On Mon, Aug 23, 2010 at 2:06 PM, Max Semenik <maxsem.wiki(a)gmail.com> wrote:
This point is debatable:) At least we inform people
that they should
provide valid emails if they want to reset their passwords.
Just today Gmail put a message at the top of the screen complaining
that I didn't have a phone number or backup e-mail set to recover my
password, and nagged me to do so. I guess it only does that to people
who have been using it for X months, have more than Y MB of mail
stored, something like that. Maybe we should nag established users
without confirmed e-mail to set one, once in a while. (Doesn't help
if they can't access the address anymore, though . . .)
That would require some effort, and will add another
cookie that
stores expiry time. A simple increase in time will be a fine solution
until a complex scheme is implemented (do we want it at all? more
cookies=more bandwidth). Additionally, there's still no good reason to
keep expiry time short anyway.
I don't see any reason to increase it to 90 days -- if we increase it
at all, may as well make it not expire.