Should a user be logged in after resetting their password?

by Mars Robertson   Last Updated August 07, 2019 03:16 AM

Let's assume the following flow:

  1. I want to log in
  2. I don't remember password
  3. I click on the "forgot my password" link (email is dispatched)
  4. I check my inbox and click on the link
  5. I type in a new password
  6. Done

Why, after performing these steps, am I not logged in but instead presented with a log-on screen? If we refer back to 1. then it seems obvious that I would like to log in.

Are there any use cases when someone would like to change their password via the "forgot my password" link and then not log in? Unless I'm missing something obvious, the intention is clear and the identity was established by using the reset link from the email.

Please tell me your thoughts: should the user be logged in after resetting the password?

Related: Should confirm email links autologin if the user is not logged in? (my answer would be yes)



Answers 5


In my opinion: YES.

The authentication has been done when the password is reset, so the user could be logged in. And it annoys the hell out of me when after password reset I'm not logged in.

I can't think of any case in which I wouldn't want to be logged in after resetting the password. Why would I even ask for a password reset if I don't want to log in?

Samuel M
May 29, 2013 05:01 AM

For the vast majority of situations users should be logged in once they have reset their password. Essentially, once you've authenticated someone enough for them to change a password, you've also authenticated them enough for them to perform the task that they likely wanted to perform.

There are however some relatively rare situations where this isn't feasible:

  • Where you have a username for a system, but it isn't clear which site you need to log into. For example, if you're an accountant and have a username / password for an online accounting system that you use for many clients. Often there will be separate domain names for each client such as client1.accounting.com and client2.accounting.com. Here resetting your password would apply across all related sites, but it isn't clear which site you should log into.

  • If the authentication is handled by a separate system from the application. It's not that it wouldn't be good UX to do this, just that it may be a large technical headache, and so not considered worth the cost.

JohnGB
May 29, 2013 07:29 AM

No. While it seems to be annoying, I see four problems with not having to enter the login information again:

  1. I will remember my new password better if I have to type it once more. (I keep forgetting my new e-banking password because I don't have to re-enter it, and I of course don't store it in the browser.)
  2. If I want to store the password, the browser PW manager is sometimes confused by the PW change and is not able to treat it properly; this is not the case when I enter a different PW into the standard login form.
  3. Having to use the password is the best way to make oneself sure that the password has been really changed.
  4. (security) IMHO it's better when a user logs in only by the LOG IN button and never by anything else like a CHANGE PASSWORD button.

yo'
May 29, 2013 10:24 AM

Why not create two buttons "Change password & Login" and "Just change password"? Having another option doesn't hurt in my opinion.

Mark Vizcarra
June 16, 2013 07:38 AM

The situation is a bit controversial. Actually, it depends upon the user's perspective and how the user reacts depending upon the situation.

We can explain the situation from two points of view:

  1. From the user's point of view, it is obvious that he/she may think of not entering the password again once he/she has changed it. In that case the user may be annoyed and think that re-entering the password is a sheer waste of time. So, it is correct not to enter the password again.

  2. From the technical perspective (especially the testing point of view), it may happen that the user logged in to the account a few days back using another device, like a mobile, tablet, etc.

So, once the password is reset, then the user is again prompted for entering the new password so that the confirmation will be sent to the system as the password is changed. Hence it is required to enter the password again.

talktokets
June 16, 2013 09:01 AM
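The six-step flow from the question, as an added example that is not part of this thread: an in-memory Python model that consumes the emailed reset token once, rejects expired links, re-hashes the password, revokes the sessions on other devices (the case the last answer raises) and returns a fresh session for the user who just proved control of the mailbox. The store, the 15-minute token lifetime, the KDF choice and all names are assumptions.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime of a reset link

def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 keeps the example dependency-free; pick the KDF your stack standardises on
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class User:
    email: str
    salt: bytes
    password_hash: bytes
    sessions: Set[str] = field(default_factory=set)  # live session ids across all devices

class ResetFlow:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (email, expiry)

    def add_user(self, email: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = User(email, salt, hash_password(password, salt))

    def request_reset(self, email: str, now: float) -> Optional[str]:
        # Step 3: the raw token goes into the email; only its hash is kept server-side
        if email not in self.users:
            return None  # unknown address: nothing to send
        token = secrets.token_urlsafe(32)
        self.pending[hashlib.sha256(token.encode()).hexdigest()] = (email, now + RESET_TTL_SECONDS)
        return token

    def complete_reset(self, token: str, new_password: str, now: float) -> Optional[str]:
        # Steps 4-6: the link is single-use and time-limited; success returns a fresh session id
        entry = self.pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
        if entry is None:
            return None  # unknown or already used
        email, expiry = entry
        if now > expiry:
            return None
        user = self.users[email]
        user.salt = secrets.token_bytes(16)
        user.password_hash = hash_password(new_password, user.salt)
        user.sessions.clear()  # revoke every other device, the case the last answer raises
        session_id = secrets.token_urlsafe(32)
        user.sessions.add(session_id)  # the emailed link proved identity, so log the user in
        return session_id
```

Whether to hand the returned session id to the browser or to show the login form instead is exactly the UX choice debated above; the token handling and session revocation stay the same either way.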
