Opened 14 years ago

Closed 14 years ago

#14918 closed (wontfix)

Password reset with e-mail OR username

Reported by: Jonas H. Owned by: nobody
Component: contrib.auth Version: dev
Severity: Keywords: auth
Cc: Triage Stage: Unreviewed
Has patch: yes Needs documentation: no
Needs tests: no Patch needs improvement: no
Easy pickings: no UI/UX: no

Description

Some people don't remember with which of their five spam addresses they registered for a site, so it might be convenient to reset your password by entering your username. And the other way round for folks that forget their usernames but not their e-mail addresses.

The implementation approach in the attached patch is to guess whether the entered string is a e-mail or a username.

Attachments (1)

password-reset-with-username.patch (9.2 KB ) - added by Jonas H. 14 years ago.
(against 14922)

Download all attachments as: .zip

Change History (3)

by Jonas H., 14 years ago

(against 14922)

comment:1 by Keryn Knight <keryn@…>, 14 years ago

Component: UncategorizedAuthentication

Does this not further expose the ability to grief another user with reset-password emails? Usernames are more prevalent as (often persistent) online personas, and emails are, comparatively speaking, closely guarded (largely, I suspect, because of the deluge of spam).

In a scenario such as say, a forum, where people may not always get on, providing the ability to easily send a reset-password email to anyone who's username you can see seems like an open invitation to annoy.

comment:2 by Gabriel Hurley, 14 years ago

Resolution: wontfix
Status: newclosed

I would tend to agree with Keryn. While some sites do allow you to recover accounts using data other than email addresses, it's not exactly common practice and definitely has the potential for abuse. If this were ever to be implemented it would need to be a much more comprehensive system, and is probably better suited to maturing in a 3rd party app first.

Note: See TracTickets for help on using tickets.
Back to Top