Opened 8 years ago

Closed 8 years ago

#14918 closed (wontfix)

Password reset with e-mail OR username

Reported by: Jonas H.
Owned by: nobody
Component: contrib.auth
Version: master
Severity:
Keywords: auth
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings: no
UI/UX: no


Some people don't remember with which of their five spam addresses they registered for a site, so it might be convenient to reset your password by entering your username. And the other way round for folks that forget their usernames but not their e-mail addresses.

The implementation approach in the attached patch is to guess whether the entered string is an e-mail or a username.

Attachments (1)

password-reset-with-username.patch (9.2 KB) - added by Jonas H. 8 years ago.
(against 14922)


Change History (3)

Changed 8 years ago by Jonas H.

(against 14922)

comment:1 Changed 8 years ago by Keryn Knight <keryn@…>

Component: Uncategorized → Authentication

Does this not further expose the ability to grief another user with reset-password emails? Usernames are more prevalent as (often persistent) online personas, and emails are, comparatively speaking, closely guarded (largely, I suspect, because of the deluge of spam).

In a scenario such as, say, a forum, where people may not always get on, providing the ability to easily send a reset-password email to anyone whose username you can see seems like an open invitation to annoy.

comment:2 Changed 8 years ago by Gabriel Hurley

Resolution: wontfix
Status: new → closed

I would tend to agree with Keryn. While some sites do allow you to recover accounts using data other than email addresses, it's not exactly common practice and definitely has the potential for abuse. If this were ever to be implemented it would need to be a much more comprehensive system, and is probably better suited to maturing in a 3rd party app first.
