After requesting a password reset, an email was sent to my inbox.  It read:

You are receiving this email because a request has been submitted to change your password. [snip] Use the following link to change your password. It will expire in 72 hours. https://thisurl/reset/063D8C27-5056-9214-058CB95EF7BAAAA/Powered by thatjob

The first thing I noticed was the broken URL (which had leaked into “powered”).  I copied the URL up to the “/”, and got a 404 not found error.  I then removed the “/” and was able to reset my password.

How was this tested?  Did anyone “actually” test the URL in the email?  Was it tested on a number of email clients, including webmail, text, and html?

Who made the decision to have the URL on the same line as text.  Where did the offending “/” come from?

If a password reset email does not work (on the first click) does it inspire confidence in the rest of the site?  Not really.