confusing password reset UI
@rsc In this issue I try to describe my observations and design goals for an improved sign-up UI experience. It might be useful to cut the story into smaller tasks. Please feel free to do so.
Goals:
A user who forgot their password should be able to request a password reset by entering their email in a password reset dialogue. The password reset request should reflect the selected authentication method (e.g. BASIC or LDAP).
I can choose the authentication method from the drop-down. When I click on "forgot password", the reset-password process is assigned to that method (BASIC or LDAP for now, as configured in dmx.signup.restrict_auth_methods).
Observation: at the moment, the password reset only and always resets the LDAP password.
The next picture shows the screen after clicking on "forgot password":
The wording here is very confusing, since the user clicked on "forgot password" and not on "create account" or "activate account" or the like. I.m.o. we should change the text to:
Request link to reset your password. Please enter your email address. We'll immediately send you the required data.
The next screen shows a success message with the validation time. The validation time must reflect the setting from dmx.signup.token_expiration_time (or the default). For security reasons it is common practice to show the success message regardless of whether the email address is valid or not. But for a better UX one could argue for informing the user whether the mail was actually sent out. I.m.o. this needs to be discussed.
The following screen shows the received email:
The subject should be changed to just "Set password".
The body should include information about how long the token stays valid, e.g.: "Please click the following link within the next 2h to set a password for your account."
When clicking on the link within the time limit, one sees the next screen:
Observations:
- The screen does not show the username, but it should.
- On the screen I can choose the auth method again. But it should be preset from my former selection when starting the process.
The password length and complexity should be config parameters (sign-up). One should define a minimum length and default to 8 if unset. A second config parameter should define the complexity. If set to true, each password must include at least 1 capital letter, 1 small letter and 1 special character. A password can always include any number. Depending on the configuration, the password reset dialog should show these requirements to the user.
The next screen shows the message after entering a valid new password twice:
Now here the red message is totally confusing. Also, the log and the tests show that the LDAP password was in fact changed successfully.
@jri FYI
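As an added example (not code from dmx-sign-up or this issue's author), the password requirements described above and the "enter the new password twice" step, implemented as a small policy check that is driven by configuration and that also produces the requirement lines the reset dialog should display. The config key names dmx.signup.password_min_length and dmx.signup.password_complexity, and the definition of "special character" as ASCII punctuation, are assumptions made for this example.

```python
"""Password policy for a reset/set-password dialog, driven by two config parameters.

Example code added to this issue; not part of dmx-sign-up. The config key names and
the set of "special characters" are assumptions.
"""
from __future__ import annotations

import string
from dataclasses import dataclass

# Hypothetical config keys (assumption: the issue only asks for such parameters).
MIN_LENGTH_KEY = "dmx.signup.password_min_length"
COMPLEXITY_KEY = "dmx.signup.password_complexity"
DEFAULT_MIN_LENGTH = 8

# "Special character" is not defined in the issue; ASCII punctuation is assumed here.
SPECIAL_CHARS = set(string.punctuation)


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = DEFAULT_MIN_LENGTH
    complexity: bool = False

    @classmethod
    def from_config(cls, config: dict) -> "PasswordPolicy":
        """Build the policy from a flat key/value config; unset keys fall back to defaults."""
        raw_len = config.get(MIN_LENGTH_KEY)
        min_length = DEFAULT_MIN_LENGTH if raw_len in (None, "") else int(raw_len)
        if min_length < 1:
            raise ValueError(f"{MIN_LENGTH_KEY} must be >= 1, got {min_length}")
        raw_cx = str(config.get(COMPLEXITY_KEY, "false")).strip().lower()
        return cls(min_length=min_length, complexity=raw_cx in ("true", "1", "yes"))

    def requirements(self) -> list[str]:
        """Requirement lines to display in the reset dialog, derived from the config."""
        lines = [f"at least {self.min_length} characters"]
        if self.complexity:
            lines += [
                "at least one capital letter",
                "at least one small letter",
                "at least one special character",
            ]
        return lines

    def violations(self, password: str) -> list[str]:
        """Return every unmet requirement (an empty list means the password is acceptable)."""
        unmet = []
        if len(password) < self.min_length:
            unmet.append(f"at least {self.min_length} characters")
        if self.complexity:
            # str.isupper()/islower() also classify non-ASCII letters (e.g. 'Ä', 'ß').
            if not any(c.isupper() for c in password):
                unmet.append("at least one capital letter")
            if not any(c.islower() for c in password):
                unmet.append("at least one small letter")
            if not any(c in SPECIAL_CHARS for c in password):
                unmet.append("at least one special character")
        # Digits are always allowed, so nothing here rejects or requires them.
        return unmet

    def is_valid(self, password: str) -> bool:
        return not self.violations(password)


def check_reset_form(policy: PasswordPolicy, password: str, repeat: str) -> list[str]:
    """Validate the 'enter the new password twice' step; returns user-facing error messages."""
    errors = [f"Password must have {v}." for v in policy.violations(password)]
    # The mismatch is reported in addition to policy errors, so a typo in the repeat
    # field never hides a policy violation from the user.
    if password != repeat:
        errors.append("The two passwords do not match.")
    return errors


if __name__ == "__main__":
    policy = PasswordPolicy.from_config({MIN_LENGTH_KEY: "10", COMPLEXITY_KEY: "true"})
    print("Requirements shown in the dialog:", policy.requirements())
    print("Errors for a weak entry:", check_reset_form(policy, "abcdefghij", "abcdefghij"))
```

The same `violations()` result serves both the dialog hint (before the user types) and the error message (after submission), so the requirements the UI shows are guaranteed to match what the server enforces.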