locked ANOTHER DISASTER - a member reset another member's password


 

In trying to help my transferred member figure out how to reset (or actually, create) a password, someone in my group posted a link to her OWN "reset password" link that she received in the transfer email. She warned people not to click on it since it might reset HER password.  Nobody thought that could actually happen, but unfortunately, it did: someone else clicked on the link and inadvertently re-set the other member's password.

I am now in an offlist pow-wow with the two of them, trying to figure out how to rectify the situation.

Mark, the group is Feline_Smallcell_Lymphoma in case you want to have a look. But basically, it was just the rest password link that came with the transfer email. It contained the member's email address within the link.

J


kr402
 

Jeez!! 

I am sorry that happened, but is it worth fighting over.
Life is to short to make a fuss over the little things.
What is the worse thing, you choose a new password and move on. 

In trying to help my transferred member figure out how to reset (or actually, create) a password, someone in my group posted a link to her OWN "reset password" link that she received in the transfer email. She warned people not to click on it since it might reset HER password.  Nobody thought that could actually happen, but unfortunately, it did: someone else clicked on the link and inadvertently re-set the other member's password.

I am now in an offlist pow-wow with the two of them, trying to figure out how to rectify the situation.


_._,_._,_


 

Well, admittedly it was funny. But the person whose password was changed had to ask the other person to tell her the new password. She could not "choose a password and move on" LOL. She couldn't get into her own account. Luckily I run a very friendly group. ;)

J

On Sat, Jan 16, 2016 at 9:10 PM, kr402 via Groups.io <kr402@...> wrote:
Jeez!! 

I am sorry that happened, but is it worth fighting over.
Life is to short to make a fuss over the little things.
What is the worse thing, you choose a new password and move on. 

From: J_catlady
Sent: Saturday, January 16, 2016 21:03 PM
Subject: [beta] ANOTHER DISASTER - a member reset another member's password

In trying to help my transferred member figure out how to reset (or actually, create) a password, someone in my group posted a link to her OWN "reset password" link that she received in the transfer email. She warned people not to click on it since it might reset HER password.  Nobody thought that could actually happen, but unfortunately, it did: someone else clicked on the link and inadvertently re-set the other member's password.

I am now in an offlist pow-wow with the two of them, trying to figure out how to rectify the situation.




 

I deleted all the emails starting with the one that posted the link, saying it was "for security reasons" LOL. So it's no longer there. I got the two people together and advised them to confer on the password situation. The one who changed it told the other one what it was, and then they both reset their own. 
J

On Sat, Jan 16, 2016 at 9:14 PM, J_Olivia Catlady <j.olivia.catlady@...> wrote:
Well, admittedly it was funny. But the person whose password was changed had to ask the other person to tell her the new password. She could not "choose a password and move on" LOL. She couldn't get into her own account. Luckily I run a very friendly group. ;)

J

On Sat, Jan 16, 2016 at 9:10 PM, kr402 via Groups.io <kr402@...> wrote:
Jeez!! 

I am sorry that happened, but is it worth fighting over.
Life is to short to make a fuss over the little things.
What is the worse thing, you choose a new password and move on. 

From: J_catlady
Sent: Saturday, January 16, 2016 21:03 PM
Subject: [beta] ANOTHER DISASTER - a member reset another member's password

In trying to help my transferred member figure out how to reset (or actually, create) a password, someone in my group posted a link to her OWN "reset password" link that she received in the transfer email. She warned people not to click on it since it might reset HER password.  Nobody thought that could actually happen, but unfortunately, it did: someone else clicked on the link and inadvertently re-set the other member's password.

I am now in an offlist pow-wow with the two of them, trying to figure out how to rectify the situation.





kr402
 

On Jan 16, 2016, at 9:14 PM, "J_catlady" <j.olivia.catlady@gmail.com> wrote:

Well, admittedly it was funny. But the person whose password was changed had to ask the other person to tell her the new password. She could not "choose a password and move on" LOL. She couldn't get into her own account. Luckily I run a very friendly group. ;)
oh ok, I did not realize that she had actually entered a new password and locked the other member out of her own account. Although, when she was able to get into her account then she could change the password again. I guess a good lesson is not to share your reset password link, otherwise anyone could get into your account. Which is not good. Hopefully Mark will come up with a solution to prevent that.

KR


 

The really odd thing, though, was that when *I* clicked on the link (which I did, out of curiosity, before the other person did), and then just exited the window without doing anything, the next time I went to my group the system made me log in again, as if I'd logged out (I hadn't). So it seemed to me at that point that when I clicked on the link, it was known which account (email address) I was coming from. At that point I believed it was safe for other people besides the person whose email it was to click on the link. But it wasn't.

J


 

J,

In trying to help my transferred member figure out how to reset (or
actually, create) a password, someone in my group posted a link to her
OWN "reset password" link that she received in the transfer email. She
warned people not to click on it since it might reset HER password.
Nobody thought that could actually happen, but unfortunately, it did:
someone else clicked on the link and inadvertently re-set the other
member's password.
Yeah, there's basically no defense for this one. Forwarding a password reset link is in its way worse than posting your password - because the reset not only gives the stranger access, but also locks you out.

I am now in an offlist pow-wow with the two of them, trying to figure
out how to rectify the situation.
I read in other messages that they have it straightened out. So that's good.

However, even if the second member couldn't be reached, or couldn't remember what the new password was, the original member can to go to the site and click for a new Password Reset. That she could do without being able to sign in (that being the time you _need_ a password reset).

And this time don't forward the email to anyone!

-- Shal


 

J,

The really odd thing, though, was that when *I* clicked on the link
(which I did, out of curiosity, before the other person did), and then
just exited the window without doing anything, the next time I went to
my group the system made me log in again, as if I'd logged out (I
hadn't).
That's not too odd. In order to complete the password reset the site would need to be accessing the other person's account. Which means it needed to be signed out of yours.

Look at it this way: because the email address associated with that link was not your address, and the system believed that the person clicking the link was that other person, it dared not allow that person access under your account.

So it seemed to me at that point that when I clicked on the link, it was
known which account (email address) I was coming from.
It "knew" only the address of the other person. That's who it thought you were.

-- Shal


 

LOL. I guess all of that makes sense!

On Sat, Jan 16, 2016 at 10:19 PM, Shal Farley <shals2nd@...> wrote:
J,

> The really odd thing, though, was that when *I* clicked on the link
> (which I did, out of curiosity, before the other person did), and then
> just exited the window without doing anything, the next time I went to
> my group the system made me log in again, as if I'd logged out (I
> hadn't).

That's not too odd. In order to complete the password reset the site would need to be accessing the other person's account. Which means it needed to be signed out of yours.

Look at it this way: because the email address associated with that link was not your address, and the system believed that the person clicking the link was that other person, it dared not allow that person access under your account.

> So it seemed to me at that point that when I clicked on the link, it was
> known which account (email address) I was coming from.

It "knew" only the address of the other person. That's who it thought you were.

-- Shal






 

The password reset link should probably expire after 30 minutes to an hour. That gives it time in case the email is slow but limits the amount of damage it can do if someone else gets it somehow. If the real user doesn't have time after generating the password reset to use it, that user can always generate a new password reset link later.

JohnF


 

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.

J


 

(I mean, I would ask them to contact support. No worries, I would not tell them to email you, Mark. :-)


Ro
 

yes one of my members is not recieving her direct email either, and she is set up for it. 


Ro
.




From: j.olivia.catlady@...
Date: Sun, 17 Jan 2016 12:02:30 -0800
To: beta@groups.io
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J


 

Actually, the person (or persons) in my group are getting emails from my group. However, they reportedly did not receive either the email transfer notification or the email with the reset-password link they were promised when they clicked on "forgot password."

J

On Sun, Jan 17, 2016 at 12:29 PM, Ro <recarlton@...> wrote:
yes one of my members is not recieving her direct email either, and she is set up for it. 


Ro
.




From: j.olivia.catlady@...
Date: Sun, 17 Jan 2016 12:02:30 -0800
To: beta@groups.io
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J



 

p.s. They all claim to have checked their spam folders over and over.
J

On Sun, Jan 17, 2016 at 12:31 PM, J_Olivia Catlady <j.olivia.catlady@...> wrote:
Actually, the person (or persons) in my group are getting emails from my group. However, they reportedly did not receive either the email transfer notification or the email with the reset-password link they were promised when they clicked on "forgot password."

J

On Sun, Jan 17, 2016 at 12:29 PM, Ro <recarlton@...> wrote:
yes one of my members is not recieving her direct email either, and she is set up for it. 


Ro
.




From: j.olivia.catlady@...
Date: Sun, 17 Jan 2016 12:02:30 -0800
To: beta@groups.io
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J




vickie <vickie_00@...>
 

J >>> I'm now suggesting they try it from Groups.io rather than from our group's specific site.

2 areas to reset password?
In my opinion there should be only one area to reset a password. 
These members are having a hard enough time trying to figure out how to join a group.
so why give them more areas to click on.
Possibly  a drop down (help ) window can be added  next to reset password to read first to find out
what the problem may be and if that doesn't work then reset password.... Just saying.

 In fact maybe Drop down help windows  is what is needed for members   before  they join a group and in groups on tools they
are permitted to use. 
Would save moderators a lot of explaining and save Mark a lot of administrative  instructions  to  mods and the members directly. 


Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 3:02 PM
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J




 

It's really the same place. I'm just suggesting a different way of getting there since she was having trouble the first way. I think there are still language problems related to creating or resetting passwords (and joining groups, etc. - the whole area Mark is working on). While we're at it, I would suggest using the term "create new password" as a substitute for either "reset password" or "create password." I think it encompasses both.

On Sun, Jan 17, 2016 at 3:18 PM, vickie via Groups.io <vickie_00@...> wrote:
J >>> I'm now suggesting they try it from Groups.io rather than from our group's specific site.

2 areas to reset password?
In my opinion there should be only one area to reset a password. 
These members are having a hard enough time trying to figure out how to join a group.
so why give them more areas to click on.
Possibly  a drop down (help ) window can be added  next to reset password to read first to find out
what the problem may be and if that doesn't work then reset password.... Just saying.

 In fact maybe Drop down help windows  is what is needed for members   before  they join a group and in groups on tools they
are permitted to use. 
Would save moderators a lot of explaining and save Mark a lot of administrative  instructions  to  mods and the members directly. 


Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 3:02 PM
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J





vickie <vickie_00@...>
 

J >>>It's really the same place.

Ok, got it.. :)

When you " create a password" you have created
When you "reset"   your requesting a new password..   to be more specific, "Reset your password"
 

Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 6:24 PM
Subject: Re: [beta] ANOTHER DISASTER - a member reset another member's password

It's really the same place. I'm just suggesting a different way of getting there since she was having trouble the first way. I think there are still language problems related to creating or resetting passwords (and joining groups, etc. - the whole area Mark is working on). While we're at it, I would suggest using the term "create new password" as a substitute for either "reset password" or "create password." I think it encompasses both.

On Sun, Jan 17, 2016 at 3:18 PM, vickie via Groups.io <vickie_00@...> wrote:
J >>> I'm now suggesting they try it from Groups.io rather than from our group's specific site.

2 areas to reset password?
In my opinion there should be only one area to reset a password. 
These members are having a hard enough time trying to figure out how to join a group.
so why give them more areas to click on.
Possibly  a drop down (help ) window can be added  next to reset password to read first to find out
what the problem may be and if that doesn't work then reset password.... Just saying.

 In fact maybe Drop down help windows  is what is needed for members   before  they join a group and in groups on tools they
are permitted to use. 
Would save moderators a lot of explaining and save Mark a lot of administrative  instructions  to  mods and the members directly. 


Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 3:02 PM
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J








 

The reason I'm suggesting the change in language is that in some cases, the system asks people to reset their password (or click on "forgot password" and give them the chance to reset) when they actually have no password yet in the first place. Using the ambiguous "create new password" would seem to avoid the confusion, since it applies in either case.

On Sun, Jan 17, 2016 at 3:30 PM, vickie via Groups.io <vickie_00@...> wrote:
J >>>It's really the same place.

Ok, got it.. :)

When you " create a password" you have created
When you "reset"   your requesting a new password..   to be more specific, "Reset your password"
 

Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 6:24 PM
Subject: Re: [beta] ANOTHER DISASTER - a member reset another member's password

It's really the same place. I'm just suggesting a different way of getting there since she was having trouble the first way. I think there are still language problems related to creating or resetting passwords (and joining groups, etc. - the whole area Mark is working on). While we're at it, I would suggest using the term "create new password" as a substitute for either "reset password" or "create password." I think it encompasses both.

On Sun, Jan 17, 2016 at 3:18 PM, vickie via Groups.io <vickie_00@...> wrote:
J >>> I'm now suggesting they try it from Groups.io rather than from our group's specific site.

2 areas to reset password?
In my opinion there should be only one area to reset a password. 
These members are having a hard enough time trying to figure out how to join a group.
so why give them more areas to click on.
Possibly  a drop down (help ) window can be added  next to reset password to read first to find out
what the problem may be and if that doesn't work then reset password.... Just saying.

 In fact maybe Drop down help windows  is what is needed for members   before  they join a group and in groups on tools they
are permitted to use. 
Would save moderators a lot of explaining and save Mark a lot of administrative  instructions  to  mods and the members directly. 


Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 3:02 PM
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J









vickie <vickie_00@...>
 

I think reset password would give them the means to have another password to use.
 and going through the trouble to reset the password will teach them a lesson to save it  so they don't have the same problem again
I speak from experience.. lol


Vickie

 









From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 6:32 PM
Subject: Re: [beta] ANOTHER DISASTER - a member reset another member's password

The reason I'm suggesting the change in language is that in some cases, the system asks people to reset their password (or click on "forgot password" and give them the chance to reset) when they actually have no password yet in the first place. Using the ambiguous "create new password" would seem to avoid the confusion, since it applies in either case.

On Sun, Jan 17, 2016 at 3:30 PM, vickie via Groups.io <vickie_00@...> wrote:
J >>>It's really the same place.

Ok, got it.. :)

When you " create a password" you have created
When you "reset"   your requesting a new password..   to be more specific, "Reset your password"
 

Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 6:24 PM
Subject: Re: [beta] ANOTHER DISASTER - a member reset another member's password

It's really the same place. I'm just suggesting a different way of getting there since she was having trouble the first way. I think there are still language problems related to creating or resetting passwords (and joining groups, etc. - the whole area Mark is working on). While we're at it, I would suggest using the term "create new password" as a substitute for either "reset password" or "create password." I think it encompasses both.

On Sun, Jan 17, 2016 at 3:18 PM, vickie via Groups.io <vickie_00@...> wrote:
J >>> I'm now suggesting they try it from Groups.io rather than from our group's specific site.

2 areas to reset password?
In my opinion there should be only one area to reset a password. 
These members are having a hard enough time trying to figure out how to join a group.
so why give them more areas to click on.
Possibly  a drop down (help ) window can be added  next to reset password to read first to find out
what the problem may be and if that doesn't work then reset password.... Just saying.

 In fact maybe Drop down help windows  is what is needed for members   before  they join a group and in groups on tools they
are permitted to use. 
Would save moderators a lot of explaining and save Mark a lot of administrative  instructions  to  mods and the members directly. 


Vickie

 











From: J_catlady <j.olivia.catlady@...>
To: beta@groups.io
Sent: Sunday, January 17, 2016 3:02 PM
Subject: [beta] Re: ANOTHER DISASTER - a member reset another member's password

The problem seems to be that one or two members are not receiving any emails at all from Groups.io. They've checked their spam folders, they've tried everything. They've gotten as far as going to the site for the group and clicking on "forgot password," and the system promises to send them an email with a reset-passwork link, but they report not receiving the email. I'm now suggesting they try it from Groups.io rather than from our group's specific site. If it doesn't work, or nobody here can help figure out what to do, I will need to contact Mark or support on their behalf, or ask them to do that.
J