Why require username for forgotten password?

Albert Wiersch
Registered User
Posts: 145
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch
Contact:

Re: Why require username for forgotten password?

Post by Albert Wiersch » Mon Oct 31, 2011 2:15 pm

Big-Jim wrote: The developers of the phpBB forum software have already included an easy and secure way to do it.
Not if you forgot your username.

Big-Jim
Registered User
Posts: 113
Joined: Mon Jan 31, 2011 3:54 pm

Re: Why require username for forgotten password?

Post by Big-Jim » Mon Oct 31, 2011 2:29 pm

Pony99CA wrote: You sure do presume a lot. You presume that people who don't anal-retentively write their passwords down in triplicate are unintelligent and unworthy of your glorious board. You presume that people don't browse the Web (and forums) during their lunch hours and that no companies allow that as acceptable use. You presume that they don't visit forums on vacations, business trips, from their mobile devices, etc. You presume that a wife finding a forum user name and password isn't a big deal even if the husband is visiting a less-than-savory site. You really need to stop with the unfounded presumptions.

Steve
The opening poster says some of his membership can remember their email address, but not their username. OK, so if the forgetful people start looking thru some of the topics/threads they have posted in, (here goes that terrible word again) "presumably" they would recognize their username. At that point they would have the normal phpBB method of getting their password back again.

If you honestly believe this is a good idea, then perhaps you should sit down and write the opening poster a "Password Recovery Modification". This would essentially do two things. It would make him a happy camper, and it would make you a very helpful person.

Big-Jim
Registered User
Posts: 113
Joined: Mon Jan 31, 2011 3:54 pm

Re: Why require username for forgotten password?

Post by Big-Jim » Mon Oct 31, 2011 2:30 pm

Albert Wiersch wrote: Not if you forgot your username.
Tell them to write it down someplace safe.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve
Contact:

Re: Why require username for forgotten password?

Post by Pony99CA » Mon Oct 31, 2011 8:10 pm

Big-Jim wrote: The opening poster says some of his membership can remember their email address, but not their username. OK, so if the forgetful people start looking thru some of the topics/threads they have posted in, (here goes that terrible word again) "presumably" they would recognize their username. At that point they would have the normal phpBB method of getting their password back again.
Except that there are some sites that don't allow Guests to browse the forum. If those sites also prohibit E-mail address reuse, the person might have to first register for a free E-mail account, then re-register with the board, then PM the board owner to say that he had forgotten the user name for E-mail address forgetful@example.com. Those are a lot of hoops to jump through.
Big-Jim wrote:If you honestly believe this is a good idea, then perhaps you should sit down and write the opening poster a "Password Recovery Modification". This would essentially do two things. It would make him a happy camper, and it would make you a very helpful person.
First, I like to think that I'm already very helpful (see my manage_bots script, for example). :D

Second, it's not that I think the OP's idea is that good (especially if only limited to using E-mail addresses in case somebody forgot their user name), it's that I think that only requiring one piece of information makes the password recovery piece of the board a bit more friendly without compromising security. (Oh, and for those who think that only requiring a user name would allow too much mischief, the answer is very simple -- put a CAPTCHA on the password recovery page. :))

It's not like we're asking for a whole new infrastructure component, like security questions that you find at banking and credit card sites. It's not the feature that I'd want the most, but it would be a nice little kicker to add in if the development team had a little free time.

Anyway, I think that all of the "major players" in this topic understand the positions of the others (Albert wants it, I'm OK with it if it adds the ability to just require the user name, Big-Jim thinks that it's a waste of time and effort), so unless somebody has something new to add, or somebody new wants to voice their opinion, can we leave it at that? An improvement request has been opened, so the ball is in the developers' court.

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

splud
Registered User
Posts: 4
Joined: Mon Mar 19, 2012 10:10 pm

Re: Why require username for forgotten password?

Post by splud » Fri Apr 13, 2012 12:44 am

Big-Jim wrote: Included in the phpBB software is a method to be used should you somehow forget your password. It is quite simple, you click on "I Forgot My Password" and type in your username and email address. But apparently it is felt by some the method the phpBB developers decided to use when a member forgets his/her password is too difficult.
Not too difficult for me - but then I don't forget my credentials. However, "joe user" isn't necessarily organized, and why should the forum admin be penalized for the failure of a user to remember their details? The same person who didn't write their password in three different places probably didn't write their username down either. When they attempt to create a new account using the same email address, unless the board is configured to allow it (why?), they'll be told that address is already used - but that gets them no closer to resetting the password or being reminded of the userid for the account.

All you have to do is look at twitter and other social networks to realize just how many morons exist out there.
Presumably visiting a forum is done at home on your own time, not at work when you are supposed to be doing your job.
You conveniently overlook that many forums are support forums, not social groups. People at work may need to seek support for software, hardware, or whatever.

If it's an official product support forum, the company is presumably paying for the time of one or more individuals to administer them, so the more userid/password help requests they deal with, the less other productive things that employee is doing for the company, whether it be within the forums, or on the phone, or whatever. It costs them money. In the case of social/hobby forums, the individual managing the forums may not be getting paid for their time - so it's a real waste when they've got to take the time to deal with some frustrated user, when the software should be able to facilitate the password reset without admin intervention. After all, the current implementation is clearly intended to allow the users to deal with it themselves - it's just that for some sites, it'd be nice if it allowed the user to use the one thing they should be able to remember - their own email address.

More often than not, when a forum becomes popular, there will be userid collisions - someone will create a new account and find that they can't use the same userid they've used on some other site. Perhaps they're "Big Richard" on one site, but on another that's taken, so they have to be "Richard420" or just "Big Dick". They can be using the same email address on the different sites (possibly their ISP address or some freemail account, but outside geekland, most users don't have multiples of email addresses, and most can't handle setting up email filters for that matter). Depending upon forum configuration, with some forums you MUST create a new account just to search to see if someone has posted a question/answer relating to a problem you're having (i.e. is this site even likely to be of any use). Six months later when that user comes back to the site researching a different problem, are they really going to remember the first account they barely used? What if they're doing it from a public access computer? When I go to the public library, the dozen-plus terminals they have are always occupied - some of those people may not have a computer or internet access at home, and there's good odds they don't have a password manager available to them while at the public terminal. A friend's house? The office vs. home? My wife's work computer is running software that prohibits use of unsecured USB keys, so she can't pop a USB key in with her personal stuff on it for instance, and forget about having personal software or files stored on the work computer HD, where they're backed up to a corporate server.

As to "forum access is never life and death", I'll generally agree - call 911 (or whatever your country's emergency number is) if you have an actual emergency. However, automotive owner support forums, possibly accessed from a mobile device, can provide diagnostic insights to get your car running when you're stuck someplace. I kid you not - the forum I'm dealing with porting right now has done that many times.

Let's face it - the average consumer isn't hanging around on the phpBB support forums - other than having seen the moniker on a few sites they use, they haven't a clue what a phpBB is (or even what PHP or BB individually stand for). So your organized approach to things has no bearing on the reality of a typical user.

Network configuration, hardware issues, and malware all strike me as things which would push a user to accessing a forum from a system they don't normally use. It's not like the average user has ever had malware on their computer, right? Malware and hardware failures easily result in users losing their "web passwords.txt" file, even if smart people ALWAYS do backups - the simple fact is that most people DO NOT. Or when they've done an ONLINE backup, they don't have access to it while they're trying to sort their system.

Hopefully they can remember their own email account password, but if not, the good news is that the phpBB forum admin has zero responsibility to help them sort THAT problem out.

Unless there's some compelling security reason to not permit password resets with the use of just a email address (which could still be a configuration option), it would make things easier. The potential for bots to abuse a password reset request form can be minimized by utilizing captcha (as the account creation form already can/does).

Users with multiple email accounts or email aliases (besides a work address and a personal one), more than likely have some logic to maintaining multiple accounts - perhaps they use one with family, and another with online forums, and yet another with banking interests (i.e. an address which isn't used in discussion groups). At that point, it seems reasonable to expect those users to sort out which of their emails is used for what. Presumably, they can log in to each of them to retrieve the email which will be sent there, and if they're so active they have separate email addresses for things, they're probably on multiple forums as well, which underscores the need to be able to use the email interchangeably as their login/reset request credential.

Bottom line: the current phpBB password reset mechanism already requires the user to remember their email address, so why not give the admins the option of requiring only that (OR the userid)? Since the password isn't actually reset unless the recipient follows the link, it's little more than a potential annoyance, and excepting email address verification (which attempting to sign up for a new account will already accomplish without having to know the userid), a spammer can't make use of it to send their own message content via the forum host. In fact, setting up a new account and providing an email address which isn't yours could still be used to indirectly harass people, since you could have the forum sending them signup confirmation requests - there's little difference between that and requesting a password reset, excepting at least a reset would require that the recipient address be registered already - a new account could harass people who have nothing to do with your site in the first place.
Big-Jim wrote: Who is going to "steal" your username and password at your house? But even if someone does find out your username and password, so what? It isn't like they just got the key to your life savings.
You're suggesting the solution to the problem is the site admins somehow educating their users to follow insecure practices? The problem exists - users forget their passwords. And, they forget userids too. Their email is less likely to be forgotten, because there's a reasonable chance they check that at least every few days, if not more often.
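The flow argued for in Pony99CA's and splud's posts above (accept either a username or an e-mail address, gate the form with a CAPTCHA, and change nothing until the e-mailed link is followed) can be sketched as a small handler. This is an added example, not phpBB's own code and not its database schema: the user store, the outbox list, the token lifetime and the PBKDF2 password hash are all constructed stand-ins. It also covers the one hazard splud mentions, that a reset form can confirm whether an address is registered: the handler returns the same reply whether or not anything matched, and it handles a board configured to allow e-mail reuse by mailing a separate link for each account on that address.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumed link lifetime
# Same reply whether or not the identifier matched, so the form cannot be
# used to confirm which addresses or usernames are registered.
GENERIC_REPLY = "If that account exists, a reset link has been e-mailed to it."


def _hash_password(password, salt=None):
    """Salted PBKDF2 stand-in for the board's real password hash."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt + digest


def verify_password(username, password):
    stored = USERS[username]["password_hash"]
    return secrets.compare_digest(stored, _hash_password(password, stored[:16]))


# Constructed sample user store (not phpBB's schema). Two accounts share an
# address, as happens on boards configured to allow e-mail reuse.
USERS = {
    "Richard420": {"email": "rich@example.com", "password_hash": _hash_password("pw-1")},
    "BigRichard": {"email": "rich@example.com", "password_hash": _hash_password("pw-2")},
    "albert": {"email": "albert@example.com", "password_hash": _hash_password("pw-3")},
}

# Pending tokens keyed by the SHA-256 of the token, so a leaked table holds
# no usable links: token_hash -> (username, expiry timestamp)
PENDING = {}
# Constructed stand-in for outgoing mail: list of (to_address, username, token)
OUTBOX = []


def _find_accounts(identifier):
    """Try the identifier as a username first, then as an e-mail address."""
    ident = identifier.strip()
    if ident in USERS:
        return [ident]
    return [name for name, rec in USERS.items()
            if rec["email"].lower() == ident.lower()]


def _token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()


def request_reset(identifier, captcha_passed, now=None):
    """Step 1: the user submits a username OR an e-mail address.
    Nothing about the account changes here; only a link is mailed out."""
    now = time.time() if now is None else now
    if not captcha_passed:
        return "CAPTCHA failed."
    for name in _find_accounts(identifier):
        token = secrets.token_urlsafe(32)
        PENDING[_token_hash(token)] = (name, now + TOKEN_TTL_SECONDS)
        OUTBOX.append((USERS[name]["email"], name, token))
    return GENERIC_REPLY


def confirm_reset(token, new_password, now=None):
    """Step 2: only a valid, unexpired, unused token changes the password."""
    now = time.time() if now is None else now
    entry = PENDING.pop(_token_hash(token), None)  # pop makes the token single-use
    if entry is None:
        return False
    name, expiry = entry
    if now > expiry:
        return False
    USERS[name]["password_hash"] = _hash_password(new_password)
    return True
```

A request for an unknown address produces the generic reply and no mail, a request for a shared address produces one link per account, and a token that has been used or has expired is rejected without touching the stored password. Rate limiting per source address would sit in front of `request_reset` alongside the CAPTCHA check.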

Rob Leeson
Registered User
Posts: 8
Joined: Wed Sep 25, 2013 10:57 am

Re: Why require username for forgotten password?

Post by Rob Leeson » Fri Nov 16, 2018 5:45 pm

Wow! I can't believe anyone would argue against implementing this. Does the term 'user friendly' mean nothing to some people?

I also can't believe this discussion was in 2011/12 and it's still not been fixed. To log in to this site to reply I just had to trawl through my emails from two years ago to find my username. Lucky I don't delete anything.

The reason I'm posting is because I've just had to explain to the new administrator of a PhpBB forum, that I used to run at work, how they go about finding someone's username when someone emails to say they've forgotten their log in details. They were not impressed!

Luckily the guy's username was just his name. Although he still forgot it! Had it been something more cryptic or registered under a different email address to the one he'd contacted us on, it would have been even more time consuming.

Nowadays people often rely on password resets every time they use a site. There's no need to write anything down and it's much easier than remembering multiple passwords. This is another reason why this functionality needs to work properly. This doesn't seem to have been mentioned above, which (combined with my frustration) is my reason for posting on this old thread.

3Di
Former Team Member
Posts: 14381
Joined: Mon Apr 04, 2005 11:09 pm
Location: Milan (IT) Frankfurt (DE)
Name: Marco
Contact:

Re: Why require username for forgotten password?

Post by 3Di » Fri Nov 16, 2018 6:15 pm

As of phpBB 3.2.4-RC1 the username is not required any more.

https://tracker.phpbb.com/browse/PHPBB3-10432
https://github.com/phpbb/phpbb/pull/4223
Please PM me only to request paid works. Thx.
Want to compensate me for my interest? Donate
My development's activity º PhpStorm's proud user
Extensions, Scripts, MOD porting, Update/Upgrades

Albert Wiersch
Registered User
Posts: 145
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch
Contact:

Re: Why require username for forgotten password?

Post by Albert Wiersch » Fri Nov 16, 2018 7:34 pm

3Di wrote (Fri Nov 16, 2018 6:15 pm): As of phpBB 3.2.4-RC1 the username is not required any more.

https://tracker.phpbb.com/browse/PHPBB3-10432
https://github.com/phpbb/phpbb/pull/4223
Awesome! And it only took a little more than 7 years since I started this topic! :D

But seriously... I'm happy to see this change made. A special thanks to the developers that made it happen and probably got paid little or nothing to do it.

JimA
Community Team Leader
Posts: 7663
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn
Contact:

Re: Why require username for forgotten password?

Post by JimA » Sat Nov 17, 2018 12:08 am

Albert Wiersch wrote (Fri Nov 16, 2018 7:34 pm): A special thanks to the developers that made it happen and probably got paid little or nothing to do it.
Happy to hear both of you satisfied with this change. Emphasis in the quote is mine.

It's never an excuse for anything, but I just wanted to just point out that nobody involved in development of phpBB in any official manner is getting paid to do so through us. It's all on a volunteer basis. :)
Jim Mossing Holsteyn - Community Team Leader
Knowledge Base | Documentation | Board rules

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.
