On Mon, Aug 23, 2010 at 2:06 PM, Max Semenik maxsem.wiki@gmail.com wrote:
This point is debatable:) At least we inform people that they should provide valid emails if they want to reset their passwords.
Just today Gmail put a message at the top of the screen complaining that I didn't have a phone number or backup e-mail set to recover my password, and nagged me to do so. I guess it only does that to people who have been using it for X months, have more than Y MB of mail stored, something like that. Maybe we should nag established users without confirmed e-mail to set one, once in a while. (Doesn't help if they can't access the address anymore, though . . .)
That would require some effort, and will add another cookie that stores expiry time. A simple increase in time will be a fine solution until a complex scheme is implemented (do we want it at all? more cookies=more bandwidth). Additionally, there's still no good reason to keep expiry time short anyway.
I don't see any reason to increase it to 90 days -- if we increase it at all, may as well make it not expire.