--- Comment #4 from Steven Walling <> ---
(In reply to comment #0)
> When someone gets a password reset email from us these days, it does not
> contain an "if you did not request this password reset, click here to
> cancel".
> This sort of language is becoming pretty standard; Facebook says 
> "Didn't request this change?
> If you didn't request a new password, let us know immediately [LINK]."
> Key to note: the "let us know immediately" doesn't actually have to *do*
> anything; it still reassures people just by existing. (I'm bringing this up
> because one of our outside counsels forwarded me an email and asked "what
> should I do?"; having a link like this would have reassured him.)

Actually, I think it's not okay to mislead the user like that.

If we include a cancel link, it should either:

A) invalidate the temporary password sent
B) set a flag on the account or otherwise actually report the issue to someone
who can help the user ensure their account is secure

We don't have a cancel link currently because, just like on the actual form, we
don't actually require the user to take action to not reset their password. The
password reset email doesn't actually reset your password, it just provides you
the ability to do so if you want. If you don't want, you can ignore the email
and keep using your old password. 

If users are confused, I would suggest clarifying language that says what they
should do if they don't want to reset their password. Is there something
already in there along these lines?
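
As an added example (not code from this bug thread or from MediaWiki), here is a small reset-token store showing what a cancel link that actually does something looks like: the "I did not request this" link invalidates the outstanding token (option A) and flags the account for follow-up (option B), while simply ignoring the email leaves the old password untouched. The class name, the in-memory dictionary and the one-hour lifetime are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 3600  # assumed lifetime of a reset link


class ResetTokenStore:
    """Password-reset tokens that can be cancelled (A) and flag the account (B)."""

    def __init__(self, now=time.time):
        self._now = now
        # Constructed in-memory store: sha256(token) -> record. A real site uses its DB.
        self._tokens = {}
        # Accounts whose owner reported an unsolicited reset (option B).
        self.flagged = set()

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash so a leaked table cannot be used to reset passwords.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, user: str) -> str:
        """Called when the reset form is submitted; returns the token for the email."""
        token = secrets.token_urlsafe(32)
        self._tokens[self._digest(token)] = {
            "user": user,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "cancelled": False,
        }
        return token

    def cancel(self, token: str) -> bool:
        """The 'I did not request this' link: kills the token and flags the account."""
        rec = self._tokens.get(self._digest(token))
        if rec is None:
            return False
        rec["cancelled"] = True
        self.flagged.add(rec["user"])
        return True

    def redeem(self, token: str) -> Optional[str]:
        """The 'set a new password' link: returns the user only if the token is live."""
        key = self._digest(token)
        rec = self._tokens.get(key)
        if rec is None or rec["cancelled"] or rec["expires"] < self._now():
            return None
        del self._tokens[key]  # single use: a redeemed token cannot be replayed
        return rec["user"]
```

A password is never changed by request_reset itself; only a successful redeem lets the user set a new one, which is the behaviour the comment describes.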
