The new login process works like this: unless you’re accessing the service from a trusted IP address (which your account administrator has to update manually), then you’ll need to go through a verification process every time you want to login from a new computer or a new location. The verification involves clicking a link to send an email to your address on file, opening the email, clicking a link that registers your current IP and browser, and then logging in normally.

There are some major issues here. First, they’re presumably using a cookie to record which browser has been verified. So if you clear your cookies, you’ll have to get verified all over again. Second, a lot of people are on dynamic IPs, especially if they often work from remote locations or wireless devices. They will need to do the verification whenever they move to a new location and the IP changes, or possibly even if they just sign off and back on (since some wireless services assign a new IP for every session). A VPN can prevent this hassle, but I’m guessing many of salesforce’s SMB customers lack this sort of infrastructure. And what if you don’t have access to your corporate email account on the same computer, e.g. if you’re using a shared PC? Sounds like you’re out of luck.

Ironically, I think the biggest problem is that salesforce is training users to expect these official verification emails all the time. Aren’t these the same sort of things that potential attackers use to get people to click on and capture their private data? Previously, you could simply say “Delete any email about salesforce access, since it’s a scam.” Now, users have to distinguish between legitimate verification emails they are expecting, and fraudulent ones. This sounds easy enough. But in practice, people will quickly get accustomed to just clicking on the message, especially if they get the verification requests all the time. This change in user behavior will make tricking the average salesforce user even easier in the future.

In all, this is a bad move for salesforce in terms of usability. And by training users to click on verification emails, it might lead to even more compromised accounts as thieves learn to emulate the email format. I would much prefer to see salesforce implement the multi-factor authentication that banks use, i.e. asking you to answer more security questions right on the login screen if your computer isn’t recognized. Obviously, salesforce has its reasons for taking this approach, but I suspect it’s going to cause a lot more harm than good.

My request is very simple: Never email users their password. Why? In most cases, email is an insecure method of communication. Email can be intercepted. So every time you email a password to your users, there is a chance that the password could be compromised — along with all of the user’s data inside your web application.

This behavior isn’t limited to poorly-made sites. I have seen everything from airline frequent flyer sites to project management applications send an email with the username and password right after creating an account. Even more sites skimp on the “Forgot Password” feature. Instead of generating a new password, they just email you the existing one — further exposing the password to prying eyes.

Fixing this problem is straightforward:

• Never email users their password, either during initial account creation or subsequent password resets.
• When a user forgets their password, give them a way to generate a new one. Make this a temporary password that they have to change after logging in. You can even email this if you want, since it’s only valid for one-time use.
• If you really want users to have a copy of their password so they don’t keep asking for password resets, let them view their initial password or retrieve it later from a secure form on your site. Then they can print this out if they like, without compromising the security of the password. Just don’t email it.

As a final note, if the password features in your software are really difficult or impossible to change, at least have the decency to warn people in advance that you’re going to email them their password. Then they can decide if they want to use a different password or perhaps think a little bit harder about what their old one was.