swombat.com

daily articles for founders

How to do "forgotten password" pages  

A good analysis by Jon Duhig of a very common problem when designing web apps. The article goes through a number of common solutions to users forgetting their password (there are even more out there if you look), and arrives at a suggested ideal solution:

The best approach is to use a user-provided user experience that can prevent forgotten passwords in the first place; a password hint:

This provides an error-preventing, user-friendly approach to reduce the need for the password reseting loop. There is of course just one huge flaw; it passes the responsibility for security to the user, who is free to write completely un-secure hints like "Your wife's name followed by her birthday" or even the password itself (surely that might happen, if I know users?).

Ultimately, the solution you pick of course depends on the specifics of your app. A bank's password reset policy will rightly be a lot more involved and formal than the reset process on Reddit. The factors to keep in mind are:

  • How likely it is that the user will leave forever if your password reset process is too complicated;
  • How technically skilled your users are;
  • How valuable access to the user account is; what harm can be done by unauthorised access;
  • How high-profile your site is;
  • How much time/budget you have to devote to this non-feature.
More from the library:
Startup risks
Ultimate guide to dropshipping
More about finding cofounders
Google Analytics Alternative