Lost Passwords

rldev

Since DA is adding the reset password feature in the following release, would it be possible to write a script that will allow our users at the login screen to request their password be reset and sent to their email address on file?
 
rldev said:
Since DA is adding the reset password feature in the following release, would it be possible to write a script that will allow our users at the login screen to request their password be reset and sent to their email address on file?
I'm not sure I like this:

Scenario (a)

Your user goes to his login page and requests his password be reset.

He gets an email with his new password at his address on file.

Great.

Scenario (b)

I go to his login page and request the password be reset.

He gets an email with his new password at his address on file.

Now what happens?

He gets upset because someone else has changed his password on him, so you get a support call.

He gets upset because he thinks his system is insecure since someone else can change his password for him, so he leaves for another vendor.

His default address is the same as his login username so he doesn't get the new password and you get a support call.

How many users will be happy in this latter scenario?

Personally, I kind of like the support call instead.

Jeff
 
Re: Re: Lost Passwords

Hi Jeff,

I'm not sure I understand why scenario b would happen..

jlasman said:
Scenario (b)

I go to his login page and request the password be reset.

He gets an email with his new password at his address on file.

Now what happens?

He gets upset because someone else has changed his password on him, so you get a support call.

He gets upset because he thinks his system is insecure since someone else can change his password for him, so he leaves for another vendor.

His default address is the same as his login username so he doesn't get the new password and you get a support call.

How many users will be happy in this latter scenario?

Personally, I kind of like the support call instead.

Jeff

I can't see why you'd be changing his password without contact (although you haven't said there WILL be contact). I am assuming something has triggered you changing the password.

The email template could quite easily explain that this is a temporary password and they should login to their account asap and change it.

We already have the facility to change the passwords - this just 'formalises it'.

Unless I've missed something?

Rob
 
Well, the user would have to enter their username and/or email address on file (possibly a cookie), so I don't know who else is going to submit this information. This method works for thousands of forums on the Internet and other control panels, why not DA? And remember, it's only an option which does not have to be enforced. But I do understand what you are saying. The problem is not so much the customers calling, it's that some get mad that there is no means to do this without calling. Some people are strange these days, they do not want to use the telephone :)
 
Re: Re: Re: Lost Passwords

Originally posted by matrixx:
I'm not sure I understand why scenario b would happen..
Perhaps maliciously?

Or as a DOS?

Originally posted by rldev:
Some people are strange these days, they do not want to use the telephone
I still think the best way to replace a password is by personal contact. If you could send the old password, then I'd like it (but then I'd probably not like keeping the old password unencrypted).

But if anyone in the world could go to my website and force a password change, then I don't think I'd like it.

Jeff
 
I agree with both of you :) - maybe 2 fields of information would be safer - if either were wrong then the request would not be honoured.

Maybe the username and email address on file? If the two match, send it; if they don't, then it is just nulled or redirected to another screen...

Rob
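
One way to combine the two-field check suggested above with the objection that anyone could force a password change, as an added example that is not from any poster or from DirectAdmin: the request only mails a single-use token, and the stored password stays unchanged until that token is presented. The token step, the in-memory stores, and all names and sample values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample account store; the username, address and hash are made up.
ACCOUNTS = {"alice": {"email": "alice@example.com", "password_hash": "old-hash"}}
PENDING = {}      # sha256(token) -> (username, expiry time)
OUTBOX = []       # stands in for the mail system: (address, token)
TOKEN_TTL = 900   # seconds a reset token stays valid (assumed value)
GENERIC_REPLY = "If the details match an account, a reset link has been sent."


def request_reset(username, email, now=None):
    """Step 1: anyone can reach this form, so it never changes the password."""
    now = time.time() if now is None else now
    account = ACCOUNTS.get(username)
    # Both fields must match the record on file, otherwise nothing is sent.
    if account and hmac.compare_digest(
        account["email"].lower().encode(), email.lower().encode()
    ):
        token = secrets.token_urlsafe(32)
        # Only a hash of the token is stored, so a leaked table is not usable.
        digest = hashlib.sha256(token.encode()).hexdigest()
        PENDING[digest] = (username, now + TOKEN_TTL)
        OUTBOX.append((account["email"], token))
    # Same reply either way, so the form cannot be used to confirm accounts.
    return GENERIC_REPLY


def confirm_reset(token, new_password_hash, now=None):
    """Step 2: only the mailbox owner holds the token; single use, time limited."""
    now = time.time() if now is None else now
    entry = PENDING.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if entry is None or now > entry[1]:
        return False
    ACCOUNTS[entry[0]]["password_hash"] = new_password_hash
    return True
```

Repeated requests still generate mail to the address on file, so the DoS point raised in the thread would additionally need a per-account rate limit, which is not shown here.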
 