
I have a question about the email notification users get when a new account is created for them. The notification currently gives users a link to “reset” their password. I am worried this is confusing, as users are accessing the platform for the first time and have never created a password before, so they have no password to “reset.” Rather, I would like all messaging to refer to “creating a password.”

Does anyone have advice on how to configure messaging to be centered around “creating a password,”  rather than resetting a password? 

 

Email received by new user: 

After user clicks on “Reset your password” link:

 

 

@meaganp I totally agree with you. Having a ‘reset password’ is very confusing. The problem is that emails can be intercepted and “live” passwords are not a good thing to have.

The best alternative that I’ve found is to use a standard temporary password (like Changeme1), and not use the password short code. Then be sure to configure the account to force a password reset on the first login.

Doesn’t solve the security issues 100% but it does help with the confusion.


@KMallette Thank you so much! You are always so helpful. 


You can change the language with the Localization app... some examples of what you can change:

 


@meaganp is there a way for you to change the accepted answer?  @lrnlab has provided a much more on point answer than the one that currently shows up as the “best answer” and it’s better for security too.


I agree. It would be very helpful if Docebo could create the option to set a temporary standard first log in option for large numbers of users (other than potentially by CSV file upload). With so many new users entering our system with varied degrees of comfort with technology, the process of explaining the initial reset password process in both the desktop and Go.Learn App formats has been very challenging.

I did change the wording in our notification and also created a document to walk people through the options and steps for password reset with screenshots. We also created a video tutorial to share with new users. Although helpful tools for our users, this was a time-consuming process and it seems there should be an easier way.

Docebo - please add this feature as it would be so helpful! Thank you.


Good topic, thanks for the input, y'all. We were using the solution of giving people a temp password and making them change it, but when we installed our Salesforce integration and user sync (which works great) -- the only downside is the newly created users can’t have a password set by the Salesforce contact sync.

 

 

In our “welcome email”, I used HTML and the shortcode [user_password]… but I manually set the text to “Set Your Password”.

 

Your username is: client15
Please click the following link to login and Set Your Password.

 

 

which takes you to the Recover password page on the login screen

 

Now if I can just change “Recover password” to “Set your password for the first time or Recover password” then I’ll be all set!


 

Now if I can just change “Recover password” to “Set your password for the first time or Recover password” then I’ll be all set!

You can change that in the Localization Tool.  We are doing some similar things to try to make this convoluted process make sense.  

 


Very good topic. The workflow is far from optimal. Since we cannot customize these notifications, we are facing issues with our biggest customers. They can live with a password reset not being customized, but if this happens at the start of a user’s journey, it’s understandably a different thing… 😒

The workflow is currently:

User receives link to reset password page > User enters username > User receives a link to set password > User sets password

If we could at least skip the first two steps and get directly to a link to set password, this would be a great step forward. 😊

I just wanted to check if an idea already exists for this, but I was unfortunately too late. 😀

 


@meaganp I totally agree with you. Having a ‘reset password’ is very confusing. The problem is that emails can be intercepted and “live” passwords are not a good thing to have.

The best alternative that I’ve found is to use a standard temporary password (like Changeme1), and not use the password short code. Then be sure to configure the account to force a password reset on the first login.

Doesn’t solve the security issues 100% but it does help with the confusion.

@KMallette How do you create a standard temporary password (like Changeme1)? We bring all our users in through API and I’m trying to figure out if there’s a standard password.


@jessica.alexander you will need to add a password column in your input file and pre-populate it with your default password.


Oh yes, that makes sense. Thank you!


Happy to help.


@meaganp I totally agree with you. Having a ‘reset password’ is very confusing. The problem is that emails can be intercepted and “live” passwords are not a good thing to have.

The best alternative that I’ve found is to use a standard temporary password (like Changeme1), and not use the password short code. Then be sure to configure the account to force a password reset on the first login.

Doesn’t solve the security issues 100% but it does help with the confusion.

@KMallette How do you create a standard temporary password (like Changeme1)? We bring all our users in through API and I’m trying to figure out if there’s a standard password.

Just a little word of caution here. As discussed above, having a standard password hard-coded in the notification involves an information security risk, meaning that all personal information for a user - and eventually other users - is at risk. It doesn’t mean that you should not take the risk. I know how hard those issues can be to resolve. But we should be aware of it and develop processes accordingly. Here are some examples:

  • Limit the scope of this process to “simple” users (power users and superadmins have more permissions on the system and should be handled with more care).
  • When you create users, only send the most necessary information to the LMS, leaving more details to be filled out by the user.

A good practice is to imagine what would happen if someone was able to intercept the password, use the account and see the information about the user. Besides being able to finish all learning content assigned to this user, what could go wrong? 🙂
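An added example (not from any poster and not Docebo code) of the precautions discussed in this thread, run over a constructed CSV import file: it flags privileged accounts that share the default password and shared-password rows with no forced change on first login. The column names `level` and `force_change` and the level values are assumptions, not Docebo's import schema.

```python
import csv
import io
import secrets
from collections import Counter

# Constructed sample import file. Column names and level values are
# assumptions for illustration, not Docebo's actual import schema.
SAMPLE_CSV = """username,email,level,password,force_change
client15,c15@example.com,user,Changeme1,1
client16,c16@example.com,user,Changeme1,1
admin02,a02@example.com,superadmin,Changeme1,1
client17,c17@example.com,user,Changeme1,0
"""

PRIVILEGED = {"poweruser", "superadmin"}  # hypothetical level names


def audit_import(text):
    """Return (username, finding) pairs for risky rows in the import file."""
    rows = list(csv.DictReader(io.StringIO(text)))
    counts = Counter(r["password"] for r in rows)
    findings = []
    for r in rows:
        shared = counts[r["password"]] > 1  # same password on several rows
        if shared and r["level"] in PRIVILEGED:
            findings.append((r["username"], "privileged account uses shared password"))
        if shared and r["force_change"] != "1":
            findings.append((r["username"], "shared password without forced change"))
    return findings


def harden_import(text):
    """Force a change for every row; give privileged rows a unique password.

    Assumes the unique password reaches the privileged user out of band,
    not through the welcome email.
    """
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["force_change"] = "1"
        if r["level"] in PRIVILEGED:
            r["password"] = secrets.token_urlsafe(16)  # 128 bits, per user
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(rows[0]), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()
```
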

