After requesting a password reset, an email was sent to my inbox. It read:
You are receiving this email because a request has been submitted to change your password. [snip] Use the following link to change your password. It will expire in 72 hours. https://thisurl/reset/063D8C27-5056-9214-058CB95EF7BAAAA/Powered by thatjob
The first thing I noticed was the broken URL (which had leaked into “powered”). I copied the URL up to the “/”, and got a 404 not found error. I then removed the “/” and was able to reset my password.
How was this tested? Did anyone “actually” test the URL in the email? Was it tested on a number of email clients, including webmail, text, and HTML?
Who made the decision to have the URL on the same line as text? Where did the offending “/” come from?
If a password reset email does not work (on the first click) does it inspire confidence in the rest of the site? Not really.
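The check those questions ask for can be automated. The following is an added example, not code from the site or its vendor: it renders a reset email body, extracts the link the way a plain-text auto-linker roughly would, and fails unless the clickable link is exactly the URL that was issued. The host, token, templates and function names are constructed for illustration.

```python
import re

# Constructed sample values: placeholder host and token, not the ones from the email.
RESET_URL = "https://example.test/reset/0123ABCD-4567-89EF-0123456789ABCDEF"

# Hypothetical template reproducing the reported layout: URL runs into "/Powered".
BROKEN_TEMPLATE = (
    "Use the following link to change your password. "
    "It will expire in 72 hours. {url}/Powered by ExampleVendor"
)
# Hypothetical corrected template: the URL sits alone on its own line.
FIXED_TEMPLATE = (
    "Use the following link to change your password. "
    "It will expire in 72 hours.\n\n{url}\n\nPowered by ExampleVendor\n"
)

# Approximation of plain-text auto-linking (an assumption, clients differ):
# the link runs until whitespace or an angle bracket.
AUTOLINK = re.compile(r"https?://[^\s<>]+")


def links_as_clicked(body):
    """Return the URLs a recipient's mail client would make clickable."""
    return AUTOLINK.findall(body)


def check_reset_email(body, issued_url):
    """Return a list of problems; an empty list means the email is usable."""
    problems = []
    links = links_as_clicked(body)
    if links != [issued_url]:
        problems.append(f"clickable links {links!r} differ from issued {issued_url!r}")
    if not any(line.strip() == issued_url for line in body.splitlines()):
        problems.append("reset URL is not alone on its own line")
    return problems


if __name__ == "__main__":
    for name, template in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        body = template.format(url=RESET_URL)
        print(name, check_reset_email(body, RESET_URL) or "ok")
```

Running the same check against the HTML part and against bodies re-wrapped at common line widths would cover the webmail and client variations asked about above.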