I can't count how many times I've received email from a thoughtless web service
asking me to take some action on their site ("Bloggy McBloggerson has just added
you! Add them back!"). I click it, only to be faced with the following:
However, if I click that "Forgot your password" link, it sends me a link
where I can set a new password (and then log in with it)... to EXACTLY THE
SAME email address that just received the link-rich notification mail.
got this one right years ago, and
they get kudos for being the only one I know of, still. (Their notification
emails even point this out: "Click here to login instantly!")
Dear Interweb: Why are you needlessly making me take extra steps to use your
service? On mobile devices (where people generally check a lot of email and
receive a lot of notifications) this is especially onerous, as I:
- ...usually don't have my session cookie from my Real Computer so I'm
forced to log in again (even if I was just using your site after logging
in five minutes ago at my desk)
- ...find typing passwords unnecessarily to be a huge pain in the ass
on a little tiny keyboard
- ...don't always have my passwords with me (e.g. if I use a password
manager on my Real Computer to store unique per-site passwords).
If you have a "forgot password"
feature that sends password reset links via email, then you should be
putting auto-login tokens in every single link URL you send to your
users via email.
(For added security, make them expire after 72 hours or something, so access
to old email archives doesn't equate directly to a valid login session.)
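Here is one way to build the auto-login links the post argues for, as an added example that is not code from the post or from any service it mentions. The token is an HMAC-signed payload carrying the user id, an expiry set 72 hours after issue (the post's suggested lifetime), and a random nonce; the server secret, URL, and user id are constructed placeholders.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example secret; a real deployment loads this from a secrets store
# and never ships it in source. Rotating it invalidates every outstanding link.
SERVER_SECRET = b"constructed-example-secret-do-not-use"
TOKEN_TTL_SECONDS = 72 * 3600  # the post's suggested 72-hour expiry


def _b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token is clean inside a query string."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_login_token(user_id: str, now: Optional[float] = None) -> str:
    """Issue a signed, expiring auto-login token for user_id."""
    issued = int(time.time() if now is None else now)
    payload = json.dumps(
        {"uid": user_id, "exp": issued + TOKEN_TTL_SECONDS, "n": secrets.token_hex(8)},
        separators=(",", ":"),
    ).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_login_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the user id if the token is authentic and unexpired, else None.

    The signature is checked before the payload is trusted, and the
    comparison is constant-time so a forger learns nothing from timing.
    """
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    data = json.loads(payload)
    current = int(time.time() if now is None else now)
    if current >= data["exp"]:
        return None  # an old mail archive should not yield a live session
    return data["uid"]


def notification_link(base_url: str, user_id: str, now: Optional[float] = None) -> str:
    """Build the link that goes into the notification email."""
    return f"{base_url}?{urlencode({'login_token': make_login_token(user_id, now)})}"


def user_from_link(url: str, now: Optional[float] = None) -> Optional[str]:
    """What the receiving endpoint does: pull the token off the URL and verify it."""
    tokens = parse_qs(urlparse(url).query).get("login_token")
    if not tokens:
        return None
    return verify_login_token(tokens[0], now)


if __name__ == "__main__":
    link = notification_link("https://example.invalid/follow", "user-42")
    print(link)
    print("logged in as:", user_from_link(link))
```

The receiving endpoint should treat a valid token exactly as it treats a valid password-reset link, since both arrive at the same mailbox: create the session, then redirect to the page the notification pointed at. If the site wants stricter behaviour than the post asks for, the nonce in the payload is the hook for recording used tokens and refusing replays.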