  1. #1
    SitePoint Member (Almaty, Kazakhstan; joined Jul 2006; 17 posts)

    Lost passwords idea

    On my web-site I've noticed that some users are not only forgetting their passwords, but also their logins. Some might not have a permanent login; they are just using random names for each web-site they register on. At the same time, they use the same (usually stupidly simple) password everywhere =)

    This idea would be great for web-sites that have a registration system where login is not an email address. In such cases forgetting an email is a very rare issue.

    So, the idea is to do the following. Once a user tries to log in and fails, I **put the login name he entered into a temporary cookie**, just in case.

    Then, if the user goes to the 'Lost password?' section, where he is asked to fill in his email address for a new password, I do a check. I query the database for the login name associated with this email. And if I get a different login from the one **stored in the cookie**, it just cancels the new password generation and asks: "You've probably been trying to login with a wrong username. Perhaps %USERNAME% is your actual login". So now the person would understand that he was wrong about the username, not the password, and be happy to log in. Just in case, we will allow him to send a new password with a click of a button anyway.

    As a further improvement, I would store not only one login attempt, but all his login attempts in an array. Sometimes they try several variations of login/pass before they go to password renewal.

    I found nothing dangerous in this idea. Logins/usernames are usually things that are clearly displayed on web-sites, so there is nothing wrong with displaying them like that.

    Moreover, I see only the following cases if someone enters an email into the password renewal form after trying to login with a different name:
    1) it is either you, and you really forgot your login
    2) it is your girlfriend/wife who knows your email, so she already knows your login for sure

  2. #2
    Luke Morton, SitePoint Zealot (Essex, England; joined Jul 2005; 125 posts)
    One disadvantage to your idea is that they could enter any old username, then click lost password, enter an e-mail address, and then they will know the username for that e-mail address. This could be a potential security risk to your users who do not want to identify their username with their e-mail address?
    Luke Morton
    UK Web Explorer | lukemorton.co.uk

  3. #3
    SitePoint Member (Almaty, Kazakhstan; joined Jul 2006; 17 posts)

    Quote Originally Posted by Luke Morton:
        One disadvantage to your idea is that they could enter any old username, then click lost password, enter an e-mail address, and then they will know the username for that e-mail address. This could be a potential security risk to your users who do not want to identify their username with their e-mail address?
    You are right about this.

    Maybe a crazy idea to prevent that is to save md5(password) into a cookie and add a check for password compliance.

    Anyway, further analyzing my case, I found that many users are doing double registrations when they forget their username. Though a unique email address is required for registration, they still do not want to restore the password (maybe they do, but sometimes emailing takes several minutes and they just don't want to wait) and register with another email. I'm planning to implement the same code for the registration form. If a user enters an email that is already taken, I check if he tried to login (maybe check for crazy password compliance) and show him his username instead of the registration.
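The disclosure Luke points out, and one way to close it, as an added Python example written for this page (not code from the thread): the original flow returns the account's real username on screen, so anyone who fails a login with a made-up name and then submits someone else's e-mail address learns that person's username; the hardened flow gives every request the same on-screen reply and moves the username hint into the reset e-mail, which only the mailbox owner can read. The account table, the Outbox class and both function names are constructed stand-ins.

```python
from dataclasses import dataclass, field

# Constructed sample accounts (not from the thread): username -> e-mail address.
ACCOUNTS = {"alice": "alice@example.com", "bob": "bob@example.com"}
EMAIL_TO_USER = {email: user for user, email in ACCOUNTS.items()}

UNIFORM_REPLY = "If an account exists for that address, we have e-mailed instructions."


@dataclass
class Outbox:
    """Stand-in for the mail server: collects (recipient, body) pairs."""
    sent: list = field(default_factory=list)


def lost_password_leaky(email, cookie_usernames, outbox):
    """The thread's design: the on-screen reply names the account's real username.
    A failed login with any made-up name followed by the victim's e-mail address
    is enough to learn which username belongs to that address."""
    user = EMAIL_TO_USER.get(email)
    if user is None:
        return "No account uses that e-mail address."
    if cookie_usernames and user not in cookie_usernames:
        return (f"You've probably been trying to login with a wrong username. "
                f"Perhaps {user} is your actual login")
    outbox.sent.append((email, "A new password has been generated for you."))
    return "A new password has been sent."


def lost_password_hardened(email, attempted_usernames, outbox):
    """Same on-screen reply for every request, whether or not the address exists.
    The username hint goes only into the e-mail, so it reaches only whoever
    controls the mailbox. attempted_usernames should be read from server-side
    session state recorded at login time, not from a client-editable cookie."""
    user = EMAIL_TO_USER.get(email)
    if user is not None:
        body = "Use the link below to choose a new password: <reset link>"
        if attempted_usernames and user not in attempted_usernames:
            tried = ", ".join(attempted_usernames)
            body += f"\nYou recently tried to log in as {tried}; your username is {user}."
        outbox.sent.append((email, body))
    return UNIFORM_REPLY
```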
