Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-3484

Password reset messages are misleading and not conditional (UX issues)

    XMLWordPrintable

Details

    Description

      The message shown to users who request a new password is both non-conditional (it does not validate and report whether-or-not the username entered actually exists) and can be inaccurate (it can report that a password reset email will be sent when that is not true). The message that is shown is ALWAYS the following:

      "An email is on it's way! It contains a unique random URL. Click the link in the email message or copy it to your browser address bar. The link leads to a page where you can choose your new password."

      Steps to reproduce:

      1) Access Crowd console
      2) Click the "Can't access your account" button
      3) Choose either option
      4) Enter a non-existing username/e-mail, or even leave the username field totally blank.

      Note that the first issue (message is non-conditional) has been raised in another issue report - https://jira.atlassian.com/browse/CWD-2457 and has been closed with the following explanation from Atlassian:

      "This is by design, in order to prevent using this page for checking whether the user exists in the database."

      We don't want this issue to duplicate that (closed) one, but are curious why this is the case when other Atlassian products do not follow this same design rule. For example, the Confluence forgot password interface (which may even be using Crowd as a directory) does explicitly inform the user if the submitted username was not found. Can someone clarify why this is?

      Even if that message will remain non-conditional, there still seems to be a notable UX issue remaining here. The message that is displayed can be very misleading as it always informs users that an email was sent even though this is not always true. If there are no plans to make the message conditional, it would certainly make sense to at least change the wording of the generic message. Perhaps something like the following would be more appropriate:

      "Thank you. If we find an account matching the username you have entered you will receive an email with further instructions and a reset password link. The link will lead to a page where you can choose your new password."

      Attachments

        Issue Links

          is related to

          Suggestion - JRASERVER-44685 Password reset messages are misleading

          • Gathering Interest
          relates to

          Bug - A problem which impairs or prevents the functions of the product. CWD-2457 "Forgot Password/Username" form doesn't validate the inputed variable

          • Low - Low priority issues
          • Closed

          Activity

            People

              ckrieger Caspar Krieger (Inactive)
              79c8f65c8f30 Ryan Jacobs
              Votes:
              2 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: