Forgot Your Password?

JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

I'm working on a forgotten password page. But I can't decide which I should have:

Two fields, one being the username and the other being the email, which I match with the email in the database.

One field, just the username, which is used to find the user's info in the db and sends the password to that email.

Which should I use? They're pretty much the same but it just seems like I should make it right.

And if you have any other solutions to a forgotten password page then please suggest. :D

Thanks for reading. I appreciate your comments on this.
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

Just use an email. Oftentimes, users have more than one username they use from site to site (depending on if someone's already registered with their "regular"), so they may forget their username as well.

I think the real issue is the security of where you save the passwords... But, you know.. Don't ask, don't tell. :lol:
nickvd
DevNet Resident
Posts: 1027
Joined: Thu Mar 10, 2005 5:27 pm
Location: Southern Ontario

Post by nickvd »

Do both...

I may forget the username I used on your site, or I may forget what email address I used to sign up...
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

This is just for forgetting the password.

I'll have a forgot your password and username.

When they've forgotten their username, I'll have them input their email, what else could I do? :roll:

When they've forgotten their password, I'll have them input their username and maybe their email (which is why I'm posting a question).

Or I could combine them all into a "Forgot Something" page and just have them input an email, then send username and password to that email.

Please help me with this one. What do you guys usually do? Which of the above do you believe to be most plausible?
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

JellyFish wrote: Or I could combine them all into a "Forgot Something" page and just have them input an email, then send username and password to that email.
That'd be the best choice. That way, they can always refer to that e-mail if they deleted their confirmation email. And yea, I think nickvd was on to something with the either/or. I say they input whichever one(s) they want, and you work from there, but they're only required to input one of them.
JellyFish
DevNet Resident
Posts: 1361
Joined: Tue Feb 14, 2006 7:18 pm
Location: San Diego, CA

Post by JellyFish »

Well, if they can't remember their username, they type in the email address. If they can't remember their email address then they type in their username. But how are they supposed to know which email of theirs to check?
illievee
Forum Newbie
Posts: 1
Joined: Tue Jun 19, 2007 11:35 am

Post by illievee »

I am working on a forgotten password page too - 2 fields, username and email (to match with database).

I could generate a new random password, email the user, have the new password stored in the database (to the right user).
But I am having trouble logging in with the new password. I am using MD5 encrypting method.

Any help?
PS: I'm a total noob :cry:
Oren
DevNet Resident
Posts: 1640
Joined: Fri Apr 07, 2006 5:13 am
Location: Israel

Post by Oren »

illievee, please start a new topic (on the "PHP - Code" forum probably) and give us more details and maybe some related code.
jayshields
DevNet Resident
Posts: 1912
Joined: Mon Aug 22, 2005 12:11 pm
Location: Leeds/Manchester, England

Post by jayshields »

I haven't read this thread in detail, so sorry if this has already come up.

I just want to say that I dislike "lost your password" methods where the user enters their username and/or email address then the password is changed to something random and emailed to them. Why? So someone doesn't like a user on a website and knows their username and/or password, they can not only spam the system (slowing it down) but they can annoy the real user by making them grab this new password from their email and change it back every time.

I much prefer a method where the user enters username and/or password, then a unique link is sent to them which, upon being accessed, resets the password (e.g. changes it to something random and then presents it to them in the webpage or a further email). If the link in the email is never clicked then the password remains the same as before.
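The link-based reset described in the post above, sketched as an added example (not code from any poster in this thread). It assumes an in-memory store in place of the database, a hypothetical `example.test` URL, a one-hour link lifetime, a per-account request cooldown, and that the user chooses the new password when redeeming the link rather than being shown a random one.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 3600        # assumed: a reset link is valid for one hour
REQUEST_COOLDOWN = 300  # assumed: one reset mail per account per five minutes

def hash_password(password, salt=None):
    salt = salt or secrets.token_bytes(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class ResetService:
    """In-memory stand-in for the users and reset-token tables (hypothetical)."""
    def __init__(self):
        self.users = {}    # username -> {"email", "salt", "pw"}
        self.pending = {}  # username -> {"digest", "expires", "issued"}
        self.outbox = []   # (email, link) pairs standing in for the mailer

    def add_user(self, username, email, password):
        salt, pw = hash_password(password)
        self.users[username] = {"email": email, "salt": salt, "pw": pw}

    def check_login(self, username, password):
        user = self.users.get(username)
        if user is None:
            return False
        return hmac.compare_digest(hash_password(password, user["salt"])[1], user["pw"])

    def request_reset(self, username, now=None):
        now = time.time() if now is None else now
        user, last = self.users.get(username), self.pending.get(username)
        if user is None or (last and now - last["issued"] < REQUEST_COOLDOWN):
            return  # nothing is mailed, and the stored password is never touched here
        token = secrets.token_urlsafe(32)
        self.pending[username] = {
            "digest": hashlib.sha256(token.encode()).digest(),  # store only the hash
            "expires": now + TOKEN_TTL, "issued": now}
        link = f"https://example.test/reset?u={username}&t={token}"
        self.outbox.append((user["email"], link))

    def redeem(self, username, token, new_password, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(username)
        if entry is None or now > entry["expires"]:
            return False
        digest = hashlib.sha256(token.encode()).digest()
        if not hmac.compare_digest(entry["digest"], digest):
            return False
        del self.pending[username]  # single use: the link dies once redeemed
        user = self.users[username]
        user["salt"], user["pw"] = hash_password(new_password)
        return True
```

Repeated requests inside the cooldown send no further mail, and until `redeem` succeeds the old password keeps working, which is the property the post asks for.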
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

How important is the security of the content behind the login? I ask because on the site I built for my company, I ask for their username (which is their email address) first, then if that is found, I take them to a second page where I ask them their password challenge question and accept their response. If that works, they get an email with a new password sent to their email on file. It also deactivates their account and creates an activation code, so they must present their account activation code after they get in the front door after changing their password.

If they don't remember their password challenge and response pair, they actually have to call and verify their identity over the phone using criteria in their account.