1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Lack of Interest Ability to recover account/password without email

Discussion in 'Closed Suggestions' started by Biker, Apr 18, 2013.

  1. Biker

    Biker Well-Known Member

    There are times when a forum member is gone for a long time, and during this absence may change email providers. This makes recovering their account without Admin assistance virtually impossible if they've forgotten their password.

    It would be a nice feature to allow users to be able to recover their accounts directly from the site without having to worry about the password change request going to their old email address that they no longer have access to.
    Alfa1 likes this.
  2. Mike

    Mike XenForo Developer Staff Member

    Do you have any suggestions of what could be used to identify the person as the account owner other than the email address or password?
    Softlineck likes this.
  3. Biker

    Biker Well-Known Member

    I've seen some sites use a series of secret questions that can be answered by the individual. The answers are provided by the user when they sign up for their initial account.
    Softlineck likes this.
  4. Mike

    Mike XenForo Developer Staff Member

    I think you could do this with custom fields if you want (required, editable only once, not displayed publicly), albeit manually.

    A lot of high profile account compromises happen because of weak security questions and answers that allow this sort of account resets so I'm hesitant to use it.
  5. Teapot

    Teapot Well-Known Member

    I agree with Mike: Forcing users to create secret questions adds a lot more complexity (and thought requirements) at registration for potentially a large security threat. It'd be nice to have a non-email based password reset function, but I don't think secret questions are the way to go. Sorry. :)
  6. Andy.N

    Andy.N Well-Known Member

  7. Biker

    Biker Well-Known Member

    Doesn't have to be secret questions. But an alternative means of being able to recover your account without relying on email would be a nice feature. Especially since the software doesn't currently have a way of merging accounts. Users create a second account, post on it, and now they have two accounts with posts
  8. Tracy Perry

    Tracy Perry Well-Known Member

    How about the ability to put in an optional second recovery email account. I know I keep several hotmail accounts that I use just for emergency password recovery.

    Scratch that as I see it has been mentioned - and I second the idea of a secondary recovery email account.
  9. Biker

    Biker Well-Known Member

    Many of my "older" members have enough issues with one email account. Trying to maintain two isn't something I'd be comfortable in suggesting. The entire purpose of the suggestion is to get away from relying on email to reset a password.
  10. Luxus

    Luxus Well-Known Member

    What if they did forget the answers to the questions as well?
  11. Tracy Perry

    Tracy Perry Well-Known Member

    Hehehe.. Older... hehehehe. I'm almost 50, so I meet that classification. ;)
    That's why it would be an option. Security questions are not the best way to handle it as it is an inherent weakness there. If they have an Android phone, then they will usually already have a second email account (if they are using their ISP provider as their primary emails - or their employer).
    Softlineck likes this.
  12. vijaichander

    vijaichander Active Member

    What about people forgetting the website itself?:D
  13. whynot

    whynot Well-Known Member

    Very much a possibility.(Believe it or not)
  14. Ingenious

    Ingenious Well-Known Member

    Biker's right, some of a communities older or "gone away for a long time" members do forget passwords then find their email is long out of date. We just deal with these manually (either spotting duplicate accounts and offering to merge them, though we can't actually merge at present since moving from vB to XF I should say!) or manually updating an email if the member contacts us, so they can reset their own password.

    We also pro-actively try to reduce these cases by acting on bounced emails immediately by putting that account in confirmation required status, so as soon as a member's email is out of date and we know about it, we force them to update.

    Not sure what the solution is. SMS texts would be one idea, but then if someone goes away for a few years their phone might be out of date too (and resets would cost money per text here in the UK). Additional emails could also go out of date. I struggle to remember secret questions and answers - since I try and avoid mother's maiden name type things.
  15. sonnb

    sonnb Well-Known Member

    Do not trust Security questions. They are all sucks and easy to defeat (because they are all common questions that could be guessable) and trust me, your members would forget them before they forget the password.
  16. Joe Link

    Joe Link Well-Known Member

    Anyone come up with a good solution to this?

    Would it be a security issue to have a secret question on registration we could manually ask them if they contacted us and said they forgot their password? It would be no different than entering the password itself, so I can't see how it'd be less secure.
  17. Alfa1

    Alfa1 Well-Known Member

    Facebook, Google, Yahoo or VK authentication.
  18. Joe Link

    Joe Link Well-Known Member

    Can you please elaborate?
  19. Alfa1

    Alfa1 Well-Known Member

  20. Alfa1

    Alfa1 Well-Known Member

    @Brogan I'd like to suggest the following, but I am not sure if I should open a new suggestion or if my suggestion will be considered as part of in the current suggestion if I post it here? My suggestion is related but is much wider than the suggestion in this thread.

    Account access Fall back with social networks
    Just like gmail and other services ask their member to add a second contact address, XenForo should ask members to connect their account to social media accounts in case they loose their password & email. XenForo now supports facebook, google and twitter login, so this should be a small step.

    Over time communities loose a very large number of members due to lack of access and lack of contact. Once members no longer have access to their accounts and no longer are able to receive community email, they are lost members. On my site this means many tens of thousands of accounts. Its a great loss. It would be such a valuable function if we would be able to give those lost members access to their account or even be able send them a short message with access instructions.

Share This Page