Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#1866 closed improve feature (fixed)

Add username reminder to new password emails

Reported by: abyssin Owned by: shevek
Priority: critical Milestone: 1.3
Component: unknown Keywords: username password login forgotten
Cc: leeuwerck@…

Description

Many users contact the Support Team asking for their username because they forgot it. The new password message should include the username.

And what about a slightly different login system, allowing either username or email address to be used?

Change History (10)

comment:1 Changed 6 years ago by abyssin

  • Priority changed from major to critical

The Support Teams received many messages recently from people asking what their username is. Probably more are facing the same issue every day.


comment:2 Changed 6 years ago by shevek

I believe that the omission of the username was intended as a security feature.

But as an attack vector would either include having access to the mail account or the network traffic it probably isn't really one that we need to bother about.

A fix is ready (ugly). If criticality is that high I'd push it to 1.3.

comment:3 Changed 6 years ago by shevek

  • Owner set to shevek
  • Status changed from new to accepted

comment:4 Changed 6 years ago by shevek

Commit: https://gitorious.org/bewelcome/rox/commit/b41ed9ce9bf7c622499414516189c915442031ac

Mail looks like this now (in English):

"Hello, here is your new password to login to the BeWelcome Site: zP5Za7Nt

We recommend that you login immediately and change your password to something that you will be able to remember.

If you received this email without asking for your password to be changed, please let us know through our feedback page.

Username: Hopf1194 Greetings from the volunteers"

Without changing the word codes we don't get anything better. This should be done with #1860 (adding a link there).

comment:5 Changed 6 years ago by shevek

  • Milestone changed from unassigned to 1.3

comment:6 Changed 6 years ago by jsfan

Deployed on alpha.

comment:7 Changed 6 years ago by shevek

Just had my password reset. Mail contained my username as expected.

(Alpha throws a lot of deprecated messages regarding split in Swift Mailer.)

comment:8 Changed 6 years ago by shevek

  • Resolution set to fixed
  • Status changed from accepted to closed

Someone nice reset my password tonight while I slept. The mail contained my username.

So closing as obviously working (and not being selftested by myself ;-))

comment:9 Changed 6 years ago by crumbking

Sorry, it was me. Might be worth thinking of a 2-step password recovery. Otherwise it's easy to abuse the system.

comment:10 Changed 6 years ago by shevek

#1860 should take care of that. And I was just surprised.
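The two-step recovery raised in comment:9, sketched as an added example (not BeWelcome code and not the change tracked in #1860): a reset request only mails a one-time token, and the stored password changes only when that token is presented. `ResetStore`, `TOKEN_TTL`, the PBKDF2 parameters and the in-memory tables are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 3600  # assumed lifetime of a reset token, in seconds


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class ResetStore:
    """In-memory stand-in (hypothetical) for the user and token tables."""

    def __init__(self):
        self.users = {}    # username -> {"email", "salt", "pw_hash"}
        self.pending = {}  # username -> (sha256 of token, expiry time)
        self.outbox = []   # (recipient, body) pairs instead of real mail

    def add_user(self, username, email, password):
        salt = os.urandom(16)
        self.users[username] = {"email": email, "salt": salt,
                                "pw_hash": hash_password(password, salt)}

    def request_reset(self, username, now=None):
        """Step 1: mail a one-time token; the stored password stays valid."""
        user = self.users.get(username)
        if user is None:
            return  # unknown names behave the same as known ones
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.pending[username] = (digest, now + TOKEN_TTL)
        self.outbox.append((user["email"], f"Username: {username}\nToken: {token}"))

    def confirm_reset(self, username, token, new_password, now=None):
        """Step 2: change the password only for the holder of the mailed token."""
        now = time.time() if now is None else now
        digest, expiry = self.pending.get(username, (b"", 0.0))
        supplied = hashlib.sha256(token.encode()).digest()
        if now > expiry or not hmac.compare_digest(digest, supplied):
            return False
        del self.pending[username]  # tokens are single use
        user = self.users[username]
        user["pw_hash"] = hash_password(new_password, user["salt"])
        return True
```

With this split, a reset requested by someone else leaves the account owner's current password working, and the mail can still carry the username as this ticket asks.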
