WordPress.org

Make WordPress Core

Opened 6 years ago

Last modified 5 months ago

#34236 new defect (bug)

Better passwords - differences between setting and resetting password?

Reported by: pavelevap
Owned by:
Milestone:
Priority: normal
Severity: normal
Version: 4.3
Component: Login and Registration
Keywords:
Focuses:
Cc:

Description

1) When a user registers on a site, there is a notification email "Your username and password info" which contains 2 URL addresses:

<http://localhost/wp-login.php?action=rp&key=iJy9s6jdmcpNwM27iyWc&login=test>

http://localhost/wp-login.php

Why is there the second URL? Nothing can be done here, only antispam filters can ban this email...

2) When the user clicks the first link, a new password can be set: "Enter your new password below." But why does the button have the text "Reset Password"? The user is not resetting a password, but only setting a first (new) password. And after submitting, there is the text "Your password has been reset."

3) The site admin receives 2 notification emails (for one registration):

  • "New User Registration": New user registration on your site... (same in pre 4.3)
  • "Password Lost/Changed": Password Lost and Changed for user...

So, every site admin receives another notification email with info that is not relevant, because the password was not lost and changed, but created for the first time. For sites with many users, it is surprising and not needed... When a user changes their password on the Profile page, the site admin also does not receive any notification. As I understand it, there is no difference between a user setting a first password and resetting a lost password? It can be confusing for some users...

4) When a site admin adds a new user, a custom password can be set. But the newly added user does not know about it? The user received only the standard "Your username and password" email with a link to create a new password: To set your password, visit the following address...

I am not sure if I understand the workflow completely, but it seems a little bit confusing to me...

Change History (3)

#1 @obenland
6 years ago

  • Component changed from General to Administration
  • Version changed from trunk to 4.3

This ticket was mentioned in Slack in #core by peterwilsoncc.


5 months ago

#3 @peterwilsoncc
5 months ago

  • Component changed from Administration to Login and Registration

This ticket was discussed in a triage session today.

I'm sorry it's taken so long for someone to reply. I've gone through the registration process and can confirm the items you raise still apply.

I agree, removing the second link to the login URL makes sense for the set your password email.

For the second item (sending a password reset email during registration), I think that would need a little further discussion.

I've moved this on to the login and registration component.
