Ability to retrieve forgotten usernames
Closed, ResolvedPublic

Description

Author: artificial

Description:
On the Special:Userlogin page, "E-mail new password" requires people to remember the username first. It would be a nice enhancement if there was an "E-mail username" link, taking you to a different screen to enter your email address, which would then send a list of the username(s) connected with that email address. Is that possible? Might cut down on the number of unused accounts that get created by forgetful people.

There is a privacy issue I can think of: the page after you click the final button "Retrieve username" should display the same message whether there was actually any name associated with that e-mail or not. Something like: "Thank you. If you registered an account using this e-mail address, it will be sent to you." Otherwise it would be possible to find out if someone had registered if you knew the email address they commonly used.

I guess it would involve a couple of boring bits of programming (new HTML form, localization), but also a fun bit (the database query to get the usernames). (Or is it just me who thinks that? Always liked databases. ^_^)


Version: unspecified
Severity: enhancement

bzimport added a subscriber: Unknown Object (MLST).
bzimport set Reference to bz13015.
bzimport created this task.Via LegacyFeb 14 2008, 1:41 AM
bzimport added a comment.Via ConduitFeb 14 2008, 1:47 AM

ayg wrote:

This is a good idea . . . why don't we have this already? Of course, there could be multiple usernames associated with the e-mail address, but we can just send all the relevant usernames in that case. (The database query isn't so interesting: SELECT user_name FROM user WHERE user_email='bob@hotmail.com';)

This will need a key on user_email.

bzimport added a comment.Via ConduitFeb 14 2008, 2:26 AM

artificial wrote:

Is a key needed for performance reasons, or will some database engines not allow the text query otherwise? With MySQL at least, the tinytext field for user_email seems to allow the query anyway.

bzimport added a comment.Via ConduitFeb 14 2008, 2:28 AM

achuggard wrote:

I also think this would be a really cool idea. In implementing username retrieval, we would need the ability to (partially) disable it as well. (This may be obvious to everyone, but I figured writing it down to make sure it's considered would be a good thing) Corporate Installations that are using External Authentication plugins and websites using Mediawiki as a sort of private CMS are 2 common cases that would likely not want this functionality.

bzimport added a comment.Via ConduitFeb 14 2008, 2:30 AM

t.laqua wrote:

I don't feel utilization will be high enough to justify any schema changes.

Should it email just the username? Or username and new randomly generated password?

bzimport added a comment.Via ConduitFeb 14 2008, 2:33 AM

ayg wrote:

(In reply to comment #2)

Is a key needed for performance reasons, or will some database engines not
allow the text query otherwise?

A key is needed for performance reasons.

(In reply to comment #4)

I don't feel utilization will be high enough to justify any schema changes.

A table scan of millions of rows is not acceptable at *any* usage rate, period. If this is going to be added, it has to be with an index.

Should it email just the username? Or username and new randomly generated
password?

Just username is okay, but username and password reset links would be better. Note that we don't ever immediately reset the password, we send a reset link.

DanielFriesen added a comment.Via ConduitFeb 14 2008, 5:10 AM

(In reply to comment #5)

Just username is okay, but username and password reset links would be better.
Note that we don't ever immediately reset the password, we send a reset link.

Well, perhaps, though if you think about strait logic.

For forgot password we give the form a username, it finds the e-mail, and sends a random password.

So for forgot username we give the form a e-mail, it finds the username(s), and sends a username.

Kind-of a map of one input, find one associated type, send information requested.

However, there is another thing to think of.

Say, I add my address eg: dantman@example.com to my account, and I put the password "foo" on them. I know my password is foo, and I know my e-mail is "dantman@example.com", however, I do not know my Username. So I ask for my username... I'm not asking for a password, and I don't expect the e-mail to return a temporary password. If I need a new password, I expect to request that myself.

So, perhaps we should keep with returning one requested thing for the input.

bzimport added a comment.Via ConduitFeb 14 2008, 9:59 PM

ayg wrote:

(In reply to comment #6)

Say, I add my address eg: dantman@example.com to my account, and I put the
password "foo" on them. I know my password is foo, and I know my e-mail is
"dantman@example.com", however, I do not know my Username. So I ask for my
username... I'm not asking for a password, and I don't expect the e-mail to
return a temporary password. If I need a new password, I expect to request that
myself.

So, perhaps we should keep with returning one requested thing for the input.

Yes, I see your logic. You may have a point. What does other software usually do?

bzimport added a comment.Via ConduitFeb 14 2008, 10:35 PM

artificial wrote:

YouTube, for one, just sends out a list of user names. But I really think that people who have forgotten their username are likely to have forgotten the password as well. Sending out both sounds more user-friendly. Sometimes the emails take a while to come through, etc., so waiting twice would be annoying.

bzimport added a comment.Via ConduitFeb 14 2008, 10:44 PM

ayg wrote:

Some wording like this would be good (with some more context, e.g., what the site is, who sent it, unsubscribe info, . . .):

Your username is [username]. Additionally, if you have also forgotten your password and would like to reset it now, you can go to this link to do so: [link] If you do not wish to reset your password, do not visit the link, and it will expire in one day.


You have N usernames: [1], [2], .... If you have also forgotten the passwords to one or more of your accounts and would like to reset them now, you can go to the appropriate link(s) below to do so:

[1]: [link for 1]
[2]: [link for 2]
...

The links will all expire in one day.

bzimport added a comment.Via ConduitFeb 15 2008, 2:11 PM

t.laqua wrote:

For the form where the email address is entered, should it use a new QuickTemplate class like the UserloginTemplate() and UsercreateTemplate() classes?

Or it doesn't matter? I can see arguments either way - this form will only be called from SpecialUserlogin, and all the other forms for that class are QuickTemplate classes.

I'm partial to not making another QuickTemplate template as it's an incredibly simple form.

bzimport added a comment.Via ConduitFeb 19 2008, 12:57 AM

ayg wrote:

It sounds like more of a code style issue than anything. Do whatever you think is best.

bzimport added a comment.Via ConduitApr 20 2011, 3:28 PM

happy.melon.wiki wrote:

Fixed in r86482.

Add Comment