Large Sites

When managing a large user community, it can be a good idea to provide an automated password recovery or password change process in case the user forgets their password.

Some Systems Make More Assumptions Than Others

For example, some systems watch you try to log in with a certain user ID (which is not necessarily the user’s email address), then, if you’re unsuccessful, they offer to email (in clear text – ARGH!) your password to your email address on record. Author Helen’s user ID on a private Microsoft partner site was “Helen”; since she was one of the first to register it allowed her the user ID of her first name. From a time shortly after that, until the time that the system was decommissioned, she’d periodically get notes from Microsoft telling her what her password was – and awkwardly splattering a favorite password convention across the net and all over disks, in clear text. These weren’t being generated automatically – rather, other users who THOUGHT their user ID on the system was “Helen”, were clicking the site’s “I can’t login -- remind me of my password” link, and the system was dutifully looking up “Helen’s” email address and sending that “helpful” email to the owner of the “Helen” user ID, me. (If you implement a password recovery system, please don’t email the existing password in clear text. Ideally send the user to a link that lets them set a new password; second best is to email them a new password. You just don’t know the true sensitivity of the information you’re giving out, when you email someone’s password in cleartext.)