When writing "[security] Forgot password for Administrators [5.3.0-B1]" I also reviewed how the current "Forgot Password" system works on the Front-End. Honestly, I was quite shocked by how misleading the password reset instructions are.
The current password reset workflow looks like this (the original report attached a screenshot to each step):

User action: the user clicks the "Forgot password?" link at the bottom of the login sidebox.
Problems:
- The link font is quite small, but that is not really misleading.

User action: the user sees the first step of the forgot password wizard.
Problems:
- The message says that the user's account information will be sent to the e-mail address mentioned in his account. This is not correct, because In-Portal never sends user account information over e-mail.
- The button says "Recover Password". This is not correct, because In-Portal doesn't help the user recover his existing password. Instead, a one-time password change link is e-mailed to the user.
- The page title says "Forgot Password". This is correct, but misleading as well, because it doesn't tell the user that:
  - this is the forgot password wizard
  - the wizard consists of 3 steps and this is the 1st step
- The following navigation bar would be in order: "Home > Forgot Password? > Step 1 of 3".

User action: once the user enters his username/e-mail and presses the "Recover Password" button (or presses ENTER):
- the confirmation screen is shown
- the e-mail is sent out to the user
Problems:
- The message says that the user will receive a new password if he/she follows the link in the e-mail that was sent. This is not correct, because once the link in the e-mail is clicked, the user is forwarded to a password change form, where he/she can enter a new password.
- The text after the link says that the user will receive a second e-mail containing his/her new password. This is not correct, because:
  - no second e-mail will be sent
  - the user will be able to enter his new password right on the page that is opened by the provided link.
- The last sentence says that your password will be changed once the above link is clicked. This is not correct, because the password will only be changed if the user chooses to save his new password on the page opened from the link.
- The following navigation bar would be in order: "Home > Forgot Password? > Step 2 of 3".

User action: once the user has clicked the link, he sees the password change form.
Problems:
- The page title says "Password Request Confirmation". This is incorrect, because nobody confirms on this page that he/she requested a password.
- The text above the password fields says that the user needs to confirm that he/she wants to reset the password. This is incorrect, because we're on the form where the new password should be entered. There is no need to confirm anything at this point.
- The password field labels are the same as on the "My Profile" page ("Password" and "Verify Password"). This is incorrect, because this isn't the user's existing password, but the new password and the confirmation of his/her new password.
- The button below the form says "Update". This is too general a title for a form that is only designed for new password entry.
- The user isn't logged in when using this form, which is strange, because the password reset link must auto-login the user and then allow him/her to change the password.
- The following navigation bar would be in order: "Home > Forgot Password? > Step 3 of 3".

User action: once the user presses the "Update" button, he sees the confirmation window.
Problems:
- The page title says "Forgot Password Confirmation". This is incorrect, because we're not confirming that we've forgotten the password, but confirming that the password was updated successfully.
- The text says: "Your password has been reset. The new password has been sent to your e-mail address. You may now login with the new password." This is incorrect, because:
  - the password was updated instead of reset
  - the password wasn't sent to e-mail
  - the user is logged in automatically
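The flow that the texts should actually describe (a one-time link by e-mail, the password unchanged until the user saves a new one, the link consumed afterwards, the user signed in for the form), as an added Python model that is not In-Portal code; the URL, the in-memory tables, the e-mail wording and the token lifetime are assumptions for the example:

```python
import hashlib
import secrets
import time

def pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class PasswordResetFlow:
    """Step 1: request a link; step 2: open it; step 3: save a new password."""
    TOKEN_TTL = 3600  # seconds a reset link stays valid (assumed value)

    def __init__(self, users):
        self.users = users      # username -> {"email", "salt", "pw_hash"}
        self.pending = {}       # sha256(token) -> (username, expires_at)
        self.outbox = []        # constructed stand-in for the mail server
        self.session_user = None

    @staticmethod
    def _key(token):
        # Only a hash of the token is stored, so a leaked table yields no links.
        return hashlib.sha256(token.encode()).hexdigest()

    def request_reset(self, identifier):
        """Step 1 of 3: same reply for any identifier; only a one-time link is mailed."""
        user = next((u for u, d in self.users.items() if identifier in (u, d["email"])), None)
        if user is not None:
            token = secrets.token_urlsafe(32)
            self.pending[self._key(token)] = (user, time.time() + self.TOKEN_TTL)
            self.outbox.append({"to": self.users[user]["email"], "body": (
                "Open https://example.test/reset?token=" + token + " to choose a new "
                "password. Nothing changes until you save one; no second e-mail follows.")})
        return "If that account exists, a password change link has been e-mailed."

    def open_link(self, token):
        """Step 2 of 3: validate the link and sign the user in for the form only."""
        entry = self.pending.get(self._key(token))
        if entry is None or entry[1] < time.time():
            return None
        self.session_user = entry[0]
        return entry[0]

    def save_new_password(self, token, new_pw, verify_pw):
        """Step 3 of 3: change the password only on save; the link is consumed."""
        user = self.open_link(token)
        if user is None or new_pw != verify_pw:
            return False
        del self.pending[self._key(token)]
        salt = secrets.token_bytes(16)
        self.users[user].update(salt=salt, pw_hash=pw_hash(new_pw, salt))
        return True
```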
Solution
Completely change the texts used, so that they describe what actually happens at each step and avoid confusion.