Password reset

@Deadban said in #4:
> First change the email, lichess.org/account/email, then change the pw, lichess.org/account/passwd.

Hi, I do not see if I can change the e-mail when I cannot log in. ......

So all users who do not still have access to the e-mail they set up LICHESS with once upon a time have to set up a new account?

I just want to know, as we have 200 users in our group, of whom a lot had a weak password and do not have the e-mail address with which they created their LICHESS account some months/years ago. They ask me how to proceed....
I would advise LICHESS to let the users log in only one time again, change their e-mail address to a valid/existing one and then force them to set a new "strong" password if applicable. Otherwise there will be a lot of new registrations and "new" users and a bunch of "dead" accounts, which have to be processed for a long time. I do not know if LICHESS cancels users after some years if there is no activity, like some e-mail providers do.

@gbissinger said in #12:
> I would advise LICHESS to let the users log in only one time again, change their e-mail address to a valid/existing one and then force them to set a new "strong" password if applicable.

I agree with that. But is it possible that lichess will do it? Can you give users a chance?

First off, I wonder why I need a "secure password" on a game site. What is there to lose here? Some made up rubber points? I can understand enforcing secure passwords in a professional environment, like office, banking, etc. - but lichess?? This is not an atomic power plant and any harm a possible hijacker could do to this account by playing under my name is perhaps less harmful than what I do to my rating myself.

I had to change my password too and was only saved by the fact that I had forgotten to reconfigure Firefox to clear all session data on exit on one system. Shouldn't lichess block people who don't have healthy and secure surfing habits anyway? Why do I still have my account?

Joke aside, isn't it the decision of the user to be as vulnerable or non-vulnerable as he pleases? And, given that you force users to live up to your standards, shouldn't you forbid them to make bad chess moves too? Like, we install a committee of Grandmasters, supported by an array of computers and if they think your move was suboptimal you are banned, how about that?

But to end all those insecurities, here is my suggestion:

- passwords have to have 76 characters minimum, 10 of which are not possible to enter via the keyboard.
- Strictly 4-factor authorisation: password, RSA-token, personal ID and the armed guard at the entrance must personally know you
- for security reasons one is not allowed to use a web browser or play over the internet at all. Playing only allowed on location.
- Before every game you have to provide two different certifications of a thorough health check to avoid unnecessary health risks for you by playing.

And finally: a qualified psychiatrist needs to make sure you are not crazy.

@gbissinger said in #12:
> I would advise LICHESS to let the users log in only one time again, change their e-mail address to a valid/existing one and then force them to set a new "strong" password if applicable.

Yes, just once is enough.

@gbissinger said in #12:
> I would advise LICHESS to let the users log in only one time again, change their e-mail address to a valid/existing one and then force them to set a new "strong" password if applicable.

If the actions by Lichess are motivated by the concern that the password may already be compromised, perhaps this isn't appealing since it can't confirm the user is the rightful one. The best evidence for Lichess in that case is through the email address the user chose themselves. It's pretty standard for all sorts of online accounts that losing access to the associated email can lead to all sorts of problems. It's just the risk you take when using a throwaway account or don't keep track.

I would like to add that, while the weak password blocking is awkward and perhaps unnecessary, I was able to regain access to my account by simply asking for help: contact@lichess.org

Lichess staff were very helpful, perhaps more so than can be expected from a free website. Thank you!

@whycantilogin said in #5:
> I wish Lichess would fix this! I lost a few nice studies because this new “feature” locked me out of my previous account.
>
> Who would be able to revert this policy?

Lichess themselves, nobody else.

This topic has been archived and can no longer be replied to.