#27192 closed enhancement (maybelater)
Instruct user to change their password when sending new account email
| Reported by: | danielbachhuber | Owned by: | |
|---|---|---|---|
| Milestone: | | Priority: | normal |
| Severity: | normal | Version: | |
| Component: | Login and Registration | Keywords: | ux-feedback |
| Focuses: | docs, multisite | Cc: | |
Description
When a multisite user has activated their new account, they're sent an email that includes their new password.
The email also should include instructions on how to reset their password, as passwords sent by email should be treated as compromised passwords.
Attachments (9)
Change History (39)
#4 follow-up: ↓ 5 @ 11 years ago
Daniel said
> passwords sent by email should be treated as compromised passwords

If this is true, shouldn't we reconsider sending passwords via email altogether?
#5 in reply to: ↑ 4 @ 11 years ago
Replying to ericlewis:
> Daniel said
> > passwords sent by email should be treated as compromised passwords
>
> If this is true, shouldn't we reconsider sending passwords via email altogether?

While I agree with the idea, if adding a line of text is 1x effort, creating a UX around setting your password from a link is an order of magnitude beyond that.
#6 @ 11 years ago
- Keywords has-patch added; needs-patch removed
in attachment:27192.diff added the line "We recommend updating your temporary password on first log in." to both emails and changed the Password label to Temporary Password
Patch made at WordCamp Lancaster 2014 with @updatediva and @ericlewis
#7 @ 11 years ago
- Milestone changed from Future Release to 3.9
Looks good, let's consider this for 3.9.
#8 @ 11 years ago
- Focuses docs added
The text changes/additions will need feedback from the docs team.
#9 @ 11 years ago
attachment:27192.1.diff is a proof of concept in sending the user a set password link rather than the actual password.
In this preliminary implementation, we just send the user to the reset password page. In a follow-up, we can create a separate template in wp-login.php to output proper labeling ("Set password" rather than "Reset password")
Patch made at WordCamp Lancaster 2014 with @updatediva and @salcode
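
The set-password-link approach described in the comment above, as an added example (not code from 27192.1.diff or from WordPress): the email carries a random, expiring, single-use token instead of a password, and only the token's hash is stored. The function names, the in-memory `$store`, the query parameter names and the 24-hour lifetime are assumptions made for this illustration.

```php
<?php
// Added illustration, not WordPress code. Function names, the in-memory
// $store and the 24-hour lifetime are assumptions made for this example.

const SET_PASSWORD_TTL = 86400; // assumed link lifetime in seconds

// Create a random token for the email link; keep only its SHA-256 hash so a
// leaked user table does not yield usable links.
function issue_set_password_token(array &$store, string $login, int $now): string {
    $token = bin2hex(random_bytes(32));
    $store[$login] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + SET_PASSWORD_TTL,
    ];
    return $token;
}

// Build the link that replaces the plain-text password in the email body.
function build_set_password_url(string $base, string $login, string $token): string {
    return $base . '?' . http_build_query(['login' => $login, 'key' => $token]);
}

// Accept a token once, before expiry, using a constant-time comparison.
function redeem_set_password_token(array &$store, string $login, string $token, int $now): bool {
    $record = $store[$login] ?? null;
    if ($record === null) {
        return false;                 // never issued, or already used
    }
    if ($now > $record['expires']) {
        unset($store[$login]);        // expired links are discarded
        return false;
    }
    if (!hash_equals($record['hash'], hash('sha256', $token))) {
        return false;                 // wrong token leaves the record intact
    }
    unset($store[$login]);            // single use: a replayed link fails
    return true;
}

// Constructed sample run: wrong token, valid token, then a replay of the link.
$store = [];
$now   = 1700000000; // constructed timestamp
$token = issue_set_password_token($store, 'newuser', $now);
echo build_set_password_url('https://example.test/wp-login.php', 'newuser', $token), PHP_EOL;
var_dump(redeem_set_password_token($store, 'newuser', 'not-the-token', $now + 60));
var_dump(redeem_set_password_token($store, 'newuser', $token, $now + 60));
var_dump(redeem_set_password_token($store, 'newuser', $token, $now + 120));
```
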
#10 @ 11 years ago
While I think:
> We recommend updating your temporary password on first log in.

is better - it seems more inconsequential. I'd like to see stronger language or provide some context.
> We strongly urge you to change your password upon log in. Passwords sent by email are convenient but email is not secure.

#11 @ 11 years ago
I agree with @ericlewis that sending a link to set the password would be best.
But improving the text would be a good first step if we're trying to aim for 3.9. I updated the text to say "Please update your temporary password after logging in." I think that's more direct than the recommendation. I also have a patch that links the user directly to their profile, but I need to test it a little more.
Would it be confusing to send users directly to their profile edit page? Or should separate instructions for changing the password with the profile edit link be included after the main text?
#12 follow-up: ↓ 13 @ 11 years ago
"We recommend updating your temporary password on first log in" could perhaps be phrased a little differently. I understand what this means, but nonetheless read it a couple of times as it appeared a tad awkward, perhaps (this is coming from someone who appears to have an uncanny ability to create these kinds of awkward sentences). So, I concur with @downstairsdev.
Since it's being sent to new users created on a multisite install, one might be able to suggest that there is a possibility of unfamiliarity with the process, or indeed with WordPress as a whole.
How about something a little easier to parse?
"Please update this temporary password when you first log in to WordPress."
or "Please change this temporary password when you log in for the first time"
So, couple of things going on there: change is a clearer, less jargon-y call to action than update, imho, and secondly "first log in" versus "log in for the first time".
Thoughts?
(edited for clarity to reflect the fact that I started writing this last night, before @downstairsdev's comments)
#13 in reply to: ↑ 12; follow-up: ↓ 15 @ 11 years ago
Replying to Hanni:
> "Please change this temporary password when you log in for the first time"

This one is my favorite so far. I think because it is multisite, having "WordPress" in the message may confuse somebody without proper context.
I do like the idea of providing some sort of link in addition to the message. The edit profile page could be the best bet.
#14 @ 11 years ago
@downstairsdev - We discussed sending the user directly to their profile edit page but decided against it based on how far down the page the password fields are. However, as I write this I realize we could append #password to the URL to jump to that section of the page, so that would work.
However, are users going to continually come back to this email to log in, and therefore end up at their password section of their profile each time they log in?
Ultimately, I think the solution by @ericlewis is the best route to go and a text change (not a url change) will suffice as a bandaid. To that end I agree with @jeremyfelt and @Hanni on
"Please change this temporary password when you log in for the first time"
#15 in reply to: ↑ 13 @ 11 years ago
Replying to jeremyfelt:
> Replying to Hanni:
> > "Please change this temporary password when you log in for the first time"
>
> This one is my favorite so far. I think because it is multisite, having "WordPress" in the message may confuse somebody without proper context.

You're absolutely right; I hadn't considered that.
Creating patch.
#16 @ 11 years ago
So, whilst double-checking the above, I reconsidered the repetitive when you log in, log in.. etc in such a small paragraph, so offered the alternative of when logging in. Hence, patch3 offers "when you log in" and patch4 offers "when logging in", so that others can weigh in if they deem this niggle something worth changing.
And I have also noticed an inconsistency in the tenses used in welcome_email and welcome_user_email which I think is unnecessary and should be standardised, both for the sake of readability and ease of translation. Looking.
#17 @ 11 years ago
Note that 5 uses "when logging in" as opposed to "when you log in". I can see arguments for either; the former removes repetitive "you"s, but the latter perhaps impresses the importance of the change on the user a little more.
@jeremyfelt and @salcode: preferences?
#18 @ 11 years ago
My preference is "Please change this temporary password when logging in for the first time."
27192.5.diff has one small typo in the following phrase:
Your new account has been sucessfully set up: (s/sucessfully/successfully)
Other than that, looks good! :)
@ 11 years ago
Successfully spelling successfully successfully. Second attempt at being successful has resulted in success.
#19 follow-up: ↓ 20 @ 11 years ago
Successful changes look good. I like the change to "when logging in".
27192.7.diff also adds the new language to the email sent with wp_new_user_notification() when adding users through the network admin.
#20 in reply to: ↑ 19 @ 11 years ago
Replying to jeremyfelt:
> Successful changes look good. I like the change to "when logging in".
> 27192.7.diff also adds the new language to the email sent with wp_new_user_notification() when adding users through the network admin.

Great!
@ 11 years ago
In which I was so eager to successfully achieve consistency that I unsuccessfully introduced a decidedly unnecessary colon.
This ticket was mentioned in IRC in #wordpress-dev by DrewAPicture. View the logs.
11 years ago
#23 follow-up: ↓ 24 @ 11 years ago
If 27192.1.diff does indeed seem a better approach than sidestepping a flaw with text changes, "You can log in to the administrator account with the following information: " would need to be adjusted, depending on the implementation.
#24 in reply to: ↑ 23 @ 11 years ago
+1 to 27192.8.diff
The original intent of the ticket was to provide instructions on how a user can reset their password when logging in the first time - basic text changes.
Being this close to beta, I think it might be better to make the text improvements for 3.9, then revisit the solution proposed in 27192.1.diff early in the 4.0 dev cycle.
This ticket was mentioned in IRC in #wordpress-dev by jorbin. View the logs.
11 years ago
#26 @ 11 years ago
- Component changed from Text Changes to Login and Registration
- Keywords has-patch commit removed
- Milestone changed from 3.9 to Future Release
Per the lengthy IRC conversation, we're going to skip this entirely for 3.9. The incremental improvements here don't help much, as the proposed patches:
- only apply to multisite (emails are sent in plain text for new user registrations in single-site too)
- only apply for the fallback email template (these are editable in multisite)
- don't do anything in the dashboard to nag the user
In the end, the impact is thus very minimal and it doesn't clearly improve the user experience. I'd like this to be tackled in 4.0, probably with #24633. It'll probably require a group of contributors to storyboard out exactly how all of this should work in an ideal situation, and then we can go about coding it.
#27 @ 11 years ago
Emailing passwords (regardless of multisite or not) is a BAD idea. +1 to completely revamping how this whole process works.
+1
While these emails can be easily changed, I think better encouragement makes sense in the defaults.
The default welcome_email option is:
The default welcome_user_email site option is:
Related password nag discussion for initial WordPress install password in #9710