[wp-hackers] On overly-obscure passwords

Mark Waterous lists at watero.us
Thu May 6 05:07:43 UTC 2010


The process is actually a standard convention on the web and is presented as
such to keep people from randomly resetting passwords for accounts that
don't belong to them - if it was a single-step process, I could access your
wp-login page and reset your password to my heart's content. I will never get
it for myself this way, but can you imagine the pita it would be if you got
that one jerk who thought it was funny?

That aside, the idea of presenting them with a form to choose a new password
after verifying that they are the account holder is, in my opinion, a really
good idea. This would completely bypass the need for dumbing down the random
password generator and add a layer of user-friendly functionality that I
couldn't see anybody complaining about. +1 for that idea.
-Mark

-----Original Message-----
From: wp-hackers-bounces at lists.automattic.com
[mailto:wp-hackers-bounces at lists.automattic.com] On Behalf Of John
Blackbourn
Sent: Wednesday, May 05, 2010 7:47 PM
To: wp-hackers at lists.automattic.com
Subject: Re: [wp-hackers] On overly-obscure passwords

Maybe it would be worth looking at the password recovery process in
general too. It works, but it's far from ideal (with the two emails
being sent).

At risk of going off-topic slightly, I don't see a reason why the
authorisation link clicked in the first email can't take you to a
screen where, instead of being presented with a message telling you
that another email has been fired off with your new password, you are
instead presented with a screen that allows you to choose a new
password (complete with the password strength meter).
_______________________________________________
wp-hackers mailing list
wp-hackers at lists.automattic.com
http://lists.automattic.com/mailman/listinfo/wp-hackers
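
The flow discussed in this thread, as an added example that is not part of the original messages and is not WordPress code: requesting a reset only issues an emailed token and leaves the password alone, and the token holder then chooses the new password. The names `ResetFlow`, `TOKEN_TTL` and `MIN_LENGTH`, the in-memory store and the length check standing in for the strength meter are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 3600   # assumed link lifetime in seconds
MIN_LENGTH = 12    # assumed stand-in for the password strength meter


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class ResetFlow:
    """In-memory user store, constructed for this example."""

    def __init__(self):
        self.passwords = {}  # login -> (salt, derived key)
        self.pending = {}    # login -> (sha256 of token, expiry time)

    def set_password(self, login, password):
        salt = secrets.token_bytes(16)
        self.passwords[login] = (salt, _kdf(password, salt))

    def check_password(self, login, password):
        salt, key = self.passwords[login]
        return hmac.compare_digest(_kdf(password, salt), key)

    def request_reset(self, login, now=None):
        """Step 1: callable by anyone, so it must not touch the password."""
        if login not in self.passwords:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # goes into the emailed link
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[login] = (digest, now + TOKEN_TTL)
        return token

    def complete_reset(self, login, token, new_password, now=None):
        """Step 2: the holder of the emailed token chooses the password."""
        now = time.time() if now is None else now
        digest, expiry = self.pending.get(login, (b"", 0))
        supplied = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(supplied, digest) or now > expiry:
            return False
        if len(new_password) < MIN_LENGTH:
            return False  # token stays valid so the form can be resubmitted
        del self.pending[login]  # single use
        self.set_password(login, new_password)
        return True
```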


