Password reset
-
@pjh someone requested a password reset for me, and it wasn't me. I'm leaving that filed under bug.
-
In progress here as well:
http://what.thedailywtf.com/t/hey-you-know-the-difference-between-the-old-forums-and-these/2214/
-
@pjh someone requested a password reset for me, and it wasn't me. I'm leaving that filed under bug.
I can request another one for you if you want.
-
I know you can, see my post in the other thread. I don't think there are limits either.
-
I'm leaving that filed under bug.
Why? What's the bug? Sounds like it's operating as it should.
-
By the way, I did not notice before, but the password reset form is only requiring a username, instead of the somewhat standard practice of using the email address (or both the username and email address). That makes sending spurious password resets a bit too easy IMO.
-
It works too well, doesn't fit with the rest of discourse. See other thread for how many people wanted a reset today.
-
Email address alone would do seeing as they aren't public knowledge, combined with rate limiting would be fine.
Thinking about it though, I'm pretty sure they don't do it by email because you're allowed more than 1 account to be linked to the same email address. So username and email address would probably be the only option. Username alone makes it too easy to abuse.
-
So Likes are rate-limited but password reset requests aren't?!?!
I've tried to avoid jumping on the I-Hate-Jeff bandwagon...but this is just mind-blowing.
-
Wait, wait, you can have multiple accounts on a single email...? Wut?! I don't even...
Allowing reset requests on an account just from the username is common practice, and you don't get the benefit of it being 'something you have' because usernames are displayed. (Other systems let you have a separate display name instead of username, separate to 'long name')
But no rate limiting? Given that so much other stuff is rate limited, this is genuinely a surprise, but from a usability perspective I'm not sure it's entirely useful to have too low a limit on it.
After all... unless your email account is compromised too, it's just an irritation for the most part. And if your email IS compromised you've probably got bigger problems anyway.
-
By the way, I did not notice before, but the password reset form is only requiring a username, instead of the somewhat standard practice of using the email address (or both the username and email address). That makes sending spurious password resets a bit too easy IMO.
I've never actually seen this so-called standard practice. But then again, I never forget my password.
-
Using a password reset form to spam another user's email is far more of a problem than spamming Likes on all of a user's posts.
-
Wait, wait, you can have multiple accounts on a single email...? Wut?! I don't even...
What's so wrong about that?
-
I've never seen it before, and it sort of pisses on using email as a piece of private information to log in with, as opposed to a piece of information that is otherwise quite visible.
-
So username and email address would probably be the only option.
It also seems like the obvious option, so no wonder it wasn't the one chosen.
Email's probably a thing of the past 10 years into Jeff's future.
-
Email's probably a thing of the past 10 years into Jeff's future.
I recall him blogging about how he preferred Twitter to email. It's probably the archetypal bad blog entry of his. No, I'm not going to link it or even look it up.
-
I'm pretty sure they don't do it by email because you're allowed more than 1 account to be linked to the same email address
LOLWUT? =-o
So which user gets logged in if you put the email in, or use, e.g., gmail to log in?
-
You are prompted to select a username from a list, you know - like how Google says 'I have 2 accounts for you, which do you want to use'
That doesn't seem like a hard design to me.
I personally like being able to associate multiple names to a single email - basically I want a display name, a user name (account private name) and an email I can associate with the account.
-
I just used myname+userid@gmail.com - didn't even occur to me that you could associate multiple IDs to the same email.
-
At least it's not a system that resets your password upon the initial request. Those are The Worst™.
-
Did you guys know if you hold down enter on the forgot password form it basically does infinite password reset requests? It never clears the form or closes it.
-
1. report this bug to meta.d
2. be told it's not a priority
3. reproduce the bug on all the staff accounts
4. all of a sudden it's a high priority
5. ...
6. Profit
-
Wait, wait, you can have multiple accounts on a single email...? Wut?! I don't even...
No you're not... at least I wasn't...............
Nothing beats run-on error messages either...
Guess I must have been doing it wrong when it told me the email was already in use.
-
#ALL THE ERROR MESSAGES!!!!!
this is why you don't hide them dynamically
-
I've never seen it before
LiveJournal does this. It's great for roleplayers who make separate "in-character" journals for each character they play. There's a meme out there someplace where you put your email into the "forgot my username" box and report how many emails you receive >.>
-
Has anyone done this yet?
-
I had a PM with Sam who said he has implemented rate limiting, which I believe has been implemented here.
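-
As an added illustration of the rate limiting discussed in this thread (not Discourse's code and not written by any poster; the class name, limits and window are assumptions), a sliding-window limiter keyed on both the target username and the requesting client caps how many reset emails either a held-down Enter key or many separate clients can trigger:

```ruby
# Added example: sliding-window limiter for password-reset requests.
# Limits, window and names are assumptions, not Discourse's implementation.
class ResetLimiter
  def initialize(per_account: 3, per_client: 10, window: 3600)
    @limits = { account: per_account, client: per_client }
    @window = window
    @hits = Hash.new { |h, k| h[k] = [] }   # [scope, key] => timestamps
  end

  # Returns true if a reset email should be sent for this request.
  # `now` is injectable so the behaviour can be checked without sleeping.
  def allow?(username, client_ip, now: Time.now.to_f)
    keys = [[:account, username.downcase], [:client, client_ip]]
    # Drop timestamps that have aged out of the window.
    keys.each { |k| @hits[k].reject! { |t| t <= now - @window } }
    # Refuse if either the target account or the client is at its limit.
    return false if keys.any? { |k| @hits[k].size >= @limits[k[0]] }
    keys.each { |k| @hits[k] << now }
    true
  end
end

# Constructed scenario: one client holds Enter on the form, 200 submissions
# in 20 seconds against a single username.
def simulate_held_enter(limiter, username: "victim", ip: "203.0.113.7", start: 0.0)
  (0...200).count { |i| limiter.allow?(username, ip, now: start + i * 0.1) }
end

# Constructed scenario: 50 different clients each request one reset
# for the same username.
def simulate_distributed(limiter, username: "victim", start: 0.0)
  (1..50).count { |i| limiter.allow?(username, "198.51.100.#{i}", now: start + i) }
end

if __FILE__ == $PROGRAM_NAME
  puts "held Enter:  #{simulate_held_enter(ResetLimiter.new)} emails sent"
  puts "distributed: #{simulate_distributed(ResetLimiter.new)} emails sent"
end
```

The per-account key is what protects a user's inbox when the form takes only a public username; the per-client key alone would not stop requests spread across many sources.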