Confusing, non-standard pass reset UX

Continuing the discussion from Our auth UX is problematic, case-sensitivity, confusing pass reset…:

The issue:

Problems with status quo:

  • it’s really strange to enter a new pass when requesting the reset instead of after the email verification step (in fact, Firefox for me auto-fills the old pass there as is)

  • the options in the verification email to either copy/paste the token or use the URL link are odd; we might consider using just the URL

    • maybe this was done out of concern of leaving open the original tab and then the URL opens a new tab?
    • if we remove the copy/paste option, we need to change both the email and the page after successful reset-request submission (which currently has the field to paste into)

This was only done for expedience, and was influenced by what Yesod makes easy to do. I agree it’s bad.

I did this because I’d seen it elsewhere. At one time, people didn’t like clicking links from emails thanks to HTML emails making it easy to forge malicious links. We can drop that additional option, but does it really hurt? (Maybe)

I think this is still the case and that it’s a best practice to make one’s own emails help train users in habits that protect them against other people’s malicious emails. So I’d keep the option to copy/paste token. In fact, I’d consider offering only that option, followed by a message like this:

(If the page asking for the token is no longer open, you can get back to it at

BTW, I’m trying to get sent an email with the token but so far it’s not showing up in my inbox.
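The flow the thread is arguing for (ask only for the email address, send a token, verify the token, and only then accept a new password) is easy to get subtly wrong, so here is a small added example of it in Python. This is not the project's Yesod code and nothing in the thread defines these names: the `PasswordResetFlow` class, its `outbox` list standing in for SMTP, the 15-minute `TOKEN_TTL_SECONDS`, and the sample user are all constructed for the example. It keeps the copy/paste token option discussed above (the email carries the bare token, which the user pastes into the still-open page), stores only a hash of the token server-side, makes the token single-use and time-limited, and gives the same response whether or not the address has an account.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: how long a reset token stays valid.
TOKEN_TTL_SECONDS = 15 * 60
PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; returns salt || derived key."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + dk


def check_password(password, stored):
    """Constant-time comparison against a hash_password() value."""
    salt, dk = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, dk)


class PasswordResetFlow:
    """Three-step reset: request -> verify token -> set new password."""

    def __init__(self, users, clock=time.time):
        self.users = users          # email -> password hash (constructed sample data)
        self.clock = clock          # injectable so expiry can be tested
        self._pending = {}          # sha256(token) -> (email, expires_at)
        self.outbox = []            # "sent" emails captured here instead of SMTP

    def request_reset(self, email):
        # Step 1: only the address is collected; no new password on this form.
        # The reply is identical for unknown addresses so it cannot be used
        # to enumerate accounts.
        if email in self.users:
            token = secrets.token_urlsafe(32)
            digest = hashlib.sha256(token.encode()).hexdigest()
            self._pending[digest] = (email, self.clock() + TOKEN_TTL_SECONDS)
            # The email carries the raw token for copy/paste; the server keeps
            # only its hash, so a leaked database does not yield usable tokens.
            self.outbox.append({"to": email, "token": token})
        return "If an account exists for that address, a reset token has been emailed."

    def _lookup(self, token):
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.get(digest)
        if entry is None:
            return None, None
        email, expires_at = entry
        if self.clock() > expires_at:
            del self._pending[digest]   # expired tokens are discarded on sight
            return None, None
        return digest, email

    def verify_token(self, token):
        # Step 2: the pasted token is checked before the new-password form is shown.
        digest, _ = self._lookup(token)
        return digest is not None

    def set_new_password(self, token, new_password):
        # Step 3: the new password is accepted only with a live token, and the
        # token is consumed so it cannot be replayed.
        digest, email = self._lookup(token)
        if digest is None:
            return False
        del self._pending[digest]
        self.users[email] = hash_password(new_password)
        return True


def demo():
    """Walks one user through the flow and returns the outcome of each step."""
    users = {"alice@example.com": hash_password("old-pass")}  # constructed sample
    flow = PasswordResetFlow(users)
    flow.request_reset("alice@example.com")
    token = flow.outbox[0]["token"]
    return {
        "bad_token_rejected": not flow.set_new_password("not-the-token", "x"),
        "token_verifies": flow.verify_token(token),
        "password_changed": flow.set_new_password(token, "new-pass"),
        "token_single_use": not flow.verify_token(token),
        "login_with_new": check_password("new-pass", users["alice@example.com"]),
    }


if __name__ == "__main__":
    for step, ok in demo().items():
        print(f"{step}: {ok}")
```

The injectable clock is there so expiry can be exercised without sleeping; in a real deployment the pending-token table would live in the database and the outbox would be the mailer, but the ordering of the three steps is the point.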