by estaseuropano
1977 days ago
Wow I just had to reset my password and am stunned how broken this process is.

1. Click reset password
2. You enter your email and new password (already here!)
3. A password reset request has been received for your Matrix account. If this was you, please click the link below to confirm resetting your password: [link] If this was not you, do not click the link above and instead contact your server administrator. Thank you.
4. Text page with the sentence "You have requested to reset your Matrix account password" but a button saying "Confirm changing my password"
5. Button clicked, password is set to the one entered in step 2.

This just absolutely is waiting for abuse. Every other site asks you to enter the new password after you have clicked the link. Here it's before you have clicked and there is no option to see or confirm the password entered initially. There is no indication that that is what's happening. In addition the word 'reset' is confused with 'change'. Super easy for anyone - even the most techie user - to be fooled by this workflow. Someone else initiates the request and enters a new password, grandma gets the reset link and clicks it, password is changed and the other party can login and change also the email.
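The design difference the comment above describes, as an added example that is not part of the original post and not the Matrix server's code: a toy reset service where one flow stages the password at request time and the other accepts it only from whoever presents the emailed link. The class, its method names, the 600-second lifetime and the sample address are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

TOKEN_TTL = 600  # seconds a reset link stays valid (assumed value)

def _digest(token):
    # Store only a hash of the token so a leaked table does not leak live links.
    return hashlib.sha256(token.encode()).hexdigest()

class ResetService:
    """In-memory toy account store; all names here are hypothetical."""

    def __init__(self):
        self.creds = {}    # email -> (salt, PBKDF2 hash)
        self.pending = {}  # sha256(token) -> (email, expiry, staged password or None)

    def _issue(self, email, staged):
        token = secrets.token_urlsafe(32)
        self.pending[_digest(token)] = (email, time.time() + TOKEN_TTL, staged)
        return token  # a real server would mail this link to the account owner

    def request_staged(self, email, new_password):
        # Flow from the post: the password is fixed by whoever fills in the form.
        return self._issue(email, new_password)

    def request_hardened(self, email):
        # Usual flow: the request carries no password at all.
        return self._issue(email, None)

    def confirm(self, token, new_password=None):
        entry = self.pending.pop(_digest(token), None)  # links are single use
        if entry is None or entry[1] < time.time():
            return False
        email, _, staged = entry
        chosen = staged if staged is not None else new_password
        if not chosen:
            return False
        salt = os.urandom(16)
        self.creds[email] = (salt, hashlib.pbkdf2_hmac("sha256", chosen.encode(), salt, 100_000))
        return True

    def check(self, email, password):
        salt, stored = self.creds.get(email, (b"", b""))
        guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt or b"x", 100_000)
        return bool(salt) and hmac.compare_digest(guess, stored)
```

In the staged flow a bare click on the link is enough to apply a password the clicker never saw; in the hardened flow the same click changes nothing until the link holder supplies a password.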
I would have to spend hours getting my family signed up for this thing.