The password recovery process gets discussed from time to time, but nothing ever happens. Well, maybe a significant number of customers are perfectly happy with the status quo.
So if anyone likes the way things are, I invite them to say so here, and why. To set the scene, I will say what happens now; then I will say what I think is wrong with it. Then (as a probably irrelevant appendix) I will say what I think should happen.
(1) WHAT HAPPENS NOW
On the panel login screen, anyone can enter any email address and press the “please email me my password” button. If the email address corresponds to an active dreamhost account, the password for that account is immediately emailed to that address.
(2) WHAT IS WRONG WITH IT
First, three lemmas:
Lemma 1: dreamhost actively encourages the use of gmail
Lemma 2: gmail actively discourages deletion of messages
Lemma 3: the dreamhost password recovery email actively encourages you not to fret
So: if you behave as actively encouraged to do by dreamhost and gmail, if you (or indeed anyone else) have ever invoked the dreamhost password recovery mechanism on your email address, then there will be an old message sitting in your gmail account worded as above, and you will not be fretting about it.
This means that whenever you are logged into gmail, if anyone (your prankster brother-in-law, for example) gets hold of your keyboard, while your back is turned for just a few seconds, they can do a quick “search mail” for the text “don’t fret”, which will bring up any emails which dreamhost has sent you containing your password. They can then return the screen to your inbox, and when you come back a few seconds later, you will be none the wiser. I just tried it, and the process took 7 seconds.
(3) QUESTION: is anyone happy with this?
(4) WHAT I THINK SHOULD HAPPEN
I’m adding this section so that people don’t get the idea that doing things properly would make the process horribly complicated. It’s actually really simple. The password recovery button should cause an email to be sent to your email address, containing a time-limited invitation to a dialog that asks you your security question and then reveals your password.
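The flow proposed in section (4), sketched as an added example that is not part of the original post and is not DreamHost's code: the email carries only a random, single-use, time-limited token, and the security question is checked when the token is redeemed. The 15-minute lifetime, the in-memory stores and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 15 * 60   # assumed invitation lifetime
ACCOUNTS = {}           # email -> (salt, hash of security answer); stand-in for a database
INVITES = {}            # sha256(token) -> (email, expires_at); the raw token is never stored

def _answer_hash(answer, salt):
    # Normalise, then stretch, so a leaked table does not expose the answers directly.
    norm = answer.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 200_000)

def register(email, answer):
    salt = secrets.token_bytes(16)
    ACCOUNTS[email] = (salt, _answer_hash(answer, salt))

def issue_invitation(email, now=None):
    """Return the token to put in the emailed link, or None for an unknown address.
    The caller should show the same on-screen message in both cases."""
    now = time.time() if now is None else now
    if email not in ACCOUNTS:
        return None
    token = secrets.token_urlsafe(32)
    key = hashlib.sha256(token.encode()).hexdigest()
    INVITES[key] = (email, now + TTL_SECONDS)
    return token

def redeem(token, answer, now=None):
    """Return the account email if the dialog may proceed, else None.
    The invitation is consumed on the first attempt, right or wrong, so an old
    email found by searching the mailbox is worthless and answers cannot be
    guessed repeatedly against one link."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = INVITES.pop(key, None)
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    salt, expected = ACCOUNTS[email]
    if not hmac.compare_digest(_answer_hash(answer, salt), expected):
        return None
    return email
```

With this shape, the message left sitting in the mailbox contains nothing that still works after the lifetime has passed or the link has been used once.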