LOVEFILM forgotten password antipattern
Here's what happens when anyone enters your email address into their "forgotten password" form:
- LOVEFILM immediately changes the user's password
- LOVEFILM emails the user with a new, random password and asks them to log in with that new password.
If you're the poor sap at the receiving end of this prank, you have to:
- Log in with your new password
- Go to your account and change your password
They've got this whole "forgotten password" pattern all wrong.
Here's how it should work:
LOVEFILM should send you a temporary password (e.g. valid for an hour) that you can log in with but it shouldn't disable/change your current password. That way, if someone else requested the change (either by mistake or to annoy you), you can simply ignore the email.
The way it's implemented today, LOVEFILM actually allows a random stranger to change your account (reset your password) and forces you to take steps to undo what they did.
If someone wanted to really piss you off, they could reset your password daily.
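The pattern described above, as an added example (not LOVEFILM's code): a reset request only records a random, hashed, single-use token with a one-hour expiry and never touches the current password, so an unsolicited email can simply be ignored. The account store, hashing and sample account are constructed for the demo; a real system would use a proper password KDF.

```python
import hashlib
import hmac
import secrets
import time

RESET_TTL = 3600  # reset tokens are valid for one hour


class Accounts:
    """Constructed in-memory account store (demo only)."""

    def __init__(self):
        self.users = {}   # email -> password hash
        self.resets = {}  # sha256(token) -> (email, expiry timestamp)

    @staticmethod
    def _hash(value):
        # Illustrative only; passwords should use bcrypt/argon2 in practice.
        return hashlib.sha256(value.encode()).hexdigest()

    def register(self, email, password):
        self.users[email] = self._hash(password)

    def login(self, email, password):
        stored = self.users.get(email)
        return stored is not None and hmac.compare_digest(stored, self._hash(password))

    def request_reset(self, email, now=None):
        """Anyone can trigger this, so it must not change the account.
        Returns the token that would be emailed, or None for unknown emails
        (the HTTP response should look identical in both cases)."""
        if email not in self.users:
            return None
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        # Store only the hash so a leaked table cannot be used to reset accounts.
        self.resets[self._hash(token)] = (email, now + RESET_TTL)
        return token

    def complete_reset(self, token, new_password, now=None):
        """Only the holder of an unexpired token can set a new password."""
        now = time.time() if now is None else now
        entry = self.resets.pop(self._hash(token), None)  # single use
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self.users[email] = self._hash(new_password)
        return True
```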
I only stumbled upon this because I thought I had forgotten my password and requested a new one. Then, before the email arrived, I remembered my password. But it was too late. LOVEFILM had changed my password the moment I'd entered my email address (and so I had to wait for the email to arrive before I could log in to my account).
Of course, they could also side-step all this and implement support for OpenID. That would really rock!
The LOVEFILM forgotten password antipattern article by Aral Balkan, unless otherwise expressly stated, is licensed under a Creative Commons Attribution-Noncommercial 2.0 UK: England License.

Anonymous prick
So…. what’s your email address?
March 22nd, 2008 at 10:02 pm
Aral
LOL
March 22nd, 2008 at 10:13 pm
jankees
That is pretty stupid indeed, I don’t understand why OpenID is so rarely used…
But Aral, weren’t you a Flash programmer? You only write about other stuff
(not that it is not interesting but I’d love some more swx…)
March 22nd, 2008 at 10:59 pm
James Urquhart
Reminds me of very similar functionality in the popular web based Project Management solution, ProjectPier. If you just so happen to know the email address of any user in the system, you can quite simply reset their password via the “Forgot Password” screen.
Absolutely ridiculous, imo.
March 22nd, 2008 at 11:35 pm
Jon
At least you know that they are encrypting your password.
Too many websites store passwords in clear text and simply email you your existing password if you hit the “forgot password” button.
March 25th, 2008 at 1:25 am
mad_dog
Hi,
Actually this mechanism for password resets (sending a reset to your registered email address) is fairly common on the web. Some sites are even silly enough to send the existing password in the clear, rather than a random reset.
I guess that I could sign up for tons of spam using your email address but would you complain that there was a flaw in such a system? If I know your email address and want to cause hassles for you, there are more inventive ways of annoying you than resetting your lovefilm ID.
Much more important is how personal details are protected! I’d worry more about that than a password reset. As a means of DOS attack, it would be pretty lame and easily spotted.
March 27th, 2008 at 10:18 am
Simon
What's even more annoying is there doesn't currently seem to be a way to change your password once it has been reset.
This has had me looking on the website for quite a while. It's in none of the obvious places.
July 14th, 2008 at 7:58 pm