> >>>> anonymous, I don’t want people to be able to find out whether I
> >>>> have an account at Snowdrift.coop. And if the user tries to
> >>>> create an account that already exists, *do* supply a ‘reset
> >>>> password’ link in the e-mail that is sent (but don’t
> >>>> automatically reset the password).
> >>>>
> >>>> See also http://security.stackexchange.com/a/90354
> 
> >>> +1
> >> Another +1.
> >>
> >> I think the email text should go along the lines of:
> >>
> >> Hi, someone tried to create an account with this email address,
> >>but you already have a snowdrift.coop account.
> >>
> >> If this was not you, no action is required. Your account is
> >>safe and no personal information has been revealed.
> >>
> >> If this was you, would you like to [log in]() or [reset your
> >>password]()?
> >>
> >> 
> >>
> >> The reset password and create account processes should really
> >>each be tracked in a user story. I won't be around until later in
> >>the day but when I am, I will copy this discussion to taiga, in an
> >>existing US if I can find one.
> >+1 but I think there should be two different email texts, depending
> >on whether the action that triggered it was an attempt to create
> >an account or to reset a password.
> 
> +1, that was specifically for the create account case. Perhaps the
> reset password could go like this:
> 
> Hi, someone requested a link to reset your account password.
> 
> If this was you, you may follow [this link]() to reset your
> password. It will expire in X minutes.
> 
> If this was not you, no action is required. Your account is safe and
> no personal information has been revealed. If this has happened
> before recently or you believe someone is trying to gain
> unauthorized access to your account, do [XYZ].
> ---
> I'm not sure about whether I want to drop that last sentence or not.

Thanks for all the suggestions, folks. This confirms my own opinion on
the matter. :)




Re: [Snowdrift-discuss] UX questions for password reset

2016-06-06 Thread Stephen Michel
On Mon, Jun 6, 2016 at 12:11 PM, Michael Siepmann wrote:
> On 06/04/2016 06:56 AM, Stephen Michel wrote:
>> On June 4, 2016 5:21:31 AM EDT, mray wrote:
>>> On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>>>> Bryan Richter skreiv 04. juni 2016 03:47:
>>>>> There are two situations where I'm not sure what the best action is.
>>>>
>>>> IMO, the best solution (in both cases) is to *not* reveal that the user
>>>> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
>>>> people to be able to find out whether I have an account at
>>>> Snowdrift.coop. And if the user tries to create an account that already
>>>> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
>>>> (but don’t automatically reset the password).
>>>>
>>>> See also http://security.stackexchange.com/a/90354
>>>
>>> +1
>>
>> Another +1.
>>
>> I think the email text should go along the lines of:
>>
>> Hi, someone tried to create an account with this email address, but
>> you already have a snowdrift.coop account.
>>
>> If this was not you, no action is required. Your account is safe
>> and no personal information has been revealed.
>>
>> If this was you, would you like to [log in]() or [reset your
>> password]()?
>>
>> The reset password and create account processes should really each
>> be tracked in a user story. I won't be around until later in the day
>> but when I am, I will copy this discussion to taiga, in an existing
>> US if I can find one.
>
> +1 but I think there should be two different email texts, depending on
> whether the action that triggered it was an attempt to create an
> account or to reset a password.

+1, that was specifically for the create account case. Perhaps the
reset password could go like this:

Hi, someone requested a link to reset your account password.

If this was you, you may follow [this link]() to reset your password.
It will expire in X minutes.

If this was not you, no action is required. Your account is safe and no
personal information has been revealed. If this has happened before
recently or you believe someone is trying to gain unauthorized access
to your account, do [XYZ].

---
I'm not sure about whether I want to drop that last sentence or not.



Re: [Snowdrift-discuss] UX questions for password reset

2016-06-06 Thread Michael Siepmann
On 06/04/2016 06:56 AM, Stephen Michel wrote:
>
> On June 4, 2016 5:21:31 AM EDT, mray  wrote:
>>
>> On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>>> Bryan Richter skreiv 04. juni 2016 03:47:
>>>> There are two situations where I'm not sure what the best action is.
>>> IMO, the best solution (in both cases) is to *not* reveal that the
>>> user has (or hasn’t) an account. If I’m trying to be anonymous, I don’t
>>> want people to be able to find out whether I have an account at
>>> Snowdrift.coop. And if the user tries to create an account that
>>> already exists, *do* supply a ‘reset password’ link in the e-mail that
>>> is sent (but don’t automatically reset the password).
>>>
>>> See also http://security.stackexchange.com/a/90354
>>>
>> +1
> Another +1.
>
> I think the email text should go along the lines of:
>
> Hi, someone tried to create an account with this email address, but you 
> already have a snowdrift.coop account.
>
> If this was not you, no action is required. Your account is safe and no 
> personal information has been revealed.
>
> If this was you, would you like to [log in]() or [reset your password]()?
>
> 
>
> The reset password and create account processes should really each be tracked 
> in a user story. I won't be around until later in the day but when I am, I will 
> copy this discussion to taiga, in an existing US if I can find one.
+1 but I think there should be two different email texts, depending on
whether the action that triggered it was an attempt to create an
account or to reset a password.







Re: [Snowdrift-discuss] UX questions for password reset

2016-06-04 Thread Stephen Michel


On June 4, 2016 5:21:31 AM EDT, mray wrote:
>
>
>On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
>> Bryan Richter skreiv 04. juni 2016 03:47:
>>> There are two situations where I'm not sure what the best action is.
>> 
>> IMO, the best solution (in both cases) is to *not* reveal that the
>> user has (or hasn’t) an account. If I’m trying to be anonymous, I don’t
>> want people to be able to find out whether I have an account at
>> Snowdrift.coop. And if the user tries to create an account that
>> already exists, *do* supply a ‘reset password’ link in the e-mail that
>> is sent (but don’t automatically reset the password).
>> 
>> See also http://security.stackexchange.com/a/90354
>> 
>
>+1

Another +1.

I think the email text should go along the lines of:

Hi, someone tried to create an account with this email address, but you already 
have a snowdrift.coop account.

If this was not you, no action is required. Your account is safe and no 
personal information has been revealed.

If this was you, would you like to [log in]() or [reset your password]()?



The reset password and create account processes should really each be tracked 
in a user story. I won't be around until later in the day but when I am, I will 
copy this discussion to taiga, in an existing US if I can find one.
-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


Re: [Snowdrift-discuss] UX questions for password reset

2016-06-04 Thread mray


On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
> Bryan Richter skreiv 04. juni 2016 03:47:
>> There are two situations where I'm not sure what the best action is.
> 
> IMO, the best solution (in both cases) is to *not* reveal that the user
> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
> people to be able to find out whether I have an account at
> Snowdrift.coop. And if the user tries to create an account that already
> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
> (but don’t automatically reset the password).
> 
> See also http://security.stackexchange.com/a/90354
> 

+1





Re: [Snowdrift-discuss] UX questions for password reset

2016-06-04 Thread Karl Ove Hufthammer

Bryan Richter skreiv 04. juni 2016 03:47:

> There are two situations where I'm not sure what the best action is.


IMO, the best solution (in both cases) is to *not* reveal that the user 
has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want 
people to be able to find out whether I have an account at 
Snowdrift.coop. And if the user tries to create an account that already 
exists, *do* supply a ‘reset password’ link in the e-mail that is sent 
(but don’t automatically reset the password).


See also http://security.stackexchange.com/a/90354

--
Karl Ove Hufthammer
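The pattern Karl recommends above (same web response whether or not the address has an account, a reset link mailed to the existing owner on a duplicate sign-up, and no automatic reset), together with the two distinct e-mail texts Stephen proposes, as an added Python sketch. This is an illustration written for this thread, not Snowdrift.coop's own code: the account set, the token store, the outbox standing in for a mailer and the `example.invalid` reset URL are all constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60   # the "X minutes" from the proposed reset e-mail

# Every request gets this same answer, so the web response never says
# whether the address has an account.
GENERIC_RESPONSE = "If that address is known to us, an e-mail is on its way."

# Hypothetical link format; a real site substitutes its own reset page.
RESET_URL = "https://example.invalid/reset/{token}"

# E-mail bodies adapted from Stephen's proposed wording in the thread.
RESET_EMAIL = (
    "Hi, someone requested a link to reset your account password.\n\n"
    "If this was you, you may follow {link} to reset your password. "
    "It will expire in {minutes} minutes.\n\n"
    "If this was not you, no action is required. Your account is safe "
    "and no personal information has been revealed.\n"
)
EXISTING_ACCOUNT_EMAIL = (
    "Hi, someone tried to create an account with this email address, "
    "but you already have an account.\n\n"
    "If this was not you, no action is required. Your account is safe "
    "and no personal information has been revealed.\n\n"
    "If this was you, log in as usual, or reset your password at {link}\n"
)
VERIFY_EMAIL = "Welcome! Follow the link in this message to confirm your account.\n"


@dataclass
class ResetToken:
    email: str
    expires_at: float


def _token_hash(token: str) -> str:
    # Only a hash is stored; a leaked token table cannot be redeemed directly.
    return hashlib.sha256(token.encode()).hexdigest()


class AccountService:
    """Constructed stand-in for the user table, token store and mailer."""

    def __init__(self, existing_accounts, clock=time.time):
        self.accounts = set(existing_accounts)
        self.tokens = {}      # token hash -> ResetToken
        self.outbox = []      # (recipient, subject, body) instead of SMTP
        self.clock = clock

    def _issue_reset_link(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        expires = self.clock() + TOKEN_TTL_SECONDS
        self.tokens[_token_hash(token)] = ResetToken(email, expires)
        return RESET_URL.format(token=token)

    def request_password_reset(self, email: str) -> str:
        if email in self.accounts:
            link = self._issue_reset_link(email)
            body = RESET_EMAIL.format(link=link, minutes=TOKEN_TTL_SECONDS // 60)
            self.outbox.append((email, "Password reset", body))
        # Unknown address: no mail, but the same answer as above.
        return GENERIC_RESPONSE

    def request_signup(self, email: str) -> str:
        if email in self.accounts:
            # The owner is told by e-mail and offered a reset link; the
            # password itself is left untouched.
            link = self._issue_reset_link(email)
            self.outbox.append((email, "About your account",
                                EXISTING_ACCOUNT_EMAIL.format(link=link)))
        else:
            self.outbox.append((email, "Confirm your account", VERIFY_EMAIL))
        # Exactly one mail goes out either way, and the answer is the same.
        return GENERIC_RESPONSE

    def redeem_reset_token(self, token: str):
        """Return the account's e-mail if the token is valid, else None.
        Tokens are single-use and expire; redeeming one only proves control
        of the mailbox, and the caller still has to collect a new password."""
        record = self.tokens.pop(_token_hash(token), None)
        if record is None or self.clock() > record.expires_at:
            return None
        return record.email


def token_from_email_body(body: str) -> str:
    """Pull the token out of a sent e-mail, as the user's mail client would."""
    prefix = RESET_URL.split("{token}")[0]
    start = body.index(prefix) + len(prefix)
    return body[start:].split()[0]


if __name__ == "__main__":
    svc = AccountService(["alice@example.com"])      # constructed account list
    print(svc.request_password_reset("alice@example.com"))
    print(svc.request_password_reset("nobody@example.com"))   # identical text
    token = token_from_email_body(svc.outbox[0][2])
    print(svc.redeem_reset_token(token), svc.redeem_reset_token(token))
```

The two request handlers return the same string on every path, and the sign-up path sends exactly one message whether the address is new or taken, so neither the response body nor "did a mail arrive at all" tells the requester anything. The reset link carries a random token whose hash is the only thing kept server-side; it is single-use and bound to the clock, and redeeming it hands back the account but changes no password until the user supplies a new one.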