
Opened 3 years ago

Closed 3 years ago

#14918 closed (wontfix)

Password reset with e-mail OR username

Reported by: jonash
Owned by: nobody
Component: contrib.auth
Version: master
Severity:
Keywords: auth
Cc:
Triage Stage: Unreviewed
Has patch: yes
Needs documentation: no
Needs tests: no
Patch needs improvement: no
Easy pickings:
UI/UX:

Description

Some people don't remember with which of their five spam addresses they registered for a site, so it might be convenient to reset your password by entering your username. And the other way round for folks that forget their usernames but not their e-mail addresses.

The implementation approach in the attached patch is to guess whether the entered string is an e-mail or a username.

Attachments (1)

password-reset-with-username.patch (9.2 KB) - added by jonash 3 years ago.
(against 14922)


Change History (3)

Changed 3 years ago by jonash

(against 14922)

comment:1 Changed 3 years ago by Keryn Knight <keryn@…>

  • Component changed from Uncategorized to Authentication
  • Needs documentation unset
  • Needs tests unset
  • Patch needs improvement unset

Does this not further expose the ability to grief another user with reset-password emails? Usernames are more prevalent as (often persistent) online personas, and emails are, comparatively speaking, closely guarded (largely, I suspect, because of the deluge of spam).

In a scenario such as, say, a forum, where people may not always get on, providing the ability to easily send a reset-password email to anyone whose username you can see seems like an open invitation to annoy.

comment:2 Changed 3 years ago by gabrielhurley

  • Resolution set to wontfix
  • Status changed from new to closed

I would tend to agree with Keryn. While some sites do allow you to recover accounts using data other than email addresses, it's not exactly common practice and definitely has the potential for abuse. If this were ever to be implemented it would need to be a much more comprehensive system, and is probably better suited to maturing in a 3rd party app first.
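A sketch of the lookup this ticket discusses, added here as an example (it is not the attached patch and not Django code): it guesses the identifier type and applies a per-account cooldown, which limits the repeated reset mails raised as a concern in comment:1. The user list, the cooldown value and every name in it are assumptions.

```python
import time

# Constructed sample accounts (not from the ticket).
USERS = [
    {"username": "alice", "email": "alice@example.com"},
    {"username": "bob", "email": "bob@example.org"},
    {"username": "carol@home", "email": "carol@example.net"},
]
COOLDOWN_SECONDS = 3600  # assumed policy: one reset mail per account per hour


def find_user(identifier, users=USERS):
    """Resolve an identifier to an account by guessing whether it is an e-mail."""
    value = identifier.strip().lower()
    # "@" suggests an e-mail, but a username may contain "@" too, so fall back.
    fields = ("email", "username") if "@" in value else ("username",)
    for field in fields:
        for user in users:
            if user[field].lower() == value:
                return user
    return None


class ResetRequests:
    """Decides whether a reset mail is sent; the caller shows the same page either way."""

    def __init__(self, cooldown=COOLDOWN_SECONDS, clock=time.monotonic):
        self.cooldown = cooldown
        self.clock = clock
        self.last_sent = {}  # username -> time the last reset mail went out

    def request(self, identifier):
        """Return the address to mail, or None when nothing should be sent."""
        user = find_user(identifier)
        if user is None:
            return None  # unknown identifier: no mail is sent
        now = self.clock()
        last = self.last_sent.get(user["username"])
        if last is not None and now - last < self.cooldown:
            return None  # throttled per account, whichever identifier was typed
        self.last_sent[user["username"]] = now
        return user["email"]
```

The cooldown is keyed on the account rather than on the typed string, so alternating between a username and its e-mail address does not bypass it.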
