1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Emails from members who can't log in

Discussion in 'Forum Management' started by melbo, Feb 6, 2016.

  1. melbo

    melbo Well-Known Member

    Seems like this happens monthly: member emails me with a brief statement 'like can't get in. help' or 'my password isn't working. won't let me in. i quit'. I used to manually reset their pass and email it to them with instructions on how to change it once they successfully logged in. I now realize that this isn't a good way of handling this as it could be someone attempting to access a user's account through a socially engineered vulnerability (me, the helpful admin).

    Been thinking about how to best handle this next time.
    Instruct them to perform a password reset and ignore further pleas for help?
    Ask them to describe something about themselves (other than location or email address)?

    Made me think that it might be a good idea to incorporate some required security questions at registration. These questions would be hidden but viewable by an admin and could be used as a challenge when someone reaches out for manual help.

    Anyone experience this or have other ways of dealing with the situation?
  2. Chris D

    Chris D XenForo Developer Staff Member

    Yes, basically. Why wouldn't they be able to do this?

    Secret questions and answers are somewhat archaic. I'm not even sure people tend to use them anymore. Ultimately if they forget their password, they can forget their secret answer and then you're back to square one anyway. Also the secret questions and answers tend to be pretty weak. "What school did you first attend?" At least if someone ever forgot that they could just look it up on their public Facebook profile ... ;) If just seems flawed to me.

    There are of course extenuating circumstances but they should be considered last.
    melbo likes this.
  3. Mouth

    Mouth Well-Known Member

    This. I have a canned response that I send back giving the password reset URL, and checking their spam folder if the email doesn't arrive in 5 mins or so. I further advise that if they still have difficulty (eg. they no longer have access to the email address on their account) to respond back with some details listed on their account (when did they last logon, email address on account, etc.) before I can further action.
    melbo likes this.
  4. melbo

    melbo Well-Known Member

    Good points both - thank you
    i think my issue is that I have an older, non-tech savvy segment to my userbase that can be dense when it comes to those explanations. 'Password reset? I've tried but it's not working. help. me'. Although the email is typically in all caps...
  5. wang

    wang Well-Known Member

Share This Page