
#1 2009-07-05 19:22:13

onthenickel
Member
From: Earth
Registered: 2009-06-20
Posts: 14

bug in password reset for the BBS

Hello,
I discovered that there is what you might call an interface bug in the BBS password reset.  When you use the "forgot password" form to reset your password, you are sent an e-mail which tells you that your password has been reset, and gives you the new password...  It says:

"Your new password is: 1nfD540"

Most users will understand this language to mean that their password has been changed to this value.  In fact, this is not correct.  This is NOT your password...  not yet...

The change-password e-mail goes on to say:

"To change your password, please visit the following page:
http://bbs.archlinux.org/profile.pho?id=26645&action=change_pass&key=5ffiFdE3"

Your password is not set to the provided new value (e.g. 1nfD540) until you click on the provided link.

If you look at the meaning of "to change your password..." then it is possible that the user will NOT click on the provided link, because it seems as if clicking on this link will CHANGE their password.  If my password is already the provided value of 1nfD540, then why do I want to click on the link to change it again?  The e-mail tells me that I ALREADY changed it!  You see what I mean...  I have no reason to click the link.

Because of a combination of my being confused by the imprecise language of this e-mail, and also because of my not paying careful attention to the ENTIRE e-mail, I actually reset my password THREE times in a row, then I composed my own e-mail to simo a%t archlinux.org asking for help...  Not until I was proof-reading my e-mail to simo did I notice the inconsistency in the "password reset" e-mail and did I experiment to see what happens when I click on the provided link...

Many users will abandon their old account and create a new account when they are unable to reset their password.

To fix this, I propose that the language should be changed from

"Your new password is: 1nfD540"

to

"After you click on the below link, your new password will be: 1nfD540"


I hope this helps!
Thanks,
-Elliot


#2 2009-07-05 22:40:16

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: bug in password reset for the BBS

Post a bug report under the 'Website' category.


#3 2009-07-10 01:06:45

onthenickel
Member
From: Earth
Registered: 2009-06-20
Posts: 14

Re: bug in password reset for the BBS

Thanks for the tip -- I didn't know about the bug reporting.  I reported it here:
http://bugs.archlinux.org/task/15468
