
I read the other password recovery questions on SO and it seems that most people consider sending a password recovery link that can be used only once and expires after a couple of days to be most secure.

Now my question (I know it is subjective, but I am looking for input that you may have received from your users):

Is this also decently comfortable for users? And by users I mean your grandmother, not your co-worker.

Sruly
    How should we know if it's comfortable for your users? You've probably gone through this procedure yourself a few times. Did *you* find it usable enough? – MvanGeest Aug 03 '10 at 13:53
  • Most of "your grandmothers" have trouble with email in general. If you assume a certain (low) level of computer literacy, yes, that is quite comfortable. And now, the relation to programming...? – Amadan Aug 03 '10 at 13:53
    Grandmothers would prefer you to snail-mail them a reset pin. – Nix Aug 03 '10 at 13:56
    @Amadan This is user interaction design, which in my opinion, is strongly related to programming. – Johan Aug 03 '10 at 13:58
  • @Amadan Sorry, you are right, this isn't really a programming question. I planned to ask how to implement some of the options, but I found answers on SO before I sent the question, so the only part left was the subjective part. I guess I should have asked this somewhere else, perhaps the webmasters Stack Exchange site. – Sruly Aug 03 '10 at 14:00
    The grandmothers I know would want the password-reset to conference-call one of their grandsons. It should also restart the remote access software on grandma's PC. ;) – Brock Adams Aug 03 '10 at 14:23
  • If someone doesn't know their password, then you don't need to tell it to them. Just let them change it with an email like everyone else. – rook Aug 03 '10 at 16:02
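The pattern the question describes (a reset link that works once and expires after a couple of days) is easy to get subtly wrong: storing the raw token, forgetting to consume it, or leaving older links alive after a re-request. The following is an added example, not code from the question or any answer, showing one way to issue and redeem such tokens. It assumes a hypothetical in-memory store (`_reset_tokens`), a two-day lifetime taken from the question's "a couple of days", and a `build_reset_link` helper whose base URL is made up for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional

# Lifetime of a reset link; the question mentions "a couple of days".
TOKEN_TTL_SECONDS = 2 * 24 * 3600

# Hypothetical store, keyed by the SHA-256 of the token (assumption: a real
# site would keep these rows in its database next to the user record).
# Only the hash is stored, so a database leak does not yield usable links.
_reset_tokens: Dict[str, dict] = {}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode("ascii")).hexdigest()


def _revoke_user_tokens(user_id: str) -> None:
    """Drop every outstanding token for a user (on re-request or on reset)."""
    stale = [h for h, rec in _reset_tokens.items() if rec["user_id"] == user_id]
    for h in stale:
        del _reset_tokens[h]


def issue_reset_token(user_id: str, now: Optional[float] = None) -> str:
    """Create a fresh single-use token and return the raw value to e-mail.

    Requesting a new link invalidates any earlier one for the same user, so
    an attacker who triggered a request cannot keep a stale link alive.
    """
    now = time.time() if now is None else now
    _revoke_user_tokens(user_id)
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    _reset_tokens[_hash_token(token)] = {
        "user_id": user_id,
        "expires_at": now + TOKEN_TTL_SECONDS,
        "used": False,
    }
    return token


def build_reset_link(token: str, base_url: str = "https://example.invalid") -> str:
    """Assumed URL layout for the e-mailed link (not from the original thread)."""
    return f"{base_url}/reset?token={token}"


def redeem_reset_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is valid, unexpired and unused.

    The token is consumed on success, so the same link cannot be replayed.
    Looking the record up by its hash (rather than comparing raw tokens)
    avoids a timing side channel: the hash is one-way and the token has far
    too much entropy to guess, so an equality leak on the digest is harmless.
    """
    now = time.time() if now is None else now
    record = _reset_tokens.get(_hash_token(token))
    if record is None:
        return None
    if record["used"] or now >= record["expires_at"]:
        return None
    record["used"] = True
    return record["user_id"]


if __name__ == "__main__":
    t = issue_reset_token("alice")
    print("mail this:", build_reset_link(t))
    print("first click ->", redeem_reset_token(t))   # alice
    print("second click ->", redeem_reset_token(t))  # None, already used
```

After a successful redemption the application should let the user set a new password and then revoke all remaining tokens and existing sessions for that account; the redeem function deliberately returns the user id rather than logging anyone in by itself.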

5 Answers


As a user, I like when I can pick a new password of my choice, then have an activation mail sent to me, providing a clickable link for the new password to take effect.

I do not like it when a new one-time password is sent to me, requiring me to log in and edit it in my profile.

Best of all, though, is to have OpenID login, so I don't have to keep any password at all.

Johan
  • Apart from your OpenID login password ;) I realise you can check the "Keep me logged in" option but the password is still there. – Lazarus Aug 03 '10 at 13:58
  • @Lazarus My OpenID provider let me authenticate using client certificate, so I don't need a password for my login. That is, however, a bit offtopic. :) – Johan Aug 03 '10 at 14:01
  • You are right about OpenID, but most average everyday users don't have an OpenID (that they know of) yet. – Sruly Aug 03 '10 at 14:03

What can be simpler than clicking an activation link and entering a new password?

codymanix

What is the focus of your site when it comes to access control, usability or security?

If it's usability then perhaps storing passwords in plain text and allowing them to be sent to the registered email address upon request is sufficient and potentially more usable than the more secure alternative.

If security is the answer then trapdoor encoding and password reset is the better option.

Lazarus
  • My mom once forgot the password for her webmail account. They provided a form where she was to fill in quite a lot of personal details in order to have her password sent. She filled in the correct data for herself, and after a manual review, she got a postal letter with her password. At least that was what she thought, until she realized that it was not her account. She had another username. Something must have gone badly wrong in the manual review. :) – Johan Aug 03 '10 at 14:07
  • That's always a risk but the "email my password" approach does at least rely on the stored default email address associated with the user account, so your Mom wouldn't have received the password as she wouldn't have entered another address (postal or email) at which to receive the password. – Lazarus Aug 03 '10 at 14:10

Based on experience, I'd recommend the following:

  1. The user fills in a "forgotten password" form which sends them an email.
  2. The email contains (at least) a password reset link.
  3. If they click on the link they're sent a new randomly generated password. (Mix of upper/lower alpha and numeric minus 0, o, 1, i, etc. for the sake of clarity.)

Whilst this might not be ideal from a pure usability perspective (in an ideal world you wouldn't have to have a password in the first place, let's face it), it does however attempt to ensure that you're carrying out a legitimate password reset.

Alternatively (or indeed in conjunction with the above), you could allow the user to store a simple password reminder text string that's also present in the first outbound email. (If they realise what the password is at this stage they can simply enter it rather than having to perform a reset.) I wouldn't however recommend outputting this on the web site itself, as it's liable to be too strong a clue.

John Parker
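Step 3 of the answer above generates a random password from upper/lower letters and digits with the easily confused characters removed. The block below is an added example, not the answerer's code, of how to do that without the classic mistakes (using the non-cryptographic `random` module, or a biased shuffle). The exact set of characters dropped (`0 O o 1 l I i`) is an assumption extending the answer's "0, o, 1, i, etc."; the per-class guarantee and the entropy calculation are also additions.

```python
import math
import secrets
import string

# Characters easy to misread when copied from an e-mail. Assumed set,
# expanding the answer's "0, o, 1, i, etc.": zero/O/o and one/l/I/i.
AMBIGUOUS = set("0Oo1lIi")

UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]   # 24
LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]   # 23
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]           # 8
ALPHABET = UPPER + LOWER + DIGITS                                   # 55


def generate_readable_password(length: int = 12) -> str:
    """Random password drawn with the OS CSPRNG, no ambiguous glyphs.

    One character from each class is guaranteed so the result always
    mixes case and digits, then the rest is filled from the full alphabet.
    """
    if length < 3:
        raise ValueError("need at least one upper, one lower and one digit")
    chars = [secrets.choice(UPPER), secrets.choice(LOWER), secrets.choice(DIGITS)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - 3)]
    # `secrets` has no shuffle; an unbiased Fisher-Yates with randbelow
    # avoids leaking the position of the guaranteed class characters.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length: int) -> float:
    """Upper bound on entropy: log2(|alphabet|) per character.

    The per-class guarantee removes a small number of possible strings,
    so the true figure is marginally lower than this bound.
    """
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_readable_password(12)
    print(pw, f"~{entropy_bits(12):.1f} bits")
```

Twelve characters from this 55-symbol alphabet give roughly 69 bits, which is plenty for a value that is only meant to survive until the user logs in and replaces it; the generated password should itself be treated as temporary and the user prompted to change it on first use, as the answer's flow implies.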

From a usability perspective? If a login fails three times in a row, assume they have legitimately forgotten their password, let them in anyway and prompt for changing the password.

One of the best systems I've seen for low-security accounts, is to mail a link. No need for the user to remember site URL, username or password. The site doesn't get to know about any weaknesses the user has in managing passwords.

Tom Hawtin - tackline