Forgot password reset UX is a total cluster #2780
Comments
ara4n
added
the
S-Critical
|
Just been talking to folks about disasters where they lost 30% of a 10,000 userbase due to inability to do a password reset...... |
|
@dbkr can we mitigate this nowadays by using the tokenRequest APIs to do sanity checks before you enter the new PW? |
|
Yeah, I don't see why not. We probably ought to check what auth is acceptable for a password reset (eg. if we want to support pw rest via sms too) but that's fine as we can do a call with no auth first like we do for registering. |
lampholder
modified the milestones:
RW008 - Candidates,
RW009 - Candidates,
Temporary Bug Bin
|
This is still a problem. |
|
A motivated user failed to reset their password ~5 times, it seems due to closing the tab before clicking the button you're meant to click after clicking the link in the email. We really need a password reset flow that works like everybody else's password reset flow - it's the kind of operation people expect to complete on autopilot. |
|
see also #2761 |
|
Here's another one:
|
|
In addressing this issue we should review https://github.com/vector-im/riot-web/labels/type%3Apassword-reset too |
|
see alo matrix-org/synapse#1710 |
|
I've taken the 'burning fire' label off this so that we can queue it up as a roadmap item rather than try and handle it as an urgent production issue. I've added it to the NEXT column of our roadmap |
|
This is also confusing. When trying to get a mail to reset your old unknown password, Riot will promt you for a password.
|
novocaine
added
the
O-Occasional
novocaine
added
the
X-Needs-Info
novocaine
changed the title
|
I am splitting this issue into multiple actionable ones as, while we need to fix stuff, it is not currently actionable and the labels seem off. Assumption: This ticket relates to "forgot password" specifically, not password reset. Issues named in this one:
I'm not sure if this is still relevant but I might misunderstand the meaning. In the current UI you can't reset your password without entering an email - this might have been changed at some point. Need @ara4n to confirm.
This is confusing. On other web sites you enter a new password after verifying your email, not before. Split into element-hq/element-meta#359. |
|
Closing this mega-ticket in favour of the spun out tickets created above. Yell if I have not captured a part of this in those tickets. |
From memory, the problem is that it gives you no indication if the email you provided is remotely valid or known. This might be a privacy measure, but the fact you have no idea which email address it’s asking you for and if you got the right one is still a problem afaik. |
Yep, my understanding is most sites provide no feedback for this to prevent email discovery for privacy reasons but also to stop automated brute-forcers using it as step 1. Happy to create an enhancement ticket if you have any ideas.. |
|
i think it would be good enough to just be explicit to the user that the email may or may not be correct, rather than leaving them guessing on what’s going on (or not) |
|
So we should validate if the email address is in our database or not, and if it isn't, show an error message to the user? |
|
Clarified out of band that we just want a copy change. |
|
Just checked this, and the current behaviour is that we show an error message if the email isn't recognised (at least on matrix.org)
This is triggered by a call to |
it doesn't tell you if you have no email address linked (or warn you sensibly), and it makes you enter your new password before you've confirmed you can do anything at all.
The text was updated successfully, but these errors were encountered: