May 23rd, 2008 Systems posted by dmerritts

Password Reset Workflow

Resetting a password on the internet varies greatly from site to site. I hate most of the methods, and many leave real security holes (e.g., plain-text emails). There should be more work to standardize this process, and perhaps the OAuth or OpenID people will make that happen. Until then, we’ll have to deal with many bad workflows and a few good ones. By the way, I think eBay’s password or username reset process is probably the most annoying on the web, and as a result I don’t use eBay. Maybe if I used eBay more, I wouldn’t have to reset my password every time I want to :-) .

Anyway, I think there are three guiding principles for password reset workflow:

  1. Secondary Authorization :: a site must always establish a secondary authorization method during the reset process; this means sending an email to you, contacting you by phone, etc.
  2. Secure Transport of Data :: sensitive data should be transmitted to you securely; i.e., not via a plaintext email that spells out the login and password.
  3. One or Two Click Workflow :: *pet peeve here* once a password is reset, you shouldn’t have to re-enter all your login information to continue where you left off. The whole reset should take one or two clicks as well.

Here are several password reset methods I see:

Email with Existing Password :: Certain sites seem to think that email is secure and that sending passwords in plain text is copacetic. Well, it’s not. Email is not secure. And, if you want to keep your password secure, one hopes that this will never happen. But it does. You receive an email aptly named “Your Password for BlahBlah.com.” Wow. That’s not hard to parse. Many of these emails don’t even include a link back to the login page: either there is no link at all or just a link to the home page. Quite helpful.

Email with New, Auto-generated Password :: The email with a newly generated password is only slightly better. These sites give the email a similar title: “Your Account and Password Reset Request.” The email includes a nice new password that must be copied and pasted into the standard login box. Now, why don’t these companies just include a URL with the password in the query string? A password in a clear-text email is no less parseable than one in a URL.

Email with Password Reset Link :: Emails with a password reset link are often the best. The link establishes authorization with you as an individual via the registered email account. The email subject is typically less descriptive – “Your Request” or “Important Information” or “Service Answer.” These are better than the other two email methods discussed. But, typically, the link fails to actually take you to a fully logged-in state. It walks you through the reset process from a single link – great – but then drops you off in a sessionless or unauthenticated state. This means that you then need to re-type your login and password to actually access the site. Why don’t these sites just create a session after you’ve reset your password?

On-page Reset Challenge :: Some sites don’t use email as an authentication method. These sites use randomly selected challenge questions to help you reset your password. These often work well if you can remember your favorite movie, your childhood teacher or the name of a street you once lived on. The challenge responses are typically case-sensitive. So, even if you can remember your teacher’s name, maybe you can’t remember whether you entered his or her full name, a salutation (Mr., Ms., Mrs.) or just the last name. This reset method becomes difficult and annoying if you can’t remember exactly what you put in. So, you’re left with calling customer support or simply creating a new account; the latter is the route that I typically take.

On-page SMS, Email or Phone Challenge :: A lot of banking and financial sites let you reset your password via a phone call, an email or an SMS message. They typically only send you a token that you then enter into the website to continue the authentication process. These are typically the most secure and the nicest workflow; that is, as long as the challenge arrives in less than 30 seconds. Otherwise, I get distracted and move on to something else.

Once you’ve recovered or reset your password you shouldn’t have to log in again. You’ve just entered all your details. It was you. A lot of sites are lazy and kick you out of the site without creating a session for you during the reset or recovery process. In my mind, this is the lazy developer’s way out of the problem. Sure, it’s easier. And, if you’re building a new site, it’s probably okay. But, if you’re on your 20th agile release this should be fixed, as it’s a really annoying workflow.
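The emailed-link flow the post prefers, carried through to its end state, as an added example that is not the post’s own code: the email carries only a random, short-lived token (never a password), the server keeps just a hash of it, the link works exactly once, and completing the reset hands back a session so the user lands logged in rather than at the login box. The in-memory dictionaries, the sample address and the outbox are constructed stand-ins for a database and mail delivery.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset link stays valid (assumed policy, not from the post)

USERS = {"alice@example.com": {"salt": b"", "pw_hash": b""}}  # constructed sample account
PENDING = {}   # sha256(token) -> (email, expiry): only the hash is kept server-side
SESSIONS = {}  # session id -> email
OUTBOX = []    # stand-in for email delivery: (recipient, reset link)

def _token_digest(token):
    return hashlib.sha256(token.encode()).hexdigest()

def request_reset(email, now=None):
    """Principle 1: prove control of the registered mailbox. Principle 2: the
    email carries only a random short-lived token, never a password."""
    now = time.time() if now is None else now
    if email in USERS:  # same empty response for unknown addresses: no account enumeration
        token = secrets.token_urlsafe(32)
        PENDING[_token_digest(token)] = (email, now + TOKEN_TTL)
        OUTBOX.append((email, "https://example.com/reset?token=" + token))

def complete_reset(token, new_password, now=None):
    """Single-use token in, new password stored, and (Principle 3) a fresh
    session id out. None if the link is unknown, already used or expired."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_digest(token), None)  # pop: the link works exactly once
    if entry is None:
        return None
    email, expiry = entry
    if now > expiry:
        return None
    salt = secrets.token_bytes(16)
    USERS[email]["salt"] = salt
    USERS[email]["pw_hash"] = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    # Old password is suspect after a reset: revoke this account's other sessions.
    for sid in [s for s, owner in SESSIONS.items() if owner == email]:
        del SESSIONS[sid]
    session_id = secrets.token_urlsafe(32)
    SESSIONS[session_id] = email
    return session_id

def check_password(email, password):
    """Ordinary login check against the stored salted PBKDF2 hash."""
    rec = USERS[email]
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], 200_000)
    return hmac.compare_digest(cand, rec["pw_hash"])
```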

  • Anonymous

    Excellent article and easy to understand explanation. How do I go about getting permission to post part of the article in my upcoming news letter? Giving proper credit to you the author and link to the site would not be a problem.

  • Anonymous

    Well … all I can say is, wow. This is an impressive collection of resources, thank you for taking the time to put everything together.

  • Anonymous

    I am happy to find so many useful information here in the post, we need develop more strategies in this regard, thanks for sharing. . . . . .

  • Anonymous

    It is simple to see that you are very informed about your writing. Looking forward to future posts. Thank you.

  • Anonymous

    Wow – this is the best article I’ve read in ages!

  • Anonymous

    Thank you for creating this web site! I am so happy to be able to watch the progress of this restoration. I am filled with admiration for what you are doing! Best of luck with your work.

  • Anonymous

    It was really inspiring I loved it, thanks a ton to bring me back and more closer to my real self and my family.

  • Anonymous

    That was an awesome read. You discover something new every day.

  • Anonymous

    Thank you for developing this website. The stories here are worth reading many times over in order to refresh us time and time again to do good and positive things and inspire or influence others to do the same.

  • Anonymous

    Interesting…and I agree with all of it. Keep up the excellent work…I will undoubtedly be back soon

  • Anonymous

    I read your blog just now. Your blog is very useful to me. I bookmark your blog! :D

  • Anonymous

    This is a really nice blog you got here. The theme is great! Color combination is awesome.

  • Anonymous

    Good luck getting people behind this one. Though you make some VERY fascinating points, you’re going to have to do more than bring up a few things that may be different than what we’ve already heard. What are you trying to say here? What do you want us to think? It seems like you can’t really get behind a unique thought. Anyway, that’s just my opinion.

  • Anonymous

    Comfortably, the article is in reality the greatest on this noteworthy topic. I concur with your conclusions and will thirstily look forward to your upcoming updates. Saying thanks will not just be enough, for the extraordinary lucidity in your writing. I will immediately grab your RSS feed to stay privy of any updates. Genuine work and much success in your business efforts!

  • Anonymous

    I don’t know what to say. It is undoubtedly one of many superior blogs I’ve understood. You’re so insightful, and have much genuine stuff to bring to the table. I wish that far more persons study this and get what I got from it: chills. Good career and fantastic blog. I can’t wait to study more, retain them coming!

  • Anonymous

    Awesome post Jeff! You guys are doing awesome work!

  • Anonymous

    I just can’t stop reading this. It’s so cool, so full of information that I just didn’t know. I’m glad to see that people are actually writing about this issue in such a smart way, showing us all different sides to it. You’re a great blogger. Please keep it up. I can’t wait to read what’s next.
