Just use an email. Oftentimes, users have more than one username they use from site to site (depending on if someone's already registered with their "regular"), so they may forget their username as well.
I think the real issue is the security of where you save the passwords... But, you know.. Don't ask, don't tell.
JellyFish wrote: Or I could combine them all into a "Forgot Something" page and just have them input an email, then send username and password to that email.
That'd be the best choice. That way, they can always refer to that e-mail if they deleted their confirmation email. And yea, I think nickvd was on to something with the either/or. I say they input whichever one(s) they want, and you work from there, but they're only required to input one of them.
Well, if they can't remember their username, they type in the email address. If they can't remember their email address then they type in their username. But how are they supposed to know which email of theirs to check?
I am working on a forgotten password page too - 2 fields, username and email (to match with database).
I could generate a new random password, email the user, have the new password stored in the database (to the right user).
But I am having trouble logging in with the new password. I am using MD5 encrypting method.
I haven't read this thread in detail, so sorry if this has already come up.
I just want to say that I dislike "lost your password" methods where the user enters their username and/or email address then the password is changed to something random and emailed to them. Why? So someone doesn't like a user on a website and knows their username and/or password, they can not only spam the system (slowing it down) but they can annoy the real user by making them grab this new password from their email and change it back every time.
I much prefer a method where the user enters username and/or password, then a unique link is sent to them which, upon being accessed, resets the password (e.g. changes it to something random and then presents it to them in the webpage or a further email). If the link in the email is never clicked then the password remains the same as before.
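The link-based reset described in the post above, sketched as an added example that is not code from this thread: requesting a reset leaves the stored password untouched, and only redeeming the single-use, expiring token changes it. The in-memory tables, function names, token lifetime and the use of PBKDF2 for password storage are assumptions made for the illustration.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600  # assumed link lifetime, in seconds

# Constructed in-memory stand-ins for the users and reset-token tables.
users = {"alice@example.com": {"pw": None}}
reset_tokens = {}  # sha256(token) -> (email, expires_at)


def hash_password(password, salt=None):
    """Salted PBKDF2 from the standard library, not a bare fast hash."""
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def check_password(email, password):
    salt, digest = users[email]["pw"]
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def request_reset(email, now=None):
    """Return the token to put in the e-mailed link, or None.
    The account's current password is not modified here."""
    now = time.time() if now is None else now
    if email not in users:
        return None  # caller shows the same "check your inbox" page either way
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    reset_tokens[key] = (email, now + TOKEN_TTL)  # only the hash is stored
    return token


def redeem_reset(token, now=None):
    """Called when the link is opened. Returns the new random password to
    show on the page, or None if the token is unknown, used or expired."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(key, None)  # pop makes the link single-use
    if entry is None or now > entry[1]:
        return None
    new_password = secrets.token_urlsafe(12)
    users[entry[0]]["pw"] = hash_password(new_password)
    return new_password


users["alice@example.com"]["pw"] = hash_password("original-pw")
```

Because only the token's hash is stored, a leaked copy of the token table cannot be replayed as working reset links.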
How important is the security of the content behind the login? I ask because on the site I built for my company, I ask for their username (which is their email address) first, then if that is found, I take them to a second page where I ask them their password challenge question and accept their response. If that works, they get an email with a new password sent to their email on file. It also deactivates their account and creates an activation code, so they must present their account activation code after they get in the front door after changing their password.
If they don't remember their password challenge and response pair, they actually have to call and verify their identity over the phone using criteria in their account.