Invited users are ignoring the set password email

(Keith Davis) #1

Is there no way to do this without using the password reset email? People are used to the pattern of being able to change their password from within this account.

If not, why this deviation from the established pattern?

The main reason this is a problem is that the initial login is very confusing, people don’t know they need to change their password or they get impatient and send a second reset that invalidates the first and that also confuses people.

Is there any way to handle this?

(Mittineague) #2

A possible problem with changing passwords from “within” is that if the new password is lost or forgotten there is no way back in.

With email confirmation the original can still be used

Fells like a six of one, half dozen the other situation

(Keith Davis) #3

I’m not sure what you mean. Most systems allow a password reset email, but it’s not the primary mechanism. We did some user testing and at least 2 of the users, one who is pretty technical got confused by this process.

The biggest problem with this system is the way it occurs for new sign-ups. The system logs you in with no password, then if you don’t realize you have to use a second email to change your password, then the first email can time out or if you click the reset password email while signed in the first time, then it invalidates the first email and then you have to know to use only the second email.

The fact is that this diverges from the accepted norm and causes user confusion.

(Jeff Atwood) #4

Are you referring to invites? I can’t understand what you have written. Users are prompted for password at signup unless they use Google, Facebook, etc.

(Keith Davis) #5

Yes, we new users by invite only, but I’m not sure what you are asking.

We want users to be able to change their password from within their user account on the website, the current method is causing users confusion.

(Lew Grothe) #6

We have a site that people are added by invite only (no signups, no other authenticator).

The specific situation we ran into is the following:

  1. Person is invited by a community member.
  2. Since the invite is from a member, a link is sent which places the invitie directly into the forum.
  3. The first time the invitie follows the invitation link, Discourse sends them a “change password” email.

That’s where we’ve had confusion. New members don’t notice or ignore the change password email and try to go back in with the previous link which then tells them they need to reset their password.

If they get another change password email (forgetting or ignoring the first one), then use the original password email, it will have been expired…

Anyway, I guess what we’d like is that instead of #3 above, on initial access of the site, you simply set the password off the invite response link.

(Jeff Atwood) #7

The goal of invites is to get people logged in and posting immediately. We don’t have plans to add friction to the invite accept process by popping additional input dialogs at this time. You could sponsor the feature if you wish by purchasing a business hosting plan.

We did improve invites in 1.8 to include letting people specify username, password, etc – or they can skip.

(Mittineague) #8

Thinking a bit more on it, I guess as long as an “I forgot” is on the login modal even if the password was editable in Preferences and then forgotten there would still be the email as a fallback.

As to new members missing the “you need to set a password”, I haven’t checked, but IIRC the copy was improved to lessen that possibility.

(Felix Freiberger) #9

I think you can reduce this pain by setting invite passthrough hours to a few days, giving users time to react to the original please-set-a-password mail.

(Maybe this setting should have a non-zero default.)

(BM) #10

Hi all,
Hoping a Discourse expert can help out with a similar issue. I’m an admin on an invite-only forum, with some users that are not tech savvy.

I have invited a user by generating an invite link and emailing it, the user follows this link and then proceeds to set up their account. They click the ‘Set Password’ button, however this email is not received. They have some unusual spam guard program that’s probably blocking it, and although I’ve tried to troubleshoot this as well, I’ve no luck so far with the usual junk folder/safe domain/settings etc.

Is there a way for admins to generate the link created in the ‘Set Password’ email, or any other way I can manually get this information to the user?

Thanks in advance.

(Allen - Watchman Monitoring) #11

I wonder what the current state of affairs is with this…

My hope would be that resetting one’s password wouldn’t require the use of the Set Password link … since I’m sure it’s ignored by many.

I run four private Discourse and while I haven’t heard any complaints, I don’t know how many people aren’t participating because they haven’t put much effort into getting logged in [after missing/ignoring the set password email]

(Kyle McAlpine) #12

We’re experiencing that users are not receiving this set password email after clicking the invite link.

Anyone know why (@codinghorror perhaps)?

Running v1.6.0.beta12 +45.

EDIT: I’ve actually just noticed that the instructions for setting password that you’re talking about may be the one in the message sent via Discourse in the welcome message.

I’m talking about making the Invite Password Instructions email being sent. How do I get that to happen on user invite acceptance? Is it some config thing? Can’t find it anywhere.

Also, how do I customise the message that welcomes users?

Email to set password not sent out after invitation
(Stephen Chung) #13

Yes, I’m running an invite-only forum and the set-password emails are all caught by spam filters. IMHO this issue must be resolved in order to have a reasonable user experience.

(Jeff Atwood) #14

Have you used the “send test email” function via to verify you have email configured correctly on your server?

(Stephen Chung) #15

Of course. That’s when I first found out about this issue. Now my company’s spam filter will let the test email through, it continues to quarantine the set pwd email.

I have whitelisted the sender domain on the spam filter to solve this but really not a great idea security wise.

Also I can’t control other peoples spam filters…

(Jeff Atwood) #16

OK, if you are clean on there’s nothing to be done, really…

You could go to Admin, Customize, Text to change the copy in the change password email if it is some “magic word” that the company’s spam filter is blocking on.

(Stephen Chung) #17

That’s sounds like a workable idea… Let me try it out and set the texts to something far from spam like…