[aur-general] Registering, misspelling email, losing account

Sun Jul 26 20:01:11 UTC 2015

Hello, everyone!

So today I decided to contribute to AUR and register an account.
I was pretty surprised by the fact that registration form asked me about
SSH and PGP key information, but never asked me about password. At the
moment, I was impressed. Not for long, though. I was pretty confused by
the fact that I will receive a "reset password" email. Soon after that,
I realized that it might be some kind of "account confirmation". The
common way of confirming emails is using some "confirmation link".
Keeping it simple, AUR got rid of such an ugly feature and basically
confirms that email is correct by letting the email owner set the
password. Great idea, right?

Wrong.

I would love to call it a great idea. It really follows "keep it simple"
principle. Instead of implementing email confirmation, AUR seems to use
the simple principle: "If you can set the password, you're definitely
the legitimate owner". I would have supported this concept if it wasn't
for one thing: I can't access my own account.
That's right, I messed up. Instead of typing fastmail.com, I typed
fastmai.com. And now there is no way I can access my account. The only
option is to send an email to this mailing list describing my problem
and hope that somebody will help me out. Basically, that's what I'm
doing right now.

People tend to make mistakes. I'm not the only one who messed up during
registration. And there is no easy way to get our account back. Mailing
list is not the best option for account recovery. What if the misspelled
email exists and the owner decides to proceed and register? What if the
owner decides to do nasty things using my username, full name and email
that looks alike? That would affect my reputation in the community since
it's difficult to prove that I was not the bad guy. 
The usual "account activation" prevents this stuff. A lot of web sites
do not automatically log user in after account confirmation, so it kind
of prevents malicious activity (the bad guy doesn't know the password,
you see). 

I would love to see the community grow as much as I would love to get my
account back, so I wrote this message in a way that might start a
discussion. 
I might be wrong about "bad design", though. So I welcome replies that
explain why this design is better than others. 

And by the way, the fact that you can use an unused (not registered)
email in account recovery and not get any errors is frustrating. Took me
8 hours to realize that it says "okay", even though the email is not in
use. Please, do something about it!

--
  Best regards,
  Igor Morozov
  moroz at fastmail.com