Customer Account 'lost passwords' that do not exist

    I am having an occasional problem with customers who cannot find their password for retrieving their account. My expectation is that they do not have an account, as they can order as guests without setting up an account. Thus they think they have an account because they are a returning customer. Do not want to change this. But customers do receive an option to retrieve their lost password. However, as they do not have a password they do not receive a response. The correct response, it seems to me, would be to tell the customer, when he requests a lost password, that a customer account does not exist for that name or email. Then they are not waiting for a password email that never comes, and they can register to set up an account.

    Bob MacLachlan
    iHobb.com



    #2
    The reason we don't do that anymore (we used to) is that it is a security issue, as it allows hackers to programmatically run scripts on a site to figure out which emails have accounts and which do not, which is a valuable part of being able to successfully pull off a brute force account access hack.

    The best thing to do instead is just put some text that says if you have an account we'll send you a reset link, if not nothing will happen, or something to that effect.
    Thanks,

    Rick Wilson
    CEO
    Miva, Inc.
    [email protected]
    https://www.miva.com


      #3
      I replaced the error message that starts with this text, "Instructions to reset your password have been sent to the email address on file with your account." with the following:

      For security reasons, we don't display whether an account exists for the email address you provided. If you do have an account, within two minutes you will receive an email with instructions for resetting your password. If you do not receive an email, you may assume that you do not have an account. Please create a new one.
      After updating that message, the number of inquiries I get about accounts and password resets dropped off to almost zero.
      Todd Gibson
      Oliver + S | Sewing Patterns for Kids and the Whole Family

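The behaviour discussed in this thread, as an added example that is not part of the original posts and is not Miva's code: a reset handler whose response reveals account existence, beside one that answers identically for every address and only queues mail for real accounts. All names, the sample account and the in-memory stores are hypothetical and constructed for illustration.

```python
import hashlib
import secrets

# Constructed sample data: the only registered account in this toy store.
ACCOUNTS = {"alice@example.com"}
OUTBOX = []        # queued reset emails: (address, token)
RESET_TOKENS = {}  # sha256(token) -> address; raw tokens are never stored

# Wording adapted from the replacement message quoted in the thread.
UNIFORM_MESSAGE = (
    "If you have an account, you will receive an email with instructions "
    "for resetting your password. If no email arrives, you may not have "
    "an account and can create one."
)


def request_reset_leaky(email):
    """The 'before' behaviour: the response reveals whether an account exists."""
    if email.strip().lower() not in ACCOUNTS:
        return 404, "No customer account exists for that email address."
    return 200, "Instructions to reset your password have been sent."


def request_reset_uniform(email):
    """Same status and body for every address; mail goes only to real accounts."""
    address = email.strip().lower()
    if address in ACCOUNTS:
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = address
        # Queue instead of sending inline so response time does not differ
        # between known and unknown addresses.
        OUTBOX.append((address, token))
    return 200, UNIFORM_MESSAGE


def distinguishable(handler, known, unknown):
    """True if a client can tell a registered address from an unregistered one."""
    return handler(known) != handler(unknown)
```

`distinguishable` is the check to keep in a regression test: it should stay false for the reset endpoint, including status code and body.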