Ticket #31 (closed clarification: fixed)

Opened 6 years ago

Last modified 5 years ago

Password recovery mechanism needs to be defined.

Reported by: amit
Assigned to: rich
Priority: high
Milestone:
Component: feature-clarification
Version:
Keywords: password recovery
Cc: amit
Blocking:
Blocked By:

Description

Given the majority of calls to IT are related to lost passwords and recovery, we need to identify what mechanisms we are going to use to allow end-users to change/recover their passwords.

Change History

05/02/06 10:36:56 changed by rich

  • status changed from new to assigned.

05/11/06 12:51:14 changed by amit

  • milestone changed from dodo to newton.

We have a little time before this needs to be figured out.

05/18/06 14:28:33 changed by amit

  • milestone changed from newton to topaz_newton.

Moved to Topaz milestone.

08/15/06 15:51:58 changed by amit

  • milestone changed from TBD to august25.

Need a resolution as this will affect PLoS administrative side of things.

08/22/06 10:16:21 changed by rich

There are two popular ways for password recovery:
1. Secret Question
2. Email Send

I'm not tied to either recovery method. Secret questions can be cracked, people can have their email accounts hacked and new password emails are lost to spam filters. I've outlined both but would like feedback on ease of implementation.

Secret Question

Registration requires a secret question/answer. The user has to enter their username and answer a secret question to generate a new password.

One screen with the forms Forgot your password and Forgot your username with appropriate fields.

1. Forgot your password?
Enter your PLoS ONE username.
Next screen:
a) Enter secret question (do we have this information?) to display new password
- or -
b) email new password

Success a) new password displayed with link to sign in. Once the user signs in with the new password, they should be automatically taken to a "change password" screen.

Success b) new password is emailed to user with sign in link. Once the user signs in with the new password, they should be automatically taken to a "change password" screen.

2. Forgot your username?
Enter the email address you provided at registration.
Success: "The username information has been sent to your email address." The email sent to user: "You can request a new password for your account by going to the Forgot Password screen. http://www.plosone.org/iforgot/"

Email Send

1. Request new password
2. Receive "confirm that you want your password reset" email
3. Receive "here's your new temporary password" email
4. Login and force password change

Since email can be lost to spam filters, we'll need to advise people to add the sending email to their whitelists.

Dumb wiki markup is broken for lists

08/22/06 11:59:17 changed by stevec

  • status changed from assigned to closed.
  • resolution set to fixed.

I thought we had already agreed on an email recovery scheme. It is already implemented by sending a unique URL (generated with a token) which they can click on and then it will prompt the user to type in their password twice.
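
The token-URL scheme described in the comment above, as an added example (not code from this ticket or from the project's implementation). The names `ResetService`, `issue_link`, `complete` and `parse_link`, the one-hour lifetime, the `example.org` URL and the in-memory dictionaries standing in for the account database are all assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

TOKEN_TTL = 3600  # seconds; assumed, the ticket gives no lifetime
RESET_BASE = "https://example.org/reset"  # placeholder URL, not the project's

class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # username -> (sha256(token), expiry timestamp)
        self.passwords = {}  # username -> (salt, PBKDF2 hash)

    def issue_link(self, username):
        """Build the unique URL to email; only the token's hash is stored."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        # Re-issuing overwrites the entry, so any older link stops working.
        self.pending[username] = (digest, self.clock() + TOKEN_TTL)
        return RESET_BASE + "?" + urlencode({"user": username, "token": token})

    def complete(self, username, token, password, confirm):
        """Handle the 'type your password twice' form; returns a status string."""
        if password != confirm:
            return "mismatch"  # checked first so a typo does not burn the link
        entry = self.pending.get(username)
        presented = hashlib.sha256(token.encode()).digest()
        if entry is None or not hmac.compare_digest(entry[0], presented):
            return "invalid"
        del self.pending[username]  # single use, whether or not it has expired
        if self.clock() > entry[1]:
            return "expired"
        salt = secrets.token_bytes(16)
        self.passwords[username] = (
            salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000))
        return "ok"

def parse_link(url):
    """Recover (username, token) from a reset URL, as the form handler would."""
    q = parse_qs(urlsplit(url).query)
    return q["user"][0], q["token"][0]
```
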

10/29/07 21:12:47 changed by

  • milestone deleted.

Milestone august25 deleted