
I've never found myself in a situation where I REALLY need to reset a password to a free web service.

I've had to reset school and bank related passwords, which I've done in person or over the phone.

I have reset passwords for free web services, but I could've lived with just making a new account. If I forgot my password, it's because I'm not using it - if it's free and I'm not using it, chances are I don't really care about it.

I've never had to reset my password for free web services I CARE about, because I use them regularly.

What I'm getting at is - do free services really need unverified password resets? If it's a paid service, it's easier to justify the cost of phone support.



If you keep your company's business in a Basecamp account, and you lose the password, what are you going to do? Give up and spend the money for a new Basecamp account?

People forget passwords all the time. Spend some time in an F2k IT department; they have whole teams of people and actual application development projects dedicated to trying to solve this one problem.


Basecamp isn't free, so they can likely devote a few more resources to a slightly more stringent password reset system than, say, icanhascheezburger.com.

What I was trying to put forward for discussion is the idea that if a site can't do password resets "properly" (by phone? or something more secure than the example given in the article) then maybe it shouldn't do it at all, and that this might not be as catastrophic for the user as it seems, since the site is less likely to be essential.

Looking at what I use online:

- all my server stuff: Extremely important, but it's my own problem.

- online banking, bills, etc: Important stuff, not free. I'd be really upset if I got permanently locked out, but all can be reset by phone.

- Digg, Reddit, News.YC, even Facebook: Not important stuff, free. I wouldn't really care if I have to make another account.

- Gmail: This is the only one which doesn't fit. However, I use it daily, so I'm not going to forget my password. On the flip side, if I used it only once a year, it obviously wouldn't be that important to me.

Yeah, I know it's not very realistic, and it's probably not something I'm willing to practice myself. Consider it a thought experiment.



