MyBB Community Forums

Full Version: Password Resets
Suggestion concerning this thread inquiring if there are issues with the password reset function.

As I explained in my response to the thread referenced above, it is easy for members to get confused when requesting a password reset.  This is not because the MyBB instructions are written poorly, but because a large number of the population simply skips over instruction text.  This is especially compounded in the case of the MyBB password reset requests because of the way users interact with the reset steps.

A nice fix to this issue would be to limit password reset requests to once every 24 hours.  However, make it so that the new password email can be resent when a user attempts another reset request.

When a user attempts another request, I would have a simple message that states a request was already made and ask the user if they received the activation email.  Users would be forced to answer "yes" or "no" and are then instructed appropriately.  

If "yes", alert the user to the fact that a second email with their new password was sent.  If they did not receive two emails, they should wait a few minutes and check their box again.  If they did not receive the password email, they can request for it to be sent again. - Just to be clear, the request is not for another password reset, but for the new password to be sent again.  (The reason for this will be apparent if you read my response to the linked thread above.)

If "no", instructions such as checking a spam folder or verifying the account in some other way would be useful here.

I realize that this is not something pressing given the fact that it is not a bug or due to poorly written instructions.  Unfortunately, a certain % of the population simply do not follow instructions (or read them).  This ultimately wastes the time of developers, admins, moderators, etc. 

It starts out with a plethora of "help me I can't access my account" emails and the lot of us start searching for non-existent bugs as we try to recreate what the user is experiencing.  When we cannot recreate the issue, we realize that the member simply did not read the three or four sentences that could have saved them a lot of frustration and us valuable time.  The next time we get a plea for help, we know what to ask and 99% of the time it is said problem above, but it is still wasted time.

Consider this 8 page discussion  ...


At least with what I am suggesting, simple issues like trying to use the activation code as the password and not checking spam folders would weed out 90% of the "help me please" emails.  It could also provide some great troubleshooting stats as well.  If stats were collected in such a case, Developers and Admins would gain information on just how many members are having problems - regardless of whether or not they report it or ask for help.  This is especially important in the case of new users who may just give up before they become 'attached' to the community - and then leave forever never to return.

As for myself, I will be revising the text/instructions with some extra formatting that draws attention to the 1st and 2nd emails - the 1st as an activation and the 2nd as the actual password, but it would be nice to have the feature that within 24 hours of the first password reset request, only the new password email will be sent and once the account is successfully accessed with that password, it would be really nice if the feature also required the user to change the one that was emailed to a new one.

This way there is no record of anyone's password stuffed in the email logs - a potential security risk for those who use whatever password is automatically issued to their account (yes, there are people who keep the same password that is generated for their accounts; these are the individuals who have a little notebook by the computer with a list of passwords neatly written down for easy access).

Regardless of whether or not a user is protective of his or her password, it is not wise to allow generated passwords to be kept permanently.  This way the potential damage and breach of security has been minimized in the unfortunate event that the server is hacked and those logs are accessed.
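
A sketch of the flow proposed in the post above, added here as an example; it is not MyBB code and not the poster's. All function and field names are hypothetical, checking the activation code is abstracted into `activate()`, and because only a password hash is stored, "resend" here issues a fresh temporary password instead of replaying the earlier one.

```python
import hashlib, hmac, secrets

WINDOW = 24 * 3600  # seconds; the post's "once every 24 hours"

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def new_account(password):
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": pw_hash(password, salt), "must_change": False,
            "reset_at": None, "activated": False, "stats": {"repeat": 0, "resent": 0}}

def issue_temp_password(acct):
    """Set a fresh temporary password; only its hash is kept server-side."""
    temp = secrets.token_urlsafe(12)
    acct["salt"] = secrets.token_bytes(16)
    acct["hash"] = pw_hash(temp, acct["salt"])
    acct["must_change"] = True       # forces a change at next login
    return temp                      # plaintext exists only in the e-mail body

def request_reset(acct, now):
    """First request in the window starts a reset; later ones only prompt."""
    if acct["reset_at"] is None or now - acct["reset_at"] >= WINDOW:
        acct["reset_at"], acct["activated"] = now, False
        return "activation_email_sent"
    acct["stats"]["repeat"] += 1     # troubleshooting stat suggested in the post
    return "ask_if_activation_received"

def activate(acct):
    """User followed the activation link: the first password e-mail goes out."""
    acct["activated"] = True
    return issue_temp_password(acct)

def answer_prompt(acct, received_activation):
    """Handle the yes/no answer to the repeat-request prompt."""
    if not received_activation:
        return "check_spam_or_verify", None
    if not acct["activated"]:        # assumption: the code is not the password
        return "use_activation_link_first", None
    acct["stats"]["resent"] += 1
    return "password_email_resent", issue_temp_password(acct)

def login(acct, password):
    if not hmac.compare_digest(pw_hash(password, acct["salt"]), acct["hash"]):
        return "denied"
    return "must_change_password" if acct["must_change"] else "ok"

def change_password(acct, new_password):
    acct["salt"] = secrets.token_bytes(16)
    acct["hash"] = pw_hash(new_password, acct["salt"])
    acct["must_change"] = False
```

The old password keeps working until the activation step is completed, and an e-mailed password only ever opens the forced-change step, so a password found later in mail logs no longer matches the account.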