Why require username for forgotten password?

Big-Jim
Registered User
Posts: 113
Joined: Mon Jan 31, 2011 3:54 pm

Re: Why require username for forgotten password?

Post by Big-Jim » Sun Oct 30, 2011 2:50 pm

I am not against it, I am just saying it seems to me you are asking the phpBB developers to do something that would benefit only a tiny fraction of the people who frequent forums and are the ones who weren't intelligent enough to write their username and password.

Look, if I join a forum I write down my username, password and whatever other information I had to give, in 3 different places. First off, I write the information on a note and tape it to the bottom shelf on my computer desk so it hangs down and I can read it at a glance. Second, I write it down in a little notebook that sits on one of the shelves of the computer desk. Third, I type it into a Word document whose file name is "Web-Site-Passwords" and that way if necessary I can always print out all the information from the different websites I go to. It only takes about 2 minutes to do this. I also make back-ups of my hard drive just in case of a catastrophe.

Now think about it for a minute. If I didn't do the things I mentioned above and I forget my username or password and am not able to access a forum, whose fault is it? It is my contention that I have to learn to safeguard the information I want and/or need. To expect others to spoon feed me is really stupid and I would not expect anyone to have to do that. If we were to follow the spoon feeding mentality it would be like saying when students cannot pass a test, we should give them the answers to make the test easier for them to pass.

To sum this up, in plain English, if someone isn't intelligent enough to write down his/her username and password, then I would not want that person on my forum anyway. I would prefer my forum to have reasonably intelligent members who are capable of discussing whatever issues that are being discussed at the time rather than have members who lack the intelligence to write down their username and password when they join a forum.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Why require username for forgotten password?

Post by Pony99CA » Sun Oct 30, 2011 6:56 pm

Big-Jim wrote: Look, if I join a forum I write down my username, password and whatever other information I had to give, in 3 different places. First off, I write the information on a note and tape it to the bottom shelf on my computer desk so it hangs down and I can read it at a glance. Second, I write it down in a little notebook that sits on one of the shelves of the computer desk. Third, I type it into a Word document whose file name is "Web-Site-Passwords" and that way if necessary I can always print out all the information from the different websites I go to. It only takes about 2 minutes to do this. I also make back-ups of my hard drive just in case of a catastrophe.
First, writing passwords down is considered poor security. Do you have any online banking or credit card passwords written down? It's better to use a password filler or eWallet that encrypts everything. That way remembering one password allows you to access them all.

Second, what happens if you're not at your computer and want to browse the forum? Do you take that notebook with you everywhere?
Big-Jim wrote: Now think about it for a minute. If I didn't do the things I mentioned above and I forget my username or password and am not able to access a forum, whose fault is it?
Theirs, of course. Does that mean that people shouldn't be helpful? By your logic, OnStar shouldn't provide remote unlocking for people who locked their keys in the car.

You talk about using developer resources to do this, but requiring only one of the two items is probably only a few lines of code.
Big-Jim wrote: To sum this up, in plain English, if someone isn't intelligent enough to write down his/her username and password, then I would not want that person on my forum anyway. I would prefer my forum to have reasonably intelligent members who are capable of discussing whatever issues that are being discussed at the time rather than have members who lack the intelligence to write down their username and password when they join a forum.
Wow, just wow. Just because somebody doesn't work the same way that you do doesn't make them stupid in other areas. In fact, I could argue that writing passwords down is stupid, too. :shock:

Steve
Silicon Valley Pocket PC (http://www.svpocketpc.com)
Creator of manage_bots and spoof_user (ask me)
Need hosting for a small forum with full cPanel & MySQL access? Contact me or PM me.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Why require username for forgotten password?

Post by Pony99CA » Sun Oct 30, 2011 7:05 pm

Albert Wiersch wrote: [...] besides, it seems this has already been implemented in an upcoming update, if I am understanding it right (3.0.11-RC1 and 3.1-A1):
http://tracker.phpbb.com/browse/PHPBB3-10432
Not necessarily. I've noticed that in other reports, but was told that just means that's the earliest release that it may be worked on. If it doesn't get fixed in that release, they'll just bump it to the next release.

If you look at the Resolution field, it still says "Unresolved", not "Fixed".

Steve

Big-Jim
Registered User
Posts: 113
Joined: Mon Jan 31, 2011 3:54 pm

Re: Why require username for forgotten password?

Post by Big-Jim » Sun Oct 30, 2011 8:05 pm

Pony99CA wrote:First, writing passwords down is considered poor security. Do you have any online banking or credit card passwords written down? It's better to use a password filler or eWallet that encrypts everything. That way remembering one password allows you to access them all.
When you are at home using your home computer and you have security issues, then you have a lot more serious problems than not being able to access a forum. By the way, I don't do online banking so there is nothing to write down for that.
Pony99CA wrote:Second, what happens if you're not at your computer and want to browse the forum? Do you take that notebook with you everywhere?
If I am not at my home computer and want to access a forum, I should already know my username and password. But if for some reason I don't know it, then I will wait until I get home and look it up. Accessing a forum is not something that is a life or death issue. My notebook stays at home right where it belongs.
Pony99CA wrote:Theirs, of course. Does that mean that people shouldn't be helpful? By your logic, OnStar shouldn't provide remote unlocking for people who locked their keys in the car.
How you can compare OnStar with this situation is beyond me. OnStar is a paid service, a service for which people pay quite a bit of money every year. OnStar will unlock your car for you because that is one of the services you are paying them for. So how do you figure a paid service like OnStar is the same thing as this?
Pony99CA wrote:You talk about using developer resources to do this, but requiring only one of the two items is probably only a few lines of code.
What possible difference could it make whether the change takes 2 minutes or 2 days? This would affect only a tiny fraction of the people who visit his forum, people who really should know better in the first place.
Pony99CA wrote:Wow, just wow. Just because somebody doesn't work the same way that you do doesn't make them stupid in other areas. In fact, I could argue that writing passwords down is stupid, too.
You can argue that writing down passwords is stupid if you want to, but the thing is, if you have problems remembering things, then you need to write them down. I am not saying you should write your password or username on a sticky note and attach it to the bottom of your mouse pad at work. That would be silly, anyone in the office would be able to lift the mouse pad and get your username and password. But if you write it down and stick it in your wallet, then nobody is going to find out your password unless you lose your wallet, and if you lose your wallet, you will have more serious problems than a lost password.

When we first got our new computer system at work, one of the young women in the office wrote her password down on her left breast. I happened to see her open her blouse a little and lift her bra away from her breast and I asked her what she was doing. That's when she told me she had written her password there. It may sound funny, but it was a pretty good place to hide her password until she had used it for a while and could remember it.

Albert Wiersch
Registered User
Posts: 140
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch

Re: Why require username for forgotten password?

Post by Albert Wiersch » Mon Oct 31, 2011 12:06 am

Pony99CA wrote:Not necessarily. I've noticed that in other reports, but was told that just means that's the earliest release that it may be worked on. If it doesn't get fixed in that release, they'll just bump it to the next release.

If you look at the Resolution field, it still says "Unresolved", not "Fixed".
That's interesting... thanks for the info. At least they must think it's a good idea, I hope. :D

/a3
Registered User
Posts: 411
Joined: Sun Sep 19, 2010 9:08 am
Location: /dev/random

Re: Why require username for forgotten password?

Post by /a3 » Mon Oct 31, 2011 12:51 am

Big-Jim wrote:
Albert Wiersch wrote:Sure, there are some like that, but not everyone on a forum will always find it worth the hassle to stay on it should something like this occur. That's not a fault of the forum. Everyone is different and not everyone is going to give a forum the same value.
Not everyone forgets their username either. If nothing else, tell your membership to write down their username, password and email address, and keep it in a notebook near their computer.

While I certainly don't have any statistics on something like this, I would have to think the percentage of people leaving a forum because they can't remember their username would have to be extremely small. If a member finds this situation to be too big a hassle to deal with, then I have to think that member doesn't care all that much about staying on the forum anyway.
Big-Jim wrote:If I am not at my home computer and want to access a forum, I should already know my username and password. But if for some reason I don't know it, then I will wait until I get home and look it up. Accessing a forum is not something that is a life or death issue. My notebook stays at home right where it belongs.
So you're implying that the "Forgot your password" feature should be removed? :?

The fact is, that feature was never intended to be used very often. And that's the same as the feature being requested - it won't be used very often, but will still be helpful in many cases. It's not like it would add much bloat either; it's only a simple query using the email instead of the username.

A_Jelly_Doughnut
Former Team Member
Posts: 34452
Joined: Sat Jan 18, 2003 1:26 am
Location: Where the Rivers Run

Re: Why require username for forgotten password?

Post by A_Jelly_Doughnut » Mon Oct 31, 2011 1:24 am

OP wrote:Why require username for forgotten password?
It is not possible to only use email addresses. The relation between user accounts and email addresses is surjective but not injective.

And now in English: It is possible for one email address to correspond to more than one user account in some configurations of phpBB.
A Donut's Blog
"Bach's Prelude (Cello Suite No. 1) is driving Indiana country roads in Autumn" - Ann Kish

Albert Wiersch
Registered User
Posts: 140
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch

Re: Why require username for forgotten password?

Post by Albert Wiersch » Mon Oct 31, 2011 2:25 am

A_Jelly_Doughnut wrote:It is not possible to only use email addresses. The relation between user accounts and email addresses is surjective but not injective.

And now in English: It is possible for one email address to correspond to more than one user account in some configurations of phpBB.
But it could work when the email address corresponds to only one user account, which would be the vast majority of the time.

Big-Jim
Registered User
Posts: 113
Joined: Mon Jan 31, 2011 3:54 pm

Re: Why require username for forgotten password?

Post by Big-Jim » Mon Oct 31, 2011 3:40 am

/a3 wrote:So you're implying that the "Forgot your password" feature should be removed?
Absolutely not, I never said that, nor did I imply it.

Included in the phpBB software is a method to be used should you somehow forget your password. It is quite simple, you click on "I Forgot My Password" and type in your username and email address. But apparently it is felt by some the method the phpBB developers decided to use when a member forgets his/her password is too difficult.

To my way of thinking, the real issue is why do members forget their password or username? All they need do is write it down someplace. Presumably visiting a forum is done at home on your own time, not at work when you are supposed to be doing your job. Who is going to "steal" your username and password at your house? But even if someone does find out your username and password, so what? It isn't like they just got the key to your life savings. So your wife discovers your username and password for a forum. Big deal. I am sure that is a really big security breach, we better get the FBI involved in this one.

/a3
Registered User
Posts: 411
Joined: Sun Sep 19, 2010 9:08 am
Location: /dev/random

Re: Why require username for forgotten password?

Post by /a3 » Mon Oct 31, 2011 4:46 am

A_Jelly_Doughnut wrote:
OP wrote:Why require username for forgotten password?
It is not possible to only use email addresses. The relation between user accounts and email addresses is surjective but not injective.

And now in English: It is possible for one email address to correspond to more than one user account in some configurations of phpBB.
Ahh, I only just remembered that. How about an option to enter in either the username OR the email address, and if the email is entered and there is more than one then return an error stating there was more than one match?
Big-Jim wrote:To my way of thinking, the real issue is why do members forget their password or username? All they need do is write it down someplace.
Yes, but phpBB isn't supposed to be changing people's habits.

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Why require username for forgotten password?

Post by Pony99CA » Mon Oct 31, 2011 6:20 am

Albert Wiersch wrote:
A_Jelly_Doughnut wrote:It is not possible to only use email addresses. The relation between user accounts and email addresses is surjective but not injective.

And now in English: It is possible for one email address to correspond to more than one user account in some configurations of phpBB.
But it could work when the email address corresponds to only one user account, which would be the vast majority of the time.
And there's also the Allow e-mail address re-use user registration setting. It wouldn't surprise me if many boards had that set to No.

Of course, user names are always unique. ;)
/a3 wrote:How about an option to enter in either the username OR the email address, and if the email is entered and there is more than one then return an error stating there was more than one match?
That's basically what I suggested earlier -- without the error message because I too forgot about multiple E-mail addresses.

Steve

Pony99CA
Registered User
Posts: 4783
Joined: Thu Sep 30, 2004 3:13 pm
Location: Hollister, CA
Name: Steve

Re: Why require username for forgotten password?

Post by Pony99CA » Mon Oct 31, 2011 6:43 am

Big-Jim wrote:
Pony99CA wrote:Theirs, of course. Does that mean that people shouldn't be helpful? By your logic, OnStar shouldn't provide remote unlocking for people who locked their keys in the car.
How you can compare OnStar with this situation is beyond me. OnStar is a paid service, a service for which people pay quite a bit of money every year. OnStar will unlock your car for you because that is one of the services you are paying them for. So how do you figure a paid service like OnStar is the same thing as this?
You compared helping people remember their passwords with giving students answers to tests they failed. I figured one ridiculous analogy deserved another. :lol:

Regardless, if it's a useful service that people pay for, isn't it even better for people if it's free? :shock:

Also, remember that some boards are for profit -- either offering more access for donations or supported by ads. Either way, they want to make the user experience as good as possible, even in unlikely events like forgetting one's password.
Big-Jim wrote:
Pony99CA wrote:You talk about using developer resources to do this, but requiring only one of the two items is probably only a few lines of code.
What possible difference could it make whether the change takes 2 minutes or 2 days?
Besides the obvious (how long it takes), I don't know -- you're the one who raised the issue of developer time. Maybe it's low-hanging fruit that a developer could knock off when they had a little free time, but not enough to address a bigger feature.
Big-Jim wrote: When we first got our new computer system at work, one of the young women in the office wrote her password down on her left breast. I happened to see her open her blouse a little and lift her bra away from her breast and I asked her what she was doing. That's when she told me she had written her password there. It may sound funny, but it was a pretty good place to hide her password until she had used it for a while and could remember it.
She better hope that she doesn't hook up with somebody at the office. If they had a bad break-up, he'd have easy access to her work account for mischief. :lol:
Big-Jim wrote:
/a3 wrote:So you're implying that the "Forgot your password" feature should be removed?
Absolutely not, I never said that, nor did I imply it.

Included in the phpBB software is a method to be used should you somehow forget your password. It is quite simple, you click on "I Forgot My Password" and type in your username and email address.
Yes, so you agree that it's a useful feature, apparently. So what's the big deal with making it a bit easier? Does it hurt you in any way?
Big-Jim wrote:To my way of thinking, the real issue is why do members forget their password or username? All they need do is write it down someplace. Presumably visiting a forum is done at home on your own time, not at work when you are supposed to be doing your job. Who is going to "steal" your username and password at your house? But even if someone does find out your username and password, so what? It isn't like they just got the key to your life savings. So your wife discovers your username and password for a forum. Big deal. I am sure that is a really big security breach, we better get the FBI involved in this one.
You sure do presume a lot. You presume that people who don't anal-retentively write their passwords down in triplicate are unintelligent and unworthy of your glorious board. You presume that people don't browse the Web (and forums) during their lunch hours and that no companies allow that as acceptable use. You presume that they don't visit forums on vacations, business trips, from their mobile devices, etc. You presume that a wife finding a forum user name and password isn't a big deal even if the husband is visiting a less-than-savory site. You really need to stop with the unfounded presumptions.

Steve

drathbun
Former Team Member
Posts: 12204
Joined: Thu Jun 06, 2002 3:51 pm
Location: TOPICS_TABLE

Re: Why require username for forgotten password?

Post by drathbun » Mon Oct 31, 2011 1:18 pm

For what it's worth, I have several options on my board. First, the "I forgot my password" which requires both the username and email address, as is standard. Next, an option for "I forgot my username" which requires only the email address. This means if someone has forgotten their password and their username, they'll have to go through two steps. Which could be viewed as unfortunate. The forgotten username will send only the username to the registered email address, at which point they now have the two components required to get a password reset.

I created the "forgotten username" feature because yes, I had quite a few requests from folks that forgot their password and also their username, but they should never forget their email address. It's far more likely that the email address has expired (either because of a job change or the user simply moving on to a new email provider).

But I think that the philosophy behind requiring both the username and email address for a password reset is a good one. It cuts down on the non-legitimate password reset requests because a bot writer would have to have access to both the username and the email address, and with many phpBB boards the email address is not readily available.

If someone forgets their username, password, and email address, then there is a contact form they can use to contact the board admin team and try to straighten things out.
I blog about phpBB: phpBBDoctor blog
Still using phpbb2? So am I! Click below for details
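
The lookups discussed in this thread (reset by username and/or e-mail with an error when an e-mail matches several accounts, and a separate "forgot username" step that mails only to the registered address), as an added example that is not phpBB code or any poster's code. The table schema, function names, status strings and sample rows are assumptions made for illustration.

```python
import sqlite3

# Constructed sample data: "shared@example.org" is registered to two accounts,
# which is possible when e-mail address re-use is allowed.
SAMPLE_USERS = [
    (1, "alice", "alice@example.org"),
    (2, "bob", "shared@example.org"),
    (3, "bob_work", "shared@example.org"),
]


def make_db(rows=SAMPLE_USERS):
    """Build an in-memory users table (hypothetical schema, not phpBB's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users ("
        " user_id INTEGER PRIMARY KEY,"
        " username TEXT NOT NULL UNIQUE COLLATE NOCASE,"
        " email TEXT NOT NULL COLLATE NOCASE)"  # no UNIQUE: re-use allowed
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", rows)
    return conn


def find_reset_target(conn, username="", email=""):
    """Resolve a reset request to exactly one account, or say why not.

    Returns (status, user_id) with status "ok", "no_match", "ambiguous" or
    "missing_input". The status is for the calling code: showing "ambiguous"
    versus "no_match" to the requester tells them the address is registered.
    """
    username, email = username.strip(), email.strip()
    if not username and not email:
        return ("missing_input", None)
    clauses, params = [], []
    if username:
        clauses.append("username = ?")
        params.append(username)
    if email:
        clauses.append("email = ?")
        params.append(email)
    # Only fixed strings are joined into the SQL; user input is bound as
    # parameters. LIMIT 2 is enough to tell one match from several.
    sql = "SELECT user_id FROM users WHERE " + " AND ".join(clauses) + " LIMIT 2"
    rows = conn.execute(sql, params).fetchall()
    if not rows:
        return ("no_match", None)
    if len(rows) > 1:
        return ("ambiguous", None)
    return ("ok", rows[0][0])


def forgot_username(conn, email):
    """Build the (recipient, body) mail for a forgotten-username request.

    The recipient is the address stored in the table, never the typed value,
    so usernames are disclosed only to whoever controls that mailbox.
    Listing every account on a shared address is an assumption of this sketch.
    """
    rows = conn.execute(
        "SELECT username, email FROM users WHERE email = ? ORDER BY user_id",
        (email.strip(),),
    ).fetchall()
    if not rows:
        return None
    names = ", ".join(r[0] for r in rows)
    return (rows[0][1], "Username(s) registered to this address: " + names)
```
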

Albert Wiersch
Registered User
Posts: 140
Joined: Sat Dec 11, 2004 6:00 pm
Location: Dallas, TX
Name: Albert Wiersch

Re: Why require username for forgotten password?

Post by Albert Wiersch » Mon Oct 31, 2011 1:23 pm

Pony99CA wrote:You sure do presume a lot. You presume that people who don't anal-retentively write their passwords down in triplicate are unintelligent and unworthy of your glorious board. You presume that people don't browse the Web (and forums) during their lunch hours and that no companies allow that as acceptable use. You presume that they don't visit forums on vacations, business trips, from their mobile devices, etc. You presume that a wife finding a forum user name and password isn't a big deal even if the husband is visiting a less-than-savory site. You really need to stop with the unfounded presumptions.

Steve
Not to mention Big-Jim also presuming that visiting a forum is done on one's own time and not at work. A lot of businesses & gov't organizations use our software, so visiting the support forum is often work-related.

Anyway, regarding this issue, it doesn't matter WHY people lose their passwords; what matters is that they DO lose their passwords... and when they do, there should be an easy and secure way to recover or reset them.

Big-Jim
Registered User
Posts: 113
Joined: Mon Jan 31, 2011 3:54 pm

Re: Why require username for forgotten password?

Post by Big-Jim » Mon Oct 31, 2011 2:08 pm

Albert Wiersch wrote:Anyway, regarding this issue, it doesn't matter WHY people lose their passwords; what matters is that they DO lose their passwords... and when they do, there should be an easy and secure way to recover or reset them.
The developers of the phpBB forum software have already included an easy and secure way to do it.
