If You Develop Web Apps, Don't Do This.

I can't count how many times I've received email from a thoughtless web service suggesting that I take some action on their site ("Bloggy McBloggerson has just added you! Add them back!"). I click it, only to be faced with the following:

[image: Foursquare login screen]

However, if I click that "Forgot your password" link, it sends me a link where I can set a new password (and then log in with it)... to EXACTLY THE SAME email address that just received the link-rich notification mail.

OKCupid got this one right years ago, and they get kudos for being the only one I know of, still. (Their notification emails even point this out: "Click here to login instantly!")

Dear Interweb: Why are you needlessly making me take extra steps to use your service? On mobile devices (where people generally check a lot of email and receive a lot of notifications) this is especially onerous, as I:
  • ...usually don't have my session cookie from my Real Computer so I'm forced to login again (even if I was just using your site after logging in five minutes ago at my desk)
  • ...find typing passwords unnecessarily to be a huge pain in the ass on a little tiny keyboard
  • ...don't always have my passwords with me (e.g. if I use a password manager on my Real Computer to store unique per-site passwords).
If you have a "forgot password" feature that sends password reset links via email, you have already decided that whoever controls that mailbox controls the account, so you should be putting auto-login tokens in every single link URL you send to your users via email. (For added security, make them expire after 72 hours or something, so access to old email archives doesn't equate directly to a valid login session.) Treat these tokens with the same care as a reset token: generate them from a cryptographically secure random source, store only a hash of them server-side, bind each one to the link it was mailed in, invalidate outstanding tokens when the password changes, and give the session they create reduced privileges, so changing the email address or password still requires the real password.
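Here is one way to implement that, as an added example that is not code from the original post or from any of the services it mentions. It assumes a hypothetical in-memory store standing in for the database, a 72-hour lifetime, and a query parameter named `lt` (both arbitrary choices for illustration). The server keeps only a SHA-256 hash of each token, checks expiry and revocation on every click, refuses a token presented on a path other than the one it was mailed with, and marks the resulting session as email-derived so sensitive actions can demand a password.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 72 * 3600  # assumption: 72-hour lifetime, as the post suggests


class LoginTokenStore:
    """Issues and redeems auto-login tokens embedded in notification links.

    Hypothetical in-memory store; a real deployment would keep the same
    records (hash, user, path, expiry, revoked flag) in its database.
    """

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be tested
        self._records = {}         # sha256(token) -> record; raw tokens never stored

    @staticmethod
    def _digest(raw_token):
        return hashlib.sha256(raw_token.encode("ascii")).hexdigest()

    def issue(self, user_id, target_path):
        """Create a fresh random token bound to one user and one link path."""
        raw = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._records[self._digest(raw)] = {
            "user_id": user_id,
            "path": target_path,
            "expires": self._now() + TOKEN_TTL_SECONDS,
            "revoked": False,
        }
        return raw

    def build_link(self, base_url, user_id, target_path):
        """Return the URL to put in the notification email."""
        raw = self.issue(user_id, target_path)
        return f"{base_url}{target_path}?{urlencode({'lt': raw})}"

    def redeem(self, clicked_url):
        """Validate a clicked link; return a limited session or None."""
        parsed = urlparse(clicked_url)
        raw = parse_qs(parsed.query).get("lt", [None])[0]
        if raw is None:
            return None
        record = self._records.get(self._digest(raw))
        if record is None:
            return None                      # unknown or forged token
        if record["revoked"] or self._now() > record["expires"]:
            return None                      # old mail archive, or password changed
        if record["path"] != parsed.path:
            return None                      # token reused on a different link
        # Email-derived session: the app should require the password before
        # letting this session change the email address or password.
        return {"user_id": record["user_id"], "auth": "email-link", "path": parsed.path}

    def revoke_all(self, user_id):
        """Invalidate every outstanding token for a user (e.g. on password change)."""
        for record in self._records.values():
            if record["user_id"] == user_id:
                record["revoked"] = True


if __name__ == "__main__":
    store = LoginTokenStore()
    link = store.build_link("https://example.test", 42, "/users/bloggy")
    print("mail this:", link)
    print("clicked:", store.redeem(link))
```

A dictionary keyed by the token hash means a leaked database yields nothing a thief can paste into a URL, and binding the record to its path keeps a harvested "view profile" token from being replayed against some other endpoint.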