Design/UX #7722


Password Reset Issues

Added by scott voth over 7 years ago. Updated over 6 years ago.

Priority name:
Category name:
User Experience
Target version:
Start date:
Due date:
% Done:


Estimated time:
Deployment actions:


I was at Lehman yesterday, doing outreach, and two Commons members needed to reset their passwords. Both had the same issue - the email sent to them had two url links - the first one was underlined, so they automatically clicked on that one, and it just returned them to the Commons Home page. The second url was actually the correct one. It was not underlined and was not clickable. They had to cut and paste it into the browser in order to reset their password.

Actions #1

Updated by Boone Gorges over 7 years ago

Scott - Do you have any information about what the URLs were? What was the format of the URLs that worked, and what was the format of those that did not?

Actions #2

Updated by scott voth over 7 years ago

I don't know if you can look into the log - but if so, one was for Madeline Cohen. It could be that their email client was not set up to accept html. The urls were just that, really long urls. The second one was enclosed by < >, maybe the reason it did not render as a link? I was just looking over their shoulders, but it seemed like their wasn't that much to the confirmation email except for those 2 links.

Actions #3

Updated by scott voth over 7 years ago

Sorry, didn't quite answer the question. In both cases the first url took them to the home page. The second url was the one that allowed them to reset the password.

Actions #4

Updated by Boone Gorges about 7 years ago

Thanks, Scott. Were they both using Lehman email accounts? Do you remember the email service that Lehman uses? Was it Office 365, or something like that? It's likely that this is an issue with the way that the specific email client builds links.

Actions #5

Updated by scott voth about 7 years ago

It was in a room with computers that were wiped out clean each day (according to Madeline). Basically a big classroom. I am pretty sure they were using Lehman accounts. It looked like Outlook - they were windows machines.

Actions #6

Updated by Matt Gold about 7 years ago

Should we try to get a copy of one of the emails?

Actions #7

Updated by Boone Gorges about 7 years ago

One of two things is probably happening. One is that the receiving email server is filtering anchors in emails - I think that the GC's email server used to do this. This kind of filtering could potentially break the link. The other possibility is that the email client (in this case, it sounds like it's probably the web client, which is closely associated with the incoming email server) is mangling the <link in brackets>. Having a copy of the email would only really help in the first of these cases.

The critical piece of info here would be this: Exactly what happens when the link is clicked? Does it first try to visit one URL, but then redirect to another one? Another way of asking the question is: what URL shows in the browser status bar when hovering over the link?

For reference, the email content generated by the Commons on password reset looks like this:

Someone has requested a password reset for the following account:

Username: teststudent

If this was a mistake, just ignore this email and nothing will happen.

To reset your password, visit the following address:


There is only a single URL, and it's not natively a link - it's just between brackets. If there are two versions of the URL in the incoming email, it's likely a result of the email client doing same magic when it sees the bracketed URL.

Actions #8

Updated by Boone Gorges about 7 years ago

  • Target version set to Not tracked
Actions #9

Updated by Boone Gorges over 6 years ago

  • Assignee changed from Chris Stein to scott voth

Scott, did you manage to get a copy of the email sent, with an eye toward answering my question above? This feels like an important issue to address, though we currently don't have quite enough info to know exactly what might be happening.

Actions #10

Updated by scott voth over 6 years ago

I did ask, but never got a response. Do you need me to follow up with them?

Actions #11

Updated by Boone Gorges over 6 years ago

  • Status changed from New to Abandoned

Hi Scott - If they never responded, it suggests they don't need help anymore. I'm going to close this out, but let's be sure we reference back to this ticket if we hear more instances of password-reset links being mangled by email clients.


Also available in: Atom PDF