Big-Jim wrote:Included in the phpBB software is a method to be used should you somehow forget your password. It is quite simple, you click on "I Forgot My Password" and type in your username and email address. But apparently it is felt by some the method the phpBB developers decided to use when a member forgets his/her password is too difficult.
Not too difficult for me - but then I don't forget my credentials. However, "joe user" isn't necessarily organized, and why should the forum admin be penalized for the failure of a user to remember their details? The same person who didn't write their password in three different places probably didn't write their username down either. When they attempt to create a new account using the same email address, unless the board is configured to allow it (why?), they'll be told that address is already used - but that gets them no closer to resetting the password or being reminded of the userid for the account.
All you have to do is look at twitter and other social networks to realize just how many morons exist out there.
Presumably visiting a forum is done at home on your own time, not at work when you are supposed to be doing your job.
You conveniently overlook that many forums are support forums, not social groups. People at work may need to seek support for software, hardware, or whatever.
If it's an official product support forum, the company is presumably paying for the time of one or more individuals to administer them, so the more userid/password help requests they deal with, the less other productive things that employee is doing for the company, whether it be within the forums, or on the phone, or whatever. It costs them money. In the case of social/hobby forums, the individual managing the forums may not be getting paid for their time - so it's a real waste when they've got to take the time to deal with some frustrated user, when the software should be able to facilitate the password reset without admin intervention. After all, the current implementation is clearly intended to allow the users to deal with it themselves - it's just that for some sites, it'd be nice if it allowed the user to use the one thing they should be able to remember - their own email address.
More often than not, when a forum becomes popular, there will be userid collisions - someone will create a new account and find that they can't use the same userid they've used on some other site. Perhaps they're "Big Richard" on one site, but on another that's taken, so they have to be "Richard420" or just "Big Dick". They can be using the same email address on the different sites (possibly their ISP address or some freemail account, but outside geekland, most users don't have multiples of email addresses, and most can't handle setting up email filters for that matter). Depending upon forum configuration, with some forums you MUST create a new account just to search to see if someone has posted a question/answer relating to a problem you're having (i.e. is this site even likely to be of any use). Six months later when that user comes back to the site researching a different problem, are they really going to remember the first account they barely used? What if they're doing it from a public access computer? When I go to the public library, the dozen-plus terminals they have are always occupied - some of those people may not have a computer or internet access at home, and there's good odds they don't have a password manager available to them while at the public terminal. A friend's house? The office vs. home? My wife's work computer is running software that prohibits use of unsecured USB keys, so she can't pop a USB key in with her personal stuff on it for instance, and forget about having personal software or files stored on the work computer HD, where they're backed up to a corporate server.
As to "forum access is never life and death", I'll generally agree - call 911 (or whatever your country's emergency number is) if you have an actual emergency. However, automotive owner support forums, possibly accessed from a mobile device can provide diagnostic insights to get your car running when you're stuck someplace. I kid you not - the forum I'm dealing with porting right now has done that many times.
Let's face it - the average consumer isn't hanging around on the phpBB support forums - other than having seen the moniker on a few sites they use, they haven't a clue what a phpBB is (or even what PHP or BB individually stand for). So your organized approach to things has no bearing on the reality of a typical user.
Network configuration, hardware issues, and malware all strike me as things which would push a user to accessing a forum from a system they don't normally use. It's not like the average user has ever had malware on their computer, right? Malware and hardware failures easily result in users losing their "web passwords.txt" file, even if smart people ALWAYS do backups - the simple fact is that most people DO NOT. Or when they've done an ONLINE backup, they don't have access to it while they're trying to sort their system.
Hopefully they can remember their own email account password, but if not, the good news is that the phpBB forum admin has zero responsibility to help them sort THAT problem out.
Unless there's some compelling security reason to not permit password resets with the use of just an email address (which could still be a configuration option), it would make things easier. The potential for bots to abuse a password reset request form can be minimized by utilizing captcha (as the account creation form already can/does).
Users with multiple email accounts or email aliases (besides a work address and a personal one), more than likely have some logic to maintaining multiple accounts - perhaps they use one with family, and another with online forums, and yet another with banking interests (i.e. an address which isn't used in discussion groups). At that point, it seems reasonable to expect those users to sort out which of their emails is used for what. Presumably, they can log in to each of them to retrieve the email which will be sent there, and if they're so active they have separate email addresses for things, they're probably on multiple forums as well, which underscores the need to be able to use the email interchangeably as their login/reset request credential.
Bottom line: the current phpBB password reset mechanism already requires the user to remember their email address, so why not give the admins the option of requiring only that (OR the userid)? Since the password isn't actually reset unless the recipient follows the link, it's little more than a potential annoyance, and excepting email address verification (which attempting to sign up for a new account will already accomplish without having to know the userid), a spammer can't make use of it to send their own message content via the forum host. In fact, setting up a new account and providing an email address which isn't yours could still be used to indirectly harass people, since you could have the forum sending them signup confirmation requests - there's little difference between that and requesting a password reset, excepting at least a reset would require that the recipient address be registered already - a new account could harass people who have nothing to do with your site in the first place.
Big-Jim wrote:Who is going to "steal" your username and password at your house? But even if someone does find out your username and password, so what? It isn't like they just got the key to your life savings.
You're suggesting the solution to the problem is the site admins somehow educating their users to follow insecure practices? The problem exists - users forget their passwords. And, they forget userids too. Their email is less likely to be forgotten, because there's a reasonable chance they check that at least every few days, if not more often.
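The reset flow the post argues for (accept either the username or the email address, change nothing until the mailbox owner follows the link, and throttle the form so it can't be used to flood someone's inbox), written out as an added illustration. This is not phpBB's code and not the poster's; the class and function names (ResetService, Account, hash_password), the in-memory account table, the outbox list standing in for real mail, and the TTL and rate-limit values are all assumptions made for the example.

```python
"""
Added example: a username-or-email password-reset flow. Illustrative code,
not phpBB's implementation. ResetService, Account, the in-memory table, the
outbox standing in for mail, and the limits below are assumed for the example.
"""
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL = 3600      # reset links expire after one hour (assumed value)
MAX_REQUESTS = 3      # requests per identifier per window, limits mailbox flooding
WINDOW = 3600         # seconds (assumed value)

# One reply for every request, so the form does not reveal which
# usernames or email addresses are registered.
GENERIC_REPLY = "If that username or email address is registered, a reset link has been sent."


@dataclass
class Account:
    user_id: int
    username: str
    email: str
    password_hash: str


def hash_password(pw: str) -> str:
    # Stand-in for a real slow password hash (argon2/bcrypt); sha256 keeps the example short.
    return hashlib.sha256(pw.encode()).hexdigest()


class ResetService:
    def __init__(self, accounts, now=time.time):
        self.accounts = accounts   # list[Account]; constructed sample data in the demo
        self.now = now             # injectable clock so expiry can be exercised deterministically
        self.tokens = {}           # sha256(raw token) -> (user_id, expiry); raw token is never stored
        self.requests = {}         # normalized identifier -> recent request timestamps
        self.outbox = []           # (email, raw token) pairs instead of sending mail

    def _find(self, identifier):
        ident = identifier.strip().lower()
        for acct in self.accounts:
            if ident in (acct.username.lower(), acct.email.lower()):
                return acct
        return None

    def _rate_limited(self, identifier):
        # Counted for unknown identifiers too, so the code path and reply look the same.
        key = identifier.strip().lower()
        cutoff = self.now() - WINDOW
        recent = [t for t in self.requests.get(key, []) if t > cutoff]
        if len(recent) >= MAX_REQUESTS:
            self.requests[key] = recent
            return True
        recent.append(self.now())
        self.requests[key] = recent
        return False

    def request_reset(self, identifier):
        if self._rate_limited(identifier):
            return GENERIC_REPLY
        acct = self._find(identifier)
        if acct is not None:
            raw = secrets.token_urlsafe(32)
            digest = hashlib.sha256(raw.encode()).hexdigest()
            self.tokens[digest] = (acct.user_id, self.now() + TOKEN_TTL)
            self.outbox.append((acct.email, raw))   # only the registered address receives it
        return GENERIC_REPLY

    def confirm_reset(self, raw_token, new_password):
        # The password changes only when the holder of the mailbox presents the token.
        digest = hashlib.sha256(raw_token.encode()).hexdigest()
        entry = self.tokens.pop(digest, None)   # single use: removed on the first attempt
        if entry is None:
            return False
        user_id, expiry = entry
        if self.now() > expiry:
            return False
        for acct in self.accounts:
            if acct.user_id == user_id:
                acct.password_hash = hash_password(new_password)
                return True
        return False


if __name__ == "__main__":
    # Constructed sample account and a fixed clock for the demo.
    demo = ResetService([Account(1, "Richard420", "rich@example.invalid", hash_password("old"))],
                        now=lambda: 1_000_000.0)
    print(demo.request_reset("RICH@example.invalid"))  # generic reply, one mail queued
    print(demo.request_reset("nobody@example.invalid"))  # same reply, nothing queued
    _, token = demo.outbox[0]
    print(demo.confirm_reset(token, "new-password"))   # True
    print(demo.confirm_reset(token, "again"))          # False: token already used
```

The two properties the post relies on are visible here: `request_reset` never changes an account by itself, and the only thing an unauthenticated caller can trigger is a bounded number of mails to an address that was already registered. Lookups are case-insensitive on both username and email, and only the hash of the token is kept server-side, so a copy of the token table alone does not let anyone complete a reset.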