[RFC] Send Activated Password along with Username

These RFCs were either rejected or have been replaced by an alternative proposal. They will not be included in phpBB.
Alien_Time
Registered User
Posts: 165
Joined: Fri Apr 05, 2013 3:38 am

[RFC] Send Activated Password along with Username

Post by Alien_Time » Mon Nov 11, 2013 6:39 am

Atm when a user is going through the "I forgot my password" step, they receive a password that they need to activate first before they can use it. I get sooo many users emailing me that it doesn't work since they overlook the link in the email that asks them to activate the password. They try to log in using the new pwd without activating first, and when it doesn't work they keep trying to reset their password. Every time it fails, they feel it's too hard on my website and send me an email complaining it doesn't work. I then have to manually do it for them. My suggestions to make this process simple are:

1) Send them an activated password already so users can simply login using the username and password they receive in their email.

2) Send them the username along with the password so users who have forgotten the username can also use the same process. In this case, they don't need to type in the username and only enter their email address in the new password request page. Right now there is no way to find a forgotten username.

I don't think sending an activated password would be a security issue since the user needs to enter the email address registered to their account that bots can't manipulate. I am surprised to see how many users send me these emails that the new pwd doesn't work since they don't realize that it needs to be activated before it can work.

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: [RFC] Send Activated Password along with Username

Post by Master_Cylinder » Mon Nov 11, 2013 7:19 am

My users don't seem to have that problem; is there a reason that they're having a hard time with the instructions?
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

nachtelb
Registered User
Posts: 30
Joined: Sun Feb 19, 2006 1:55 pm
Location: Germany

Re: [RFC] Send Activated Password along with Username

Post by nachtelb » Mon Nov 11, 2013 7:44 am

+1 for a new process

At the moment your described process is very common in the www with the addition of an activation-link in the email.

A little bit different from this but also very useable is to let the user define a new password directly after the "password missed"-link. The new password now has to be activated by email.

Master_Cylinder
Registered User
Posts: 361
Joined: Wed Jul 31, 2013 9:54 pm

Re: [RFC] Send Activated Password along with Username

Post by Master_Cylinder » Mon Nov 11, 2013 7:59 am

I wonder if it's a poor translation problem?

If not, what about sending them a temporary, one time use, secure password that expires fairly quickly and force them to change the password when they use it? Since the email address hasn't changed there's really no sense in reactivating the account like we do when they change the email address...
These kids today...
Buy them books, send them to school and what do they do?

They eat the paste. :lol:

Alien_Time
Registered User
Posts: 165
Joined: Fri Apr 05, 2013 3:38 am

Re: [RFC] Send Activated Password along with Username

Post by Alien_Time » Mon Nov 11, 2013 8:20 am

It's not a translation problem on my board since my board is only in English and 90% of users are Aussies who are native English speakers. I find it hard to understand why these users don't read their password activation email properly. The only reason I can think of is maybe these users are hasty and skimming through that email and simply copying and pasting the new password into the login form on my site, which is probably opened in a second tab, and not reading the email that says clearly that the pwd needs to be activated first. Although I have added this in the FAQ, not many users read these and they expect it to work straight away. Even today I got 2 emails from users saying the new password doesn't work. When I tested it, it works fine, so they are just not activating it by following the link. This step might not be necessary since the new password is sent to their email address anyway.

Secondly, phpBB by default doesn't have an option for a forgotten username. I have installed a separate small mod for that which removes the username field on the "I forgot my password" page and also sends their username in their password activation email. I have noticed that on a few sites, when you request a new password, they send the password by email and it doesn't need to be activated first.

EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: [RFC] Send Activated Password along with Username

Post by EXreaction » Mon Nov 11, 2013 5:58 pm

This would be a security vulnerability. If I know your email address (which is extremely easy to find out), I could then continually reset your password and you would never be able to log in to your account unless you are using the absolute latest randomly generated password.

Moving this to rejected as we cannot generate a new password and send it activated for the reason above.
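
The lockout described in the post above, as an added example that is not part of the thread and is not phpBB's code: a small in-memory model contrasting a reset that is live immediately with one parked behind an emailed activation key. The class, method names, key length and one-hour expiry are all assumptions made for illustration.

```php
<?php
// Added illustration: in-memory model, not phpBB's code. All names are hypothetical.
final class ResetModel
{
    private array $users = []; // email => ['hash' => string, 'pending' => ?array]

    public function register(string $email, string $pw): void
    {
        $this->users[$email] = ['hash' => password_hash($pw, PASSWORD_DEFAULT), 'pending' => null];
    }
    public function login(string $email, string $pw): bool
    {
        return isset($this->users[$email]) && password_verify($pw, $this->users[$email]['hash']);
    }
    // Rejected proposal: the emailed password is live immediately, so any
    // request for this address overwrites the owner's working password.
    public function resetActivated(string $email): string
    {
        $new = bin2hex(random_bytes(8));
        $this->users[$email]['hash'] = password_hash($new, PASSWORD_DEFAULT);
        return $new; // would be emailed to the account address
    }
    // Activation flow: park the new password behind a random key with an expiry;
    // the current password is left untouched until the key comes back.
    public function resetPending(string $email, int $now, int $ttl = 3600): array
    {
        [$new, $key] = [bin2hex(random_bytes(8)), bin2hex(random_bytes(16))];
        $this->users[$email]['pending'] = ['hash' => password_hash($new, PASSWORD_DEFAULT),
            'key' => hash('sha256', $key), 'expires' => $now + $ttl];
        return [$new, $key]; // both would go only to the mailbox
    }
    public function activate(string $email, string $key, int $now): bool
    {
        $p = $this->users[$email]['pending'] ?? null;
        if ($p === null || $now > $p['expires'] || !hash_equals($p['key'], hash('sha256', $key))) {
            return false; // no request, expired, or wrong key
        }
        $this->users[$email] = ['hash' => $p['hash'], 'pending' => null]; // key is single use
        return true;
    }
}

$m = new ResetModel();
$m->register('owner@example.test', 'owners-password');      // constructed sample account
$m->resetPending('owner@example.test', time());              // third-party request, key never used
$stillWorks = $m->login('owner@example.test', 'owners-password');
$m->resetActivated('owner@example.test');                    // same request under the rejected design
$lockedOut = !$m->login('owner@example.test', 'owners-password');
var_dump($stillWorks, $lockedOut);
```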

Danielx64
Registered User
Posts: 304
Joined: Mon Feb 08, 2010 3:42 am

Re: [RFC] Send Activated Password along with Username

Post by Danielx64 » Thu Nov 14, 2013 12:55 am

And there are better ways of dealing with the issue of people not reading emails: https://area51.phpbb.com/phpBB/viewtopi ... 17#p258717

Alien_Time
Registered User
Posts: 165
Joined: Fri Apr 05, 2013 3:38 am

Re: [RFC] Send Activated Password along with Username

Post by Alien_Time » Thu Nov 14, 2013 7:03 am

Hi Daniel... That is a very good idea. I have +1'd your idea in that topic. It will make it easier from the user end as well as maintaining the security aspect that EXreaction pointed out. Good thinking man.. :D