Sruly

Reputation: 10540

What's the best way to implement password recovery from a usability perspective?

I read the other password recovery questions on SO and it seems that most people consider sending a password recovery link that can be used only once and expires after a couple of days to be most secure.

Now my question (I know it is subjective, but I am looking for input that you may have received from your users):

Is this also decently comfortable for users? And by users I mean your grandmother, not your co-worker.

Upvotes: 3

Views: 840

Answers (5)

codymanix

Reputation: 29468

What can be simpler than clicking an activation link and entering a new password?

Upvotes: 1

Tom Hawtin - tackline

Reputation: 147164

From a usability perspective? If a login fails three times in a row, assume they have legitimately forgotten their password, let them in anyway and prompt for changing the password.

One of the best systems I've seen for low-security accounts is to mail a link. No need for the user to remember the site URL, username or password. The site doesn't get to know about any weaknesses the user has in managing passwords.

Upvotes: 0

John Parker

Reputation: 54445

Based on experience, I'd recommend the following:

  1. The user fills in a "forgotten password" form which sends them an email.
  2. The email contains (at least) a password reset link.
  3. If they click on the link they're sent a new randomly generated password. (Mix of upper/lower alpha and numeric minus 0, o, 1, i, etc. for the sake of clarity.)

Whilst this might not be ideal from a pure usability perspective (in an ideal world you wouldn't have to have a password in the first place, let's face it), it does however attempt to ensure that you're carrying out a legitimate password reset.

Alternatively (or indeed in conjunction with the above), you could allow the user to store a simple password reminder text string that's also present in the first outbound email. (If they realise what the password is at this stage they can simply enter it rather than having to perform a reset.) I wouldn't however recommend outputting this on the web site itself, as it's liable to be too strong a clue.

Upvotes: 0
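The one-time, expiring reset link the question describes, combined with the three steps in this answer, as an added example in Python (not code from any answer on this page). The in-memory stores, the `example.invalid` URL and the two-day lifetime are assumptions; the server keeps only a hash of the token, so a leaked token table does not yield usable links.

```python
import hashlib
import secrets
import string
import time

TOKEN_TTL_SECONDS = 2 * 24 * 3600  # link expires after a couple of days (assumed value)

# Upper/lower alpha and digits minus the look-alikes the answer mentions (0/O/o, 1/I/l)
PASSWORD_ALPHABET = "".join(
    c for c in string.ascii_letters + string.digits if c not in "0Oo1Il"
)


def generate_password(length: int = 12) -> str:
    """Random password drawn from the unambiguous alphabet."""
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


class ResetService:
    """Stand-in for the user table and reset-token store (constructed for this example)."""

    def __init__(self, now=time.time):
        self.now = now
        self.tokens = {}      # sha256(token) -> (user_id, expires_at)
        self.passwords = {}   # user_id -> newly issued password (demo only; hash it in practice)

    def issue_link(self, user_id: str) -> str:
        """Steps 1-2: create a one-time link for the 'forgotten password' e-mail."""
        token = secrets.token_urlsafe(32)                    # 256 random bits, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
        self.tokens[digest] = (user_id, self.now() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"

    def redeem(self, token: str):
        """Step 3: consume the link once; returns (user_id, new_password) or None."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # pop() makes the link single-use
        if entry is None:
            return None                          # unknown or already used
        user_id, expires_at = entry
        if self.now() > expires_at:
            return None                          # expired; token already discarded
        new_password = generate_password()
        self.passwords[user_id] = new_password
        return user_id, new_password
```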

Lazarus

Reputation: 43074

What is the focus of your site when it comes to access control, usability or security?

If it's usability then perhaps storing passwords in plain text and allowing them to be sent to the registered email address upon request is sufficient and potentially more usable than the more secure alternative.

If security is the answer then trapdoor encoding and password reset is the better option.

Upvotes: 0

Johan

Reputation: 5053

As a user, I like it when I can pick a new password of my choice, then have an activation mail sent to me, providing a clickable link for the new password to take effect.

I do not like it when a new one-time password is sent to me, forcing me to log in and edit it in my profile.

Best of all, though, is to have OpenID login, so I don't have to keep any password at all.

Upvotes: 2
