Release Notes: Login and Password Reset (Sept 2018)
In our next core update, we will be making some important changes to the login and password reset modules to incorporate the latest industry standards for enhanced security and usability. Those changes are as follows:
Login Changes
When a user attempts to log in to a site, and is unsuccessful, information will not be provided on screen as to the reason for the failed attempt. This is being changed so as to not inadvertently expose information to potentially malicious users.
How it works now:
In our current model, if a user tries to login with an email address that doesn't exist, the system lets the user know that no email record was found. If the password is incorrect, the system informs the user that the password entered isn't correct.
For password reset, if an email address that doesn't exist is entered, we let them know that no matching user record was found for the entered email.
How it will work after this change:
If a user tries to login and it isn't successful, we show the same message every time:
The credentials entered did not match our records. Please double-check and try again.
For password reset, it will display the same message regardless of whether an email address was found:
If we found a record for this email address, we just sent you an email. If you don't receive an email within five (5) minutes, please double-check your SPAM folder. If no email is received, it is likely that you are entering an incorrect email address and should come back here to try again.
Styling Changes
In addition to the above, we have modified styling to a mobile-first approach for the login and password changes. The changes are subtle, but are modeled after Amazon.com, which has won numerous industry awards for their simple, yet effective approach to easily getting users logged into their account. The biggest differences between new and old are (1) a border around the login/password reset form and (2) larger submission buttons for convenience of users on mobile devices.
