Aral Balkan

If you really want to annoy someone on LOVEFILM, enter their email address in the "Forgotten Password" screen.

Here's what happens:

1. LOVEFILM immediately changes the user's password
2. LOVEFILM emails the user with a new, random password and asks them to log in with that new password.

If you're the poor sap at the receiving end of this prank, you have to:

1. Log in with your new password
2. Go to your account and change your password

They've got this whole "forgotten password" pattern all wrong.

Here's how it should work:

LOVEFILM should send you a temporary password (e.g. valid for an hour) that you can log in with but it shouldn't disable/change your current password. That way, if someone else requested the change (either by mistake or to annoy you), you can simply ignore the email.

The way it's implemented today, LOVEFILM actually allows a random stranger to make a change to your account (change your password) and causes you to take steps to remedy that action.

If someone wanted to really piss you off, they could reset your password daily.

I only stumbled upon this because I thought I had forgotten my password and requested a new one. Then, before the email arrived, I remembered my password. But it was too late. LOVEFILM had changed my password the moment I'd entered my email address in (and so I had to wait for the email to arrive before I could login to my account).

Of course, they could also side-step all this and implement support for OpenID. That would really rock!

Comments

• LOL

  by Aral on 2008-03-22 21:13:27

• So.... what's your email address?

  by Anonymous prick on 2008-03-22 21:02:59

• That is pretty stupid indeed, I don't understand why openID is so rarly used... But Aral, weren't you a Flashprogrammer? You only write about other stuff :) (not that it is not interesting but I'd love some more swx...)

  by jankees on 2008-03-22 21:59:36

• [...] LOVEFILM forgotten password antipattern. There are sites out there that still do that? Weird. [...]

  by Hendrik Mans » LOVEFILM forgotten password antipattern on 2008-03-23 11:24:28

• Hi, Actually this mechanism for password resets (sending a reset to your registered email address) is fairly common on the web. Some sites are even silly enough to send the existing password in the clear, rather than a random reset. I guess that I could sign up for tons of spam using your email address but would you complain that there was a flaw in such a system? If I know your email address and want to cause hassles for you, there are more inventive ways of annoying you than resetting your lovefilm ID. Much more important is how personal details are protected! I'd worry more about that than a password reset. As a means of DOS attack, it would be pretty lame and easily spotted.

  by mad_dog on 2008-03-27 09:18:53

• Whats even more annoying is there doesn't currently seem to be a way to change your password once it has been reset. This has had me looking on the website for quite a while. Its in none of the obviously places.

  by Simon on 2008-07-14 18:58:29

• At least you know that they are encrypting your password. Too many websites store passwords in clear text and simple email you your existing password if you hit the "forgot password" button.

  by Jon on 2008-03-25 00:25:12

• Reminds me of very similar functionality in the popular web based Project Management solution, ProjectPier. If you just so happen to know the email address of any user in the system, you can quite simply reset their password via the "Forgot Password" screen. Absolutely ridiculous, imo.

  by James Urquhart on 2008-03-22 22:35:02