
(Created on 9th April 2017)

Vote #505

The following question was presented:

Alright, this week's vote question has happened to all of you and you've asked this question each time it has happened. So here's the scenario. You need to log on to a service that you've not used for a long time. You rotate through the most recent passwords you've used and none of them are working. It's time to admit that you've forgotten which password you used ... was this the one that required 12 characters with numbers and a special character ... or was it the one that required you to stand on one leg and whistle Dixie while setting it ... nope, can't remember. So you click on the “forgot password” button. You are informed that a password reset email has been sent to the email address on file. You log into your email, find the email, follow the instructions and successfully reset your password. The world is a happy place. But then a subsequent email arrives that claims to be a security email letting you know that someone has just reset your password and if it wasn't you then you need to take action. Of course I've just reset my password. You just sent a fucking email to my email account telling me to reset it. If I'd hacked the email account, why are you sending me a security email to the email account? I'd just delete it. What is the purpose of the security email telling you that someone's reset your password after you've just got an email to reset your password with a reset link?

Results:

“Because a consultant told them to set it up” was the clear winner with 50% of the votes, selected from the following:

  • Security (17%)
  • Because a consultant told them to set it up (50%)
  • Because they didn't think it through (17%)
  • I don't know (0%)
  • Does it really matter? (0%)
  • Why does this make me angry? (17%)

Graphic of Results:


Pre-Result Discussion

Mr O
03:48:05
10th April 2017
Say you hadn't asked for a password reset and in fact someone had hacked your account and reset the password; you'd want the email then. You've got two separate business flows that just so happen to be triggered one after the other. You could add a parameter to prevent the second email, but how long after going through a forgot password process do you want to suppress the "your password has changed" email before it is valid to send it out?

You could say it's lazy coding or just poor requirements. Or you could just get a life and ignore the second email.

Rag
21:23:18
16th April 2017
The point is this is when a valid password reset has been requested and the first email has been sent. It's not difficult to tell if the password reset was generated as a result of the forgot password process as opposed to doing it in-app. I can tell whether a vote is processed from an email or directly on the vote webpage. Don't tell me my website is more sophisticated than most company systems :)

Analysis:

Indeed, it's most likely that this was implemented by a consultant. Mr O seems to be taking this question way too seriously. I'm guessing he's implemented such a workflow (or at least been part of the testing).

Comments:

0 comments