views: 55
answers: 5

I read the other password recovery questions on SO and it seems that most people consider sending a password recovery link that can be used only once and expires after a couple of days to be most secure.

Now my question (I know it is subjective, but I am looking for input that you may have received from your users):

Is this also decently comfortable for users? And by users I mean your grandmother, not your co-worker.

+2  A: 

As a user, I like when I can pick a new password of my choice, then have an activation mail sent to me, providing a clickable link for the new password to take effect.

I do not like when a new one time password is sent to me, having me to log in and edit it in my profile.

Best of all, though, is to have OpenID login, so I don't have to keep any password at all.

Johan
Apart from your OpenID login password ;) I realise you can check the "Keep me logged in" option but the password is still there.
Lazarus
@Lazarus My OpenID provider let me authenticate using client certificate, so I don't need a password for my login. That is, however, a bit offtopic. :)
Johan
You are right about the OpenID, but most average everyday users don't have an OpenID (that they know of) yet.
Sruly
@Johan, cool :)
Lazarus
A: 

What is the focus of your site when it comes to access control, usability or security?

If it's usability then perhaps storing passwords in plain text and allowing them to be sent to the registered email address upon request is sufficient and potentially more usable than the more secure alternative.

If security is the answer then trapdoor encoding and password reset is the better option.

Lazarus
My mom once forgot the password for her webmail account. They provided a form where she was to fill in quite a lot of personal details in order to have her password received. She filled in the correct data for herself, and after a manual review, she got a postal letter with her password. At least that was what she thought, till she realized that it was not her account. She had another username. Something must have gone badly wrong in the manual review. :)
Johan
That's always a risk but the "email my password" approach does at least rely on the stored default email address associated with the user account, so your Mom wouldn't have received the password as she wouldn't have entered another address (postal or email) at which to receive the password.
Lazarus
A: 

Based on experience, I'd recommend the following:

  1. The user fills in a "forgotten password" form which sends them an email.
  2. The email contains (at least) a password reset link.
  3. If they click on the link they're sent a new randomly generated password. (Mix of upper/lower alpha and numeric minus 0, o, 1, i, etc. for the sake of clarity.)

Whilst this might not be ideal from a pure usability perspective (in an ideal world you wouldn't have to have a password in the first place, let's face it), it does however attempt to ensure that you're carrying out a legitimate password reset.

Alternatively (or indeed in conjunction with the above), you could allow the user to store a simple password reminder text string that's also present in the first outbound email. (If they realise what the password is at this stage they can simply enter it rather than having to perform a reset.) I wouldn't however recommend outputting this on the web site itself, as it's liable to be too strong a clue.

middaparka
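The two mechanics discussed in the answers above, hashed ("trapdoor") password storage in Lazarus's answer and the single-use, expiring reset link in middaparka's answer and the question itself, fit together in one small service. The following is an added example written for this page; it is not code from the question or from any answer. The class and function names (`AccountService`, `hash_password`, `complete_reset`, `build_reset_link`), the two-day lifetime and the hypothetical `https://example.test` URL are all assumptions made for the illustration. Because the password is stored only as a salted PBKDF2 digest, "email me my password" is impossible by construction, which is exactly why the reset link is needed; the link token is stored only as a SHA-256 fingerprint so a copy of the token table cannot be used to reset anyone's password, and it is deleted on first use, so clicking the link twice does nothing.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example values: a reset link stays valid for two days, as in the question.
TOKEN_TTL_SECONDS = 2 * 24 * 60 * 60
PBKDF2_ITERATIONS = 600_000


def hash_password(password, salt=None):
    """Return (salt, digest) using PBKDF2-HMAC-SHA256; a fresh random salt per password."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password, salt, digest):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def _token_fingerprint(token):
    """The token itself never touches the database, only this hash of it."""
    return hashlib.sha256(token.encode()).hexdigest()


def build_reset_link(base_url, token):
    """Hypothetical URL layout for the e-mailed link."""
    return f"{base_url}/reset?token={token}"


class AccountService:
    """In-memory stand-in for a user table plus a reset-token table."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._users = {}               # username -> (email, salt, digest)
        self._reset_tokens = {}        # sha256(token) -> (username, expires_at)

    def register(self, username, email, password):
        salt, digest = hash_password(password)
        self._users[username] = (email, salt, digest)

    def login(self, username, password):
        user = self._users.get(username)
        if user is None:
            return False
        _, salt, digest = user
        return verify_password(password, salt, digest)

    def request_reset(self, email):
        """Return the token to e-mail, or None when no account has that address.

        The web layer should show the same "check your inbox" message either way,
        so the form cannot be used to learn which addresses are registered.
        """
        for username, (stored_email, _, _) in self._users.items():
            if stored_email == email:
                token = secrets.token_urlsafe(32)      # 256 bits of randomness
                expires_at = self._clock() + TOKEN_TTL_SECONDS
                self._reset_tokens[_token_fingerprint(token)] = (username, expires_at)
                return token
        return None

    def complete_reset(self, token, new_password):
        """Consume the token (single use) and set the new password if still valid."""
        entry = self._reset_tokens.pop(_token_fingerprint(token), None)
        if entry is None:
            return False                              # unknown or already used
        username, expires_at = entry
        if self._clock() > expires_at:
            return False                              # link older than two days
        # Any other outstanding links for this user are now useless too.
        self._reset_tokens = {
            k: v for k, v in self._reset_tokens.items() if v[0] != username
        }
        email, _, _ = self._users[username]
        salt, digest = hash_password(new_password)
        self._users[username] = (email, salt, digest)
        return True


if __name__ == "__main__":
    svc = AccountService()
    svc.register("alice", "alice@example.test", "old-secret")
    token = svc.request_reset("alice@example.test")
    print("mail this:", build_reset_link("https://example.test", token))
    print("first click sets password:", svc.complete_reset(token, "new-secret"))
    print("second click is rejected:", svc.complete_reset(token, "again"))
```

The `clock` argument exists only so the expiry path can be exercised deterministically; in production the default `time.time` is used. The PBKDF2 cost is deliberately slow (a few hundred milliseconds per call), which is what makes offline guessing against a leaked user table expensive; the reset token needs no such stretching because it is already 256 random bits, so a plain SHA-256 fingerprint is enough to keep the stored value from being replayed.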
A: 

From a usability perspective? If a login fails three times in a row, assume they have legitimately forgotten their password, let them in anyway and prompt for changing the password.

One of the best systems I've seen for low-security accounts is to mail a link. No need for the user to remember site URL, username or password. The site doesn't get to know about any weaknesses the user has in managing passwords.

Tom Hawtin - tackline
+1  A: 

What can be simpler than clicking an activation link and entering a new password?

codymanix