can't access my msgplus account

can't access my msgplus account - Printable Version

-Shoutbox (https://shoutbox.menthix.net)
+-- Forum: MsgHelp Archive (/forumdisplay.php?fid=58)
+--- Forum: Messenger Plus! for Live Messenger (/forumdisplay.php?fid=4)
+---- Forum: WLM Plus! Help (/forumdisplay.php?fid=12)
+----- Thread: can't access my msgplus account (/showthread.php?tid=96756)

can't access my msgplus account by BaTigolo on 02-12-2011 at 12:20 AM

i registered with the email : [ hossam.elbatigol@hotmail.com ]
then i changed the email to : [ batigolo0o@hotmail.com ]
then the site redirected me to the page : [ http://www.msgplus.net/SpecialPages/logon.aspx?returnurl=/Support.aspx ]
then i tried to log in but there was amessage : [ Your login attempt was not successful. Please try again. ]
and i tried to log in with the old email but the same message
why ?

RE: can't access my msgplus account by BaTigolo on 02-24-2011 at 03:17 AM

solution please.....

RE: can't access my msgplus account by Sunshine on 02-24-2011 at 09:26 AM

You wrote a comma instead of a dot in batigolo0o@hotmail.com, that's why it did not recognise your email adress. I've changed the comma to a dot now and generated a new password just in case you forgot your pw too. You can change the pw into anything you want (I can not see what it is or was set too). You should receive an email about the password. If not, get back to me here.

RE: can't access my msgplus account by CookieRevised on 02-24-2011 at 05:29 PM

quote:
Originally posted by Sunshine
You wrote a comma instead of a dot in batigolo0o@hotmail.com, that's why it did not recognise your email adress.

Isn't that a bug in the system then?
Because AFAIK commas are not allowed in email addresses, or at least not in the place where it was.
Maybe a better/stricter email validator would prevent such booboos

RE: RE: can't access my msgplus account by BaTigolo on 02-25-2011 at 04:15 AM

quote:
Originally posted by Sunshine
You wrote a comma instead of a dot in batigolo0o@hotmail.com, that's why it did not recognise your email adress. I've changed the comma to a dot now and generated a new password just in case you forgot your pw too. You can change the pw into anything you want (I can not see what it is or was set too). You should receive an email about the password. If not, get back to me here.

really thanks sooooooooo much

RE: RE: can't access my msgplus account by V@no on 02-25-2011 at 05:59 AM

quote:
Originally posted by CookieRevised

quote:
Originally posted by Sunshine
You wrote a comma instead of a dot in batigolo0o@hotmail.com, that's why it did not recognise your email adress.
Isn't that a bug in the system then?
Because AFAIK commas are not allowed in email addresses, or at least not in the place where it was.
Maybe a better/stricter email validator would prevent such booboos

indeed. And if you guys are planning update the account-related script, please consider change the way "forgot password" code works:
after user submitted their email address, send a link (with some unique hash/id, which could be a MD5 hash from old email + new email, granted it would require an aditional field in the users database). The user then will require visit that address where they can change their password.
This method will help if: a) email address is no longer valid and later user remember their password. b) somebody else submitting your email, therefore messing up your current password.

The same could be applied to email change routine. It would prevent from accidents as in this topic.

RE: can't access my msgplus account by CookieRevised on 02-25-2011 at 08:16 PM

quote:
Originally posted by V@no
after user submitted their email address, send a link (with some unique hash/id, which could be a MD5 hash from old email + new email, granted it would require an aditional field in the users database). The user then will require visit that address where they can change their password.

... although it shouldn't be a hash of the old and new email address because that can easily be guessed, calculated and abused too. It should be like in any other 'forgot pwd' system: just a random GUID, impossble to guess, and which expires after a very short time. Otherwise it will not solve your point B either.

And as for your point A: that can't be solved like that in a secure way. The user must always have access to the email address he provided when he signed up, otherwise he is out of luck. The ability to enter an alternative email address to send the link to, without any further validation, is a very massive 'no-no' and an open door for hacking. Stuff like this is usually solved by setting an alternative email address in your user profile _after_ you have successfully signed in (thus with the correct password); it is never asked, and should never be asked when you click a "forget pwd" link. The user should be able to select the option to send the link to his lternative email though, provided he set one up before.

Either way, yes, that "forget pwd" system should indeed be revised too.