FS#15468 - {bbs} false information provided in Forgotten your password? e-mail

Attached to Project: Arch Linux
Opened by ELLIOT (onthenickel) - Friday, 10 July 2009, 01:01 GMT
Last edited by Andrea Scarpino (BaSh) - Sunday, 22 November 2009, 06:53 GMT
Task Type Bug Report
Category Web Sites
Status Closed
Assigned To Andrea Scarpino (BaSh)
Architecture All
Severity Medium
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:
The Arch Linux forum has a "Forgotten your password?" function which sends the user a new password via e-mail. (A sample of this e-mail is provided at the end of this bug report.)

The bug being reported here is that the e-mail in question provides incorrect/false information. If the user relies on this information, she will not be able to log into her account.

If you want, feel free to read this entire bug report... :-) Long story short, I suggest the password reset mail should be changed from:

Your new password is: gDgfm2rO

to

Upon following the below link, your password will be: gDgfm2rO

Thanks!
-Elliot

Specifically, the e-mail incorrectly says "Your new password is: XXXXXXXX". This statement (hereafter referred to as statement #1) is not correct because at the time that the user reads the e-mail, the user's password has not yet been changed to XXXXXXXX.

In fact, the user must visit a link provided in the e-mail in order to change the password to XXXXXXXX.

It is true that the e-mail does also include, at the end of the e-mail, the following statement... "To change your password, please visit the following page: (link)" (hereafter referred to as statement #2) ...however it is not reasonable to expect the user to rely on statement #2 for the following reasons:

1) statement #2 contradicts statement #1 (statement #1 says that the password has already been changed, so if we assume that statement #1 is correct, then we must assume that statement #2 is offering to change the password AGAIN, something that the user is not going to be interested in, because statement #1 has already (incorrectly) told the user what the password is... how many times does the user want to change passwords? Probably only once...)

2) if the user assumes that statement #1 is accurate (and why should the user assume any differently?) then the user has no incentive to continue reading the e-mail. Statement #1 has given the user what is needed: The password. Of course, since this statement is incorrect, the user will not be able to log in with this password. Being unable to log in, the user must now begin troubleshooting this issue, and here is where Murphy's law steps in: The successful troubleshooting step will be the last one tried... The user will check if she has her caps lock key on, if she is typing incorrectly... the user will AGAIN request that the password be reset... The user will reboot her computer, try a different web browser, try reloading Windows, try moving to a different house in a different city... it may not be until all else has failed that the user will read the rest of the e-mail.

3) There is a common tendency in many users to filter out (to ignore) parts of e-mails and web pages which look like standard legalistic (conforming to unnecessary or redundant procedure) crap that we so often are bombarded with these days... (e.g. if you didn't request this e-mail... if you wish to be unsubscribed... etc etc...) Once the user has read and processed the rest of the e-mail, the user must now form the hypothesis that possibly the first part of the e-mail (statement #1) is in conflict with the second part of the e-mail (statement #2) and the user must then proceed to test this hypothesis... only upon testing this hypothesis will the user discover that her inability to log into her account has nothing to do with anything she is doing incorrectly, and everything to do with statement #1 being, in fact, false.

4) the user may be clinically inattentive, stoned, or drunk, or some combination thereof.

P.S.

Statement #3:

"If you didn't
request this or if you don't want to change your password you should
just ignore this message. Only if you visit the activation page below
will your password be changed."

I just now discovered statement #3 in the e-mail. Until now I had actually not read this statement. Because the statement started out with bland generic legalistic crap "if you didn't request this..." I ignored it.... I skimmed ahead to the useful part of the e-mail... the part that (unfortunately incorrectly) tells me my password...

As you can see, statement #3 is in conflict with statement #1... That is to say, one of them must be false. As we know now, statement #1 is false.

P.P.S.

I just now noticed this as well... This is stated in the web page form which is used to request the new password:

Statement #4

"A new password together with a link to activate the new password will be sent to that address."

Again, I ignored statement #4 as well... Statement #4 is in conflict with statement #1... one of them must be false... Even if the user does read both statement #1 and #4, how is the user to know which one is false and which one is correct? Obviously, the more the user reads, the better, as then the user has more information to begin the process of troubleshooting and reverse engineering the password reset process... but... should the user have to reverse engineer this process in order to perform a simple task...?

Additional info:

here is the text of the password reset e-mail:

Hello onthenickel,

You have requested to have a new password assigned to your account in
the discussion forum at http://bbs.archlinux.org/. If you didn't
request this or if you don't want to change your password you should
just ignore this message. Only if you visit the activation page below
will your password be changed.

Your new password is: gDgfm2rO

To change your password, please visit the following page:
http://bbs.archlinux.org/profile.php?id=26645&action=change_pass&key=15q67o0w

--
Arch Linux Forums Mailer
(Do not reply to this message)
--

Steps to reproduce:
Follow this link and request a new password:
http://bbs.archlinux.org/login.php?action=forget
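The two-phase flow the report describes (a pending password plus an activation key; the account password changes only when the change_pass link is visited), as an added Python model rather than PunBB's own PHP. This is not the forum's code; the class and method names and the deliberately simple hashing scheme are assumptions of the model.

```python
# Model of the two-phase reset flow the report describes: the e-mailed
# password is only "pending" until the activation link's key is presented.
# Added example, not PunBB's or the Arch forum's code; names and the
# (deliberately simple) hashing scheme are assumptions of this model.
import hashlib
import hmac
import secrets


def _hash(password: str, salt: str) -> str:
    # Assumed scheme for the model only; use a real password hash in practice.
    return hashlib.sha256((salt + password).encode()).hexdigest()


class Forum:
    def __init__(self) -> None:
        # user_id -> {"salt", "hash", "pending": (new_hash, key) or None}
        self.accounts: dict[int, dict] = {}

    def register(self, user_id: int, password: str) -> None:
        salt = secrets.token_hex(8)
        self.accounts[user_id] = {"salt": salt, "hash": _hash(password, salt),
                                  "pending": None}

    def login(self, user_id: int, password: str) -> bool:
        acct = self.accounts[user_id]
        return hmac.compare_digest(acct["hash"], _hash(password, acct["salt"]))

    def request_reset(self, user_id: int) -> tuple[str, str]:
        """Phase 1: what the 'Forgotten your password?' form triggers.
        Returns the (password, key) the e-mail carries; the live password
        is untouched, so 'Your new password is' is not yet true."""
        acct = self.accounts[user_id]
        new_password, key = secrets.token_urlsafe(6), secrets.token_hex(4)
        acct["pending"] = (_hash(new_password, acct["salt"]), key)
        return new_password, key

    def activate(self, user_id: int, key: str) -> bool:
        """Phase 2: the change_pass link. Only a matching key swaps the
        pending hash in; a wrong or stale key changes nothing."""
        acct = self.accounts[user_id]
        pending = acct["pending"]
        if pending is None or not hmac.compare_digest(pending[1], key):
            return False
        acct["hash"], acct["pending"] = pending[0], None
        return True
```

Until activate() succeeds, the old password keeps working and the e-mailed one does not, which is exactly why an unsolicited reset mail can be ignored safely and why statement #1 misleads.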

Closed by Andrea Scarpino (BaSh)
Sunday, 22 November 2009, 06:53 GMT
Reason for closing: Fixed
Additional comments about closing: http://projects.archlinux.org/vhosts/bbs.archlinux.org.git/commit/?id=732764bc23506b7a4235e76eae0e9af45b77ba2
Comment by Dan McGee (toofishes) - Friday, 10 July 2009, 02:29 GMT
I never ever touch forum code; assigning this to me is worthless, Gerardo. :) I don't think Dusty really does either.
Comment by Dusty Phillips (Dusty) - Friday, 10 July 2009, 15:25 GMT
I don't even have access to it, AFAIK... Simo might be the one to assign it to but he's kind of slow.
Comment by Aaron Griffin (phrakture) - Friday, 10 July 2009, 15:51 GMT
I'd recommend looking at the punbb source and providing a patch.
Comment by Loui Chang (louipc) - Thursday, 06 August 2009, 21:28 GMT
Seems like this may be fixed in punbb 1.3.