Resetting a password on the internet varies greatly from site to site. I hate most of the methods. And, many leave a lot of security holes (e.g., plaintext emails). There should be more work to standardize this process, and perhaps the OAuth or OpenID people will make this happen. Until then, we’ll have to deal with many bad workflows and a few good ones. By the way, I think eBay’s password or username reset process is probably the most annoying on the web, and as a result I don’t use eBay. Maybe if I used eBay more, I wouldn’t have to reset my password every time I want to.
Anyway, I think there are three guiding principles for a password reset workflow:
- Secondary Authorization :: a site must always establish a secondary authorization method during the reset process; this means sending you an email, contacting you by phone, etc.
- Secure Transport of Data :: sensitive data should be transmitted to you securely; i.e., not through a plaintext email that spells out your login and password.
- One or Two Click Workflow :: *pet peeve here* once a password is reset, you shouldn’t have to re-enter all your login information to continue where you left off. This should be accomplished in one or two clicks as well.
Here are several password reset methods I see:
Email with Existing Password :: Certain sites seem to think that email is secure and that sending passwords in plaintext is copacetic. Well, it’s not. Email is not secure. And, a site can only send you your existing password if it stores that password in a recoverable form, which is a problem in itself. If you want to keep your password secure, one hopes that this will never happen. But, it does. You receive an email aptly titled “Your Password for BlahBlah.com.” Wow. That’s not hard to parse. Many of these emails don’t even include a link back to the login page. Either there is no link at all or just a link to the home page. Quite helpful.
Email with New, Auto-generated Password :: The email with a newly generated password is only slightly better. These sites give the email a similar title: “Your Account and Password Reset Request.” The email includes a nice new password that must be copied and pasted into the standard login box. Now, why don’t these companies just include a URL with the password in the query string? It’s not like a password in a cleartext email is any less parseable than a URL.
Email with Password Reset Link :: Emails with a password reset link are often the best. The link establishes authorization with you as an individual via the registered email account. The email subject is typically less descriptive – “Your Request” or “Important Information” or “Service Answer.” These are better than the other two email methods discussed. But, typically, the process fails to actually take you to a fully logged-in state. It will walk you through the reset from a single link – great – but then drops you off in a sessionless or unauthenticated state. This means that you then need to re-type your login and password to actually access the site. Why don’t these sites just create a session after you’ve reset your password?
On-page Reset Challenge :: Some sites don’t use email as an authentication method. These sites use randomly selected challenge questions to help you reset your password. These often work well if you can remember your favorite movie, your childhood teacher or the name of a street you once lived on. The challenge responses are typically case-sensitive. So, even if you can remember your teacher’s name, maybe you can’t remember whether you used his or her full name, a salutation (Mr., Ms., Mrs.) or just the last name. This reset method becomes difficult and annoying if you can’t remember exactly what you entered. So, you’re left with calling customer support or simply creating a new account; the latter is the route that I typically take.
On-page SMS, Email or Phone Challenge :: A lot of banking and financial sites let you reset your password via a phone call, an email or an SMS message. These typically provide only a token, which you then enter into the website to continue the authentication process. This is typically the most secure and nicest workflow; that is, as long as the challenge arrives in less than 30 seconds. Otherwise, I get distracted and move on to something else.
Once you’ve recovered or reset your password you shouldn’t have to log in again. You’ve just entered all your details. It was you. A lot of sites are lazy and kick you out of the site without creating a session for you during the reset or recovery process. In my mind, this is the lazy developer’s way out of this problem. Sure, it’s easier. And, if you’re building a new site, it’s probably okay. But, if you’re on your 20th agile release this should be fixed, as it’s a really annoying workflow.
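One way to implement the reset-link method above so that the emailed token is single-use and time-limited and the user lands in a live session instead of back at the login form, as an added example (this is not code from the original post; the ResetService class, the 15-minute link lifetime and the example.invalid host are assumptions):

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link


class ResetService:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}    # sha256(token) -> (user_id, expires_at)
        self.passwords = {}  # user_id -> (salt, pbkdf2 hash)
        self.sessions = {}   # session_id -> user_id

    @staticmethod
    def _digest(token):
        # Only a hash of the token is stored, so a leaked table cannot be replayed.
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

    def request_reset(self, user_id):
        # 256 bits from a CSPRNG; the cleartext token only ever appears in the link.
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(token)] = (user_id, self.clock() + TOKEN_TTL_SECONDS)
        return f"https://example.invalid/reset?token={token}"  # placeholder host

    def complete_reset(self, token, new_password):
        # pop() makes the token single-use: a second click finds nothing.
        entry = self.pending.pop(self._digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self.clock() > expires_at:
            return None
        salt = secrets.token_bytes(16)
        self.passwords[user_id] = (salt, self._hash_password(new_password, salt))
        # Clicking the link already proved control of the mailbox, so create the
        # session here instead of dropping the user in an unauthenticated state.
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        return session_id

    def verify_password(self, user_id, password):
        salt, stored = self.passwords[user_id]
        return secrets.compare_digest(stored, self._hash_password(password, salt))
```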