Password hashing and support for your users

Tags: passwords, technical-support, user-experience

We've recently moved to a better password storage strategy, and with it came all the good stuff:

  • Passwords are stored after going through bcrypt.
  • The user is sent an activation link on account creation to confirm ownership of the address.
  • Forgot-password without a security question: a link is sent to their email.
  • The link expires after 24 hours, at which point they will need to request a new one.
  • If the account is created by our staff, an email is sent with a random strong password in it. Upon logging in, the user has to reset it to something we don't know and that is bcrypt'd.

Now this is in accordance with the "best practice" around, but it increased our number of support requests a lot, from regular users who don't understand all this; they just want to log in.

We often get requests from users who complain about:

  • Incorrect password (with the one they need to reset, they often paste it with a space at the end). They tell us what they are using, but we have no way of telling them what their actual password is.
  • Saying they aren't receiving the email we send them (activation, reset, etc.). This is often not the case; after much troubleshooting we usually find out that they made a typo in the email address, that they aren't checking the right email account, or that it simply went to the spam folder.

We of course cannot try it for them, as we don't have the password. We are logging the failed attempts, but we also clear the password they used, since it's likely to be the password used for another account and we didn't want to store it in a plain-text log file. This leaves us with pretty much nothing to help them when they report problems.

I’m curious as to how most people deal with issues like these?

Best Answer

Incorrect password (with the one they need to reset, they often paste it with a space at the end). They tell us what they are using, but we have no way of telling them what their actual password is.

Fixable by instead including a link with a one-time GUID that logs them in and forces them to reset the password. Don't force the user to copy-paste. (Also, why not strip whitespace at the end of the password in your form?)

Saying they aren't receiving the email we send them (activation, reset, etc.). This is often not the case; after much troubleshooting we usually find out that they made a typo in the email address, that they aren't checking the right email account, or that it simply went to the spam folder.

Make sure your outgoing e-mail is de-spammed (maybe set up test accounts on some common mail services), log anything that happens, and maybe report that to the user if they try to request a new reset (i.e., "mail to johndoee@gmail.com failed, user not found, did you spell it correctly?"). Also, be clear to users about spelling and spam issues.

OpenID and other third-party auths are also an option, as others have said.
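The flow the question sets out and the fixes the answer proposes, as an added worked example that is not part of the question or the answer: a staff-created account gets a single-use, 24-hour login link instead of a random password in the mail; only a hash of the link token is stored; trailing whitespace is stripped from pasted passwords; the mail provider's delivery outcome is logged per address and reported back on the next reset request. Everything here is an assumption for illustration: the `AuthService` class and its method names, the in-memory account store, the `deliverable_addresses` set standing in for a real mail provider, and the injected `clock`. The post uses bcrypt; this example uses the standard library's PBKDF2-HMAC-SHA256 in its place so it runs without third-party packages.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 24 * 3600   # the 24-hour link expiry from the question
PBKDF2_ROUNDS = 100_000         # assumption: stand-in for bcrypt's work factor

def hash_password(password: str) -> bytes:
    # The post uses bcrypt; salted PBKDF2-HMAC-SHA256 is a dependency-free stand-in here.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)

def normalize_password(raw: str) -> str:
    # Drop the trailing whitespace that copy-pasting a password out of an e-mail commonly adds.
    return raw.rstrip()

def token_fingerprint(token: str) -> bytes:
    # Only a hash of the link token is stored, so a copied database yields no usable links.
    return hashlib.sha256(token.encode()).digest()

@dataclass
class Account:
    email: str
    password_hash: bytes = b""
    must_reset: bool = True       # stays set until the user picks a password nobody else has seen
    token_hash: bytes = b""
    token_expires: float = 0.0

class AuthService:
    def __init__(self, deliverable_addresses, clock):
        self.accounts = {}
        self.deliverable = set(deliverable_addresses)  # constructed stand-in for the mail provider
        self.outbox = []          # (address, token) pairs the stand-in mail server delivered
        self.delivery_log = {}    # address -> last delivery outcome, for support staff and the UI
        self.clock = clock

    def _send_link(self, email: str, purpose: str) -> None:
        acct = self.accounts[email]
        token = secrets.token_urlsafe(32)
        acct.token_hash = token_fingerprint(token)
        acct.token_expires = self.clock() + TOKEN_TTL_SECONDS
        if email in self.deliverable:
            self.outbox.append((email, token))
            self.delivery_log[email] = f"{purpose} mail delivered"
        else:
            self.delivery_log[email] = f"{purpose} mail bounced: user not found, did you spell it correctly?"

    def create_account(self, email: str) -> None:
        # Staff-created account: a one-time login link instead of a random password in the mail.
        self.accounts[email] = Account(email=email)
        self._send_link(email, "activation")

    def request_reset(self, email: str):
        # Behaves the same whether or not the address exists, so the form does not enumerate
        # accounts; the returned previous delivery outcome is what lets the user spot a typo.
        previous = self.delivery_log.get(email)
        if email in self.accounts:
            self._send_link(email, "reset")
        return previous

    def redeem_token(self, token: str):
        # Single use: the stored hash is cleared on first presentation; expired links are refused.
        fingerprint = token_fingerprint(token)
        for acct in self.accounts.values():
            if acct.token_hash and hmac.compare_digest(acct.token_hash, fingerprint):
                acct.token_hash = b""
                if self.clock() > acct.token_expires:
                    return None
                acct.must_reset = True
                return acct
        return None

    def set_password(self, acct: Account, new_password: str) -> None:
        acct.password_hash = hash_password(normalize_password(new_password))
        acct.must_reset = False

    def login(self, email: str, password: str) -> bool:
        acct = self.accounts.get(email)
        return (acct is not None and not acct.must_reset
                and verify_password(normalize_password(password), acct.password_hash))

def demo() -> dict:
    now = {"t": 1_700_000_000.0}                                 # constructed clock
    svc = AuthService({"jane@example.com"}, clock=lambda: now["t"])
    svc.create_account("jane@example.com")
    _, token = svc.outbox[-1]
    svc.set_password(svc.redeem_token(token), "correct horse battery staple ")  # trailing space
    results = {"login_after_reset": svc.login("jane@example.com", "correct horse battery staple"),
               "link_reused": svc.redeem_token(token) is None}
    svc.create_account("janee@example.com")                      # typo'd address: nothing arrives
    results["bounce_reported"] = svc.request_reset("janee@example.com")
    svc.request_reset("jane@example.com")
    _, late = svc.outbox[-1]
    now["t"] += TOKEN_TTL_SECONDS + 1                            # open the link a day too late
    results["expired_refused"] = svc.redeem_token(late) is None
    return results
```

Calling `demo()` walks the four cases from the thread: the pasted password with a trailing space still logs in, the link cannot be redeemed twice, a request for the misspelled address comes back with the earlier bounce so the user can see the typo, and a link opened after 24 hours is refused. The token is never written to the store, only its SHA-256, so the account table and the log files hold nothing that could be replayed; the password tried on a failed login is likewise never recorded.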
