smogon / pokemon-showdown-client

The client for Pokémon Showdown
http://pokemonshowdown.com
GNU Affero General Public License v3.0

Automating password reset requests #972

Open panpawn opened 7 years ago

panpawn commented 7 years ago

Many sites have a "forgot password" feature that makes resetting passwords a lot easier than it is on PS.

What if: account registration stays the same as it is now, and once you register and your account is autoconfirmed (or even before it's autoconfirmed maybe), you have an option when you click the Settings button to "Link email address (used strictly for password resets)". When a user uses this button, it would have them verify their current password, and possibly send an email verification as well.

Then, when it comes time to reset the password, we would have a "forgot password" button. This button would have you enter the account name as well as the email address associated with the account. The reason why we would verify the email address again at this step is so that 1. an email wouldn't get spammed with unnecessary password reset requests, and 2. we can store emails hashed on the login server as we do with passwords. The benefit of storing them hashed is also that if PS were to get hacked, emails would require as much work as passwords to crack.

Thoughts?

Zarel commented 7 years ago

This is already planned with a Google login option...

panpawn commented 7 years ago

... oh? I didn't realize the two were related

Zarel commented 10 months ago

Let me be clearer. I do think that it is a problem that we don't currently have any recourse for users who forget their passwords.

The usual solution is for users to provide an email address, to which we can email passwords. This is blocked by us not having email infrastructure, because email infrastructure and email reputation in general is a huge mess.

I think a simple end-run is to support Google login. This makes "forgot password" Google's problem, rather than ours. That's my current preferred solution.