The blog has been updated with suggestions.
I use a Hotmail account for all the random sites I do not log in to very often, so I would have to switch to another tab, log in to my email, wait for the message (it can take 10-30 seconds), then switch tabs again to log in on their website.
Users with password managers, who can normally log in with one click, must follow the same path to their email and fetch the link. One suggestion in the post update was:
simply reverse the order of the password reset link and the password field in the form.
Password manager users are not affected, and other users can spot the reset link a little more easily.
A very good use case for this is the initial sign-up, which is critical for many sites.
To register, you just enter your email and are logged in directly, much like signing up for a newsletter. A password reset email is then sent to you. You could start with slightly restricted permissions, but it gives you a chance to find out whether you like the site.
You can also register by entering your e-mail address and a password and logging in directly, which removes the need for a separate password reset; you then only have to confirm your e-mail address. Stamp does this very well.
Reset = Login by e-mail
If we accept that people reset their passwords anyway, that is a good thing, and it is therefore worth spending time improving this process.
- We could stop calling it "reset password" and just call it "email login" / "email id" – your password remains unchanged.
- Use a transactional email service like Mandrill, which should speed up email delivery.
- Make the password reset email as clear as possible.
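As an added example (not code from the original post), here is how the "reset = login" flow above can be implemented so that the emailed link is single-use and time-limited: the server stores only a hash of the random token, so a leaked table cannot be turned into working login links. The class, the 15-minute lifetime and the example.test URL are assumptions for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime: the link expires after 15 minutes


class EmailLogin:
    """Passwordless 'reset = login': issue and redeem single-use, expiring links.

    `now` is injectable so the expiry logic can be tested with a fake clock.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # sha256(token) -> (email, expires_at); raw token never stored
        self.outbox = []    # stands in for the mail provider (e.g. Mandrill): (email, link)

    def request_link(self, email: str) -> None:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, unguessable
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email.lower(), self._now() + TOKEN_TTL_SECONDS)
        # Only the e-mail carries the raw token; the database holds its hash.
        self.outbox.append((email, f"https://example.test/login?token={token}"))

    def redeem(self, token: str):
        """Return the e-mail address the link belongs to, or None if it is invalid.

        Looking the hash up (rather than the token) means a timing difference on
        the lookup reveals nothing about the secret token itself.
        """
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)  # pop() makes the link single-use
        if entry is None:
            return None
        email, expires_at = entry
        if self._now() > expires_at:
            return None  # expired links are discarded, not accepted late
        return email


def token_from_link(link: str) -> str:
    """Extract the token from a login link, as the login endpoint would."""
    return link.split("token=", 1)[1]
```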
The obvious alternative is OAuth, but I think relying more on Facebook and Google to manage our logins is bad for the Web. As for privacy, it is clear that Facebook and Google would then know every site you have an account on, and I certainly consider user privacy to be part of the user experience.
Among the things mentioned in the blog update is Mozilla Persona, which Mozilla has since given up on. There is actually a very good open letter arguing that Mozilla could help the Web more effectively by promoting Persona instead of pushing Firefox OS, with this rather nice quote:
Put all your eggs in one basket and stick to Fort Knox.
Personally, I think the best way is to get users onto password managers. LastPass is the main one, 1Password is a more recent option, and I personally use KeePass with the KeePassHTTP browser plugin.