Thomas Dalton wrote:
> > Is there any reason we don't suggest for merging accounts with matching names but differing emails?
> I'm pretty sure it does. If the email matches, it should automatically merge, since if you control the email account, you can always change the password if you don't know it. It's only when neither the email nor password match that it asks.
> However, I'm not really sure the password matching should be taken as proof that it's the same account, it could be a coincidence (especially if people are using bad passwords, e.g. username backwards).
It's very unlikely that two people with the exact same username will pick the exact same lame password.
If they do, then they could have logged into each other's accounts anyway -- so it's high time for them to figure it out. ;)
> E-mail matching should be required. Otherwise, ask for the password. If they know it's their account and log on with the same password, excellent; if it's not their account they won't know the password (just because it's the same as their password doesn't mean they know it), and the account shouldn't be merged. Yes, it's likely people will try their password just in case it's their account and they've forgotten, but we should leave password guessing to the user; the code shouldn't be doing any guesswork.
There's no guesswork -- either you can log into the account or you can't.
-- brion vibber (brion @ wikimedia.org)