Opened 13 years ago
Closed 13 years ago
#14918 closed (wontfix)
Password reset with e-mail OR username
| Reported by: | Jonas H. | Owned by: | nobody |
|---|---|---|---|
| Component: | contrib.auth | Version: | dev |
| Severity: | Keywords: | auth | |
| Cc: | Triage Stage: | Unreviewed | |
| Has patch: | yes | Needs documentation: | no |
| Needs tests: | no | Patch needs improvement: | no |
| Easy pickings: | no | UI/UX: | no |
Description
Some people don't remember with which of their five spam addresses they registered for a site, so it might be convenient to reset your password by entering your username. And the other way round for folks that forget their usernames but not their e-mail addresses.
The implementation approach in the attached patch is to guess whether the entered string is a e-mail or a username.
Attachments (1)
Change History (3)
by , 13 years ago
| Attachment: | password-reset-with-username.patch added |
|---|
comment:1 by , 13 years ago
| Component: | Uncategorized → Authentication |
|---|
Does this not further expose the ability to grief another user with reset-password emails? Usernames are more prevalent as (often persistent) online personas, and emails are, comparatively speaking, closely guarded (largely, I suspect, because of the deluge of spam).
In a scenario such as say, a forum, where people may not always get on, providing the ability to easily send a reset-password email to anyone who's username you can see seems like an open invitation to annoy.
comment:2 by , 13 years ago
| Resolution: | → wontfix |
|---|---|
| Status: | new → closed |
I would tend to agree with Keryn. While some sites do allow you to recover accounts using data other than email addresses, it's not exactly common practice and definitely has the potential for abuse. If this were ever to be implemented it would need to be a much more comprehensive system, and is probably better suited to maturing in a 3rd party app first.
(against 14922)