/
Misleading password reset instructions [5.2.2-B1]

Misleading password reset instructions [5.2.2-B1]

Owned by Alex
Last updated: Mar 01, 2017

When writing [security] Forgot password for Administrators [5.3.0-B1] I've also reviewed how current "Forgot Password" system works on Front-End. Honestly I was quite shocked by how the misleading password reset instructions are.

Current password reset workflow looks like this:

User ActionScreenshotProblemSolution (Changes to be made)

user clicks on the "Forgot password?" link at the bottom of login sidebox

Link font is quite small, but that's not misleading really.no changes
user sees the first forgot password wizard step
  1. The message says, that user account information will be sent to e-mail that he mentioned in his account. This is not correct, because In-Portal won't ever send user account information over e-mail.
  2. The button says "Recover Password". This is not correct, because In-Portal doesn't help user to recover his existing password. Instead one time password change link is e-mail to the user.
  3. The page title says "Forgot Password". This is correct, but misleading as well, because it doesn't tell to the user, that:
    1. this is forgot password wizard
    2. wizard consists of 3 steps and this is 1st step

Following navigation bar would be in order: "Home > Forgot Password? > Step 1 of 3".

  1. change text to "Enter your Username or Email below to continue with resetting your password"

  2. change button to "Continue"
     
  3. change Page title to "Forgot Password (Step 1 of 4)"

 

once user enters his username/e-mail and presses "Recover Password" button (or presses ENTER):

  • the confirmation screen is shown
  • the e-mail is sent out to the user

  1. The message says, that user will receive new password if he/she follows the link in e-mail that was sent. This is not correct, because once link in e-mail is clicked user will be forwarded to password change form, where he/she can enter new password.
  2. The text after the link says, that user will receive the second e-mail containing his/her new password. This is not correct, because:
    1. no second e-mail will be sent
    2. user will be able to enter his new password right on the page that is opened by provided link.
  3. The last sentence says, that your password will be changed once above link is clicked. This is not correct because password only will be changed if on page (from the link) user will choose to save his new password.

Following navigation bar would be in order: "Home > Forgot Password? > Step 2 of 3".

  1. change text (An automatic email has...) to "An automatic email has been sent to your email on file. please follow the link in that email to set your new password"

  2. REMOVE "OK" button - no needed
  3. change Page title to "Forgot Password (Step 2 of 4)"
  4. change email to ready this:

    ======
    Hello,<br/><br/>

    It seems that you have requested a password reset for your account. If you would like to proceed with the change of your old password, please click on the link below:<br/><br/>

    <a href="<inp2:u_ConfirmPasswordLink no_amp="1"/>"><inp2:u_ConfirmPasswordLink no_amp="1"/></a><br/><br/>

    Once clicked, you'll be taken to taken to the page where you can set your new password.<br/><br/>

    If you believe you have received this email in error, please ignore this email. Your password will not be changed unless you successfully change it by following the above link.

    ======


once user clicked on a link, then he sees password change form
  1. The page title says "Password Request Confirmation". This is incorrect because nobody confirms, that he/she is requested password on this page.
  2. Text above password fields says, that user needs to confirm, that he/she wants to reset a password. This is incorrect, because we're on form, where new password should be entered. There is no need to confirm anything at this point.
  3. The password field labels are the same as on "My Profile" page ("Password" and "Verify Password"). This is incorrect, because this isn't user existing password, but the new password and confirmation of his/her new password.
  4. The button below the form says "Update". This too general title for form, that is only designed for new password entry.
  5. User isn't logged-in, when using this form, which is strange, because password reset link must auto-login user and then allow him/her to change password.

Following navigation bar would be in order: "Home > Forgot Password? > Step 3 of 3".

  1. change Page title to "Forgot Password (Step 3 of 4)"
     
  2. change text below title to "Please enter your new password"

  3. change labels to be "New Password" and "Repeat New Password" - make sure no wrapping

  4. change button to "Set New Password"
     
  5. I am not sure if we need to auto-login the user - I guess we can if it's NOT too hard.
once user presses "Update" button he'll sees confirmation window

  1. The page title says: "Forgot Password Confirmation". This is incorrect because we're not confirming, that we've forgotten the password, but instead confirming that password was updated successfully.
  2. The text says: "Your password has been reset. The new password has been sent to your e-mail address. You may now login with the new password.". This is incorrect because:
    1. password was updated instead of reset
    2. password wasn't sent to email
    3. user is logged-in automatically
  1. change Page title to "New Password Confirmation (Step 4 of 4)"
     
  2. change text below title to "Your password has been successfully changed."

Solution

  1. add these new phrases:
    • "lu_title_ForgotPasswordStep1" with "Forgot Password (Step 1 of 4)" translation
    • "lu_title_ForgotPasswordStep2" with "Forgot Password (Step 2 of 4)" translation
    • "lu_title_ForgotPasswordStep3" with "Forgot Password (Step 3 of 4)" translation
    • "lu_title_ForgotPasswordStep4" with "Forgot Password (Step 4 of 4)" translation
    • "lu_btn_Continue" with "Continue" translation
    • "lu_text_ForgotPassResetChangeForm" with "Please enter your new password" translation
    • "lu_fld_NewPassword" with "New Password" translation
    • "lu_fld_VerifyNewPassword" with "Repeat New Password" translation
    • "lu_btn_SetNewPassword" with "Set New Password" translation
  2. change translation of "lu_EnterForgotUserEmail" phrase to "Enter your Username or Email below to continue with resetting your password."
  3. on "/themes/advanced/platform/login/forgot_password.tpl" template:
    • use "lu_btn_Continue" phrase instead of "lu_btn_SendPassword" phrase (1 place)
    • use "lu_title_ForgotPasswordStep1" phrase instead of "lu_title_ForgotPassword" phrase (3 places)
  4. in "lu_text_ForgotPassResetEmailSent" phrase change "Please follow the link in the email in order to receive a new password." to "Please follow the link in that email to set your new password."
  5. on "/themes/advanced/platform/login/forgot_password_reset_notice.tpl" template:
    • use "lu_title_ForgotPasswordStep2" instead of "lu_title_ForgotPasswordNotification" (3 places)
    • replace "<form" containing OK button with just "lu_text_ForgotPassResetEmailSent" phrase translation
  6. in "USER.PSWDC" e-mail template html translation replace:
    • "your In-portal account" with "your account"
    • [new] "If you would like to proceed and change the password" with "If you would like to proceed with the change of your old password"
    • "You will receive a second email with your new password shortly." with "Once clicked, you'll be taken to taken to the page where you can set your new password."
    • "Your password will not be changed unless you have clicked on the above link." with "Your password will not be changed unless you successfully change it by following the above link."
  7. on "/themes/advanced/platform/login/forgot_password_reset.tpl" template:
    • use "lu_title_ForgotPasswordStep3" phrase instead of "lu_title_PasswordRequestConfirm" (3 places)
    • use "lu_text_ForgotPassResetChangeForm" phrase instead of "lu_text_PasswordRequestConfirm" form
    • use "lu_fld_NewPassword" instead of "lu_fld_Password" phrase
    • use "lu_fld_VerifyNewPassword" instead of "lu_fld_VerifyPassword" phrase
    • use "lu_btn_SetNewPassword" instead of "lu_btn_Update" phrase
  8. change translation of "lu_text_ForgotPassHasBeenReset" phrase to be "Your password has been successfully changed."
  9. on "/themes/advanced/platform/login/forgot_password_reset_confirm.tpl" template:
    • use "lu_title_ForgotPasswordStep4" phrase instead of "lu_title_ForgotPasswordConfirm" (3 places)

Related Discussions

Related Tasks

INP-1683 - Getting issue details... STATUS