mario91100_TEST
Scratcher
100+ posts

Require e-mail confirmation before terminating an account

This is simply a suggestion to add an e-mail confirmation before terminating an account. Currently, all you have to do is go to your account settings, and click the “I want to delete my account” link. Then, you have to click the “Yes, next step” button on the bottom of the page, enter your password, and your account is deleted. Really?

If somebody successfully hacked into your account, deleting it shouldn't be this easy. Adding an e-mail confirmation (sending an e-mail to a specified address, probably the one used to create the account) would increase security and make it harder for a hacker to delete your account.

Now this does come with an inherent flaw; what happens if you lose your email password? Well, there is generally a “forgot password” option attached to email services that allows you to recover a password in a variety of ways. If you don't have this set up, or are using a service without a “forgot password” option, then that's your own fault for forgetting your password; it's not related to Scratch, or the deletion of your account.

Original post wrote:

Title.

I don't visit the site much anymore, but, just out of curiosity, I went onto my now defunct NowhereCollabs account and decided to see what happened when I tried to delete it.

The only thing separating you and your account being deleted are two buttons and a password field.

Really? If someone were to hack into your account, this makes destroying your account forever ridiculously easy. A two day “sign-in-to-keep-your-account” period isn't going to stop most hackers. If they can crack your password once, and do it invisibly (read; no comments, no projects moved to trash, etc.), most will keep doing it until they succeed.

This method is incredibly flimsy and easy to get through, so I suggest adding an e-mail confirmation before deleting an account, and having this confirmation expire after two days or so, and upon acceptance, delete the account as the user wanted. This will make it harder for hackers to delete accounts maliciously, and make account deletion for those actually wanting to a bit faster.

UPDATE; We really should have an e-mail confirmation for e-mail changing, too, though that might need to be fiddled with as well, if you're changing your e-mail if you forgot the password to it. (Submitted in part by both Firedrake969 and scratchisthebest. Thanks, guys!)

Supporters (~30);

~snip, because it really doesn't matter~

EDIT 4/26/2017; New topic got merged with old one, bumped so the only topic could resurface; I didn't bump this post because I didn't want to risk necroposting.

EDIT 4/29/2017; No, this does not mean you simply enter your e-mail like you do your password to delete your account. It means that a confirmation e-mail is sent to the specified address, probably the one you used to make your account.

Last edited by mario91100_TEST (April 29, 2017 16:32:10)

NanoRook
Scratcher
1000+ posts

Support. Security of others is important.
Lythium
Scratcher
1000+ posts

mario91100_TEST wrote:

Title.

I don't visit the site much anymore, but, just out of curiosity, I went onto my now defunct NowhereCollabs account and decided to see what happened when I tried to delete it.

The only thing separating you and your account being deleted are two buttons and a password field.

Really? If someone were to hack into your account, this makes destroying your account forever ridiculously easy. A two day “sign-in-to-keep-your-account” period isn't going to stop most hackers. If they can crack your password once, and do it invisibly (read; no comments, no projects moved to trash, etc.), most will keep doing it until they succeed.

This method is incredibly flimsy and easy to get through, so I suggest adding an e-mail confirmation before deleting an account, and having this confirmation expire after two days or so, and upon acceptance, delete the account as the user wanted. This will make it harder for hackers to delete accounts maliciously, and make account deletion for those actually wanting to a bit faster.

SUPER DUPER SUPPORT
Terrifitastic
Scratcher
100+ posts

mario91100_TEST wrote:

Title.

I don't visit the site much anymore, but, just out of curiosity, I went onto my now defunct NowhereCollabs account and decided to see what happened when I tried to delete it.

The only thing separating you and your account being deleted are two buttons and a password field.

Really? If someone were to hack into your account, this makes destroying your account forever ridiculously easy. A two day “sign-in-to-keep-your-account” period isn't going to stop most hackers. If they can crack your password once, and do it invisibly (read; no comments, no projects moved to trash, etc.), most will keep doing it until they succeed.

This method is incredibly flimsy and easy to get through, so I suggest adding an e-mail confirmation before deleting an account, and having this confirmation expire after two days or so, and upon acceptance, delete the account as the user wanted. This will make it harder for hackers to delete accounts maliciously, and make account deletion for those actually wanting to a bit faster.

yaas pl0x
customhacker
Scratcher
1000+ posts

Support very very much
customhacker
Scratcher
1000+ posts

I would support this except for one reason. They could switch the email address to theirs!
DaSpudLord
Scratcher
1000+ posts

customhacker wrote:

I would support this except for one reason. They could switch the email address to theirs!
That's actually a good point. What if we had a confirmation for switching e-mail, too?

Regardless, I support.

Last edited by DaSpudLord (May 6, 2016 13:37:56)

Swampert11
Scratcher
1000+ posts

DaSpudLord wrote:

customhacker wrote:

I would support this except for one reason. They could switch the email address to theirs!
That's actually a good point. What if we had a confirmation for switching e-mail, too?

Regardless, I support.
I support that.
Firedrake969
Scratcher
1000+ posts

DaSpudLord wrote:

customhacker wrote:

I would support this except for one reason. They could switch the email address to theirs!
That's actually a good point. What if we had a confirmation for switching e-mail, too?

Regardless, I support.
How would you confirm switching the email? An email confirmation probably wouldn't work

Support anyways
DaSpudLord
Scratcher
1000+ posts

Firedrake969 wrote:

DaSpudLord wrote:

customhacker wrote:

I would support this except for one reason. They could switch the email address to theirs!
That's actually a good point. What if we had a confirmation for switching e-mail, too?

Regardless, I support.
How would you confirm switching the email? An email confirmation probably wouldn't work

Support anyways
Send an e-mail to the old e-mail account and have the person confirm from there.
scratchisthebest
Scratcher
1000+ posts

Firedrake969 wrote:

How would you confirm switching the email? An email confirmation probably wouldn't work
It would.

If I guess User1's password (say it's hunter2), I can log into their account and delete their account (by typing in hunter2)

With this suggestion only, I would be able to login to their account using hunter2, change their email to my email, and then delete their account that way. It doesn't actually prevent anything

If I needed to send an email to the old email address before I could change my email, it would then be impossible unless the password to their email is also guessed. (And if that happens you probably deserve it for using the same password.)

BUT, if I'm changing my email because I lost the password to the old one, I can't change my Scratch email legitimately any more and that's dumb.
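
The flow discussed in the posts above, sketched as an added example (not part of the thread and not Scratch's code): deletion and e-mail changes are only applied after a two-day token mailed to the address on file is confirmed. `Account`, `request_action`, `confirm`, `SECRET` and `TTL` are hypothetical names, and the addresses are constructed.

```python
import hashlib
import hmac
import json
import time

SECRET = b"constructed-demo-key"  # placeholder; a real site keeps this in server config
TTL = 2 * 24 * 3600               # the thread's "expire after two days or so"

class Account:
    def __init__(self, name, email):
        self.name, self.email, self.deleted = name, email, False
        self.outbox = []          # (address, token) pairs standing in for sent mail

def _mac(account, action, arg, issued):
    # Binding the MAC to the address on file voids old tokens once the e-mail changes.
    msg = json.dumps([account.name, account.email, action, arg, issued])
    return hmac.new(SECRET, msg.encode(), hashlib.sha256).hexdigest()

def request_action(account, action, arg="", now=None):
    """Logged-in session asks for 'delete' or 'change_email'; nothing is applied yet."""
    issued = int(time.time() if now is None else now)
    token = f"{issued}:{_mac(account, action, arg, issued)}:{action}:{arg}"
    account.outbox.append((account.email, token))  # always mailed to the current address
    return token                  # returned only so the example can be exercised

def confirm(account, token, now=None):
    """Runs when the mailed link is followed; True only if the action was applied."""
    now = time.time() if now is None else now
    try:
        issued, mac, action, arg = token.split(":", 3)
        issued = int(issued)
    except ValueError:
        return False              # malformed token
    if not 0 <= now - issued <= TTL:
        return False              # expired (or dated in the future)
    expected = _mac(account, action, arg, issued)
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False              # forged, or the address on file changed since issue
    if action == "delete":
        account.deleted = True
    elif action == "change_email":
        account.email = arg
    else:
        return False
    return True
```

Someone holding only the account password can call `request_action`, but the token goes to the owner's mailbox, so neither the address nor the account changes until the owner confirms. The lost-mailbox case raised in the thread is not solved by this sketch.
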
Firedrake969
Scratcher
1000+ posts

BUT, if I'm changing my email because I lost the password to the old one, I can't change my Scratch email legitimately any more and that's dumb.
Yeah, that's what I was talking about - it would solve a problem, yes, but it would also create a problem.

Last edited by Firedrake969 (May 6, 2016 14:48:58)

DaSpudLord
Scratcher
1000+ posts

Firedrake969 wrote:

BUT, if I'm changing my email because I lost the password to the old one, I can't change my Scratch email legitimately any more and that's dumb.
Yeah, that's what I was talking about - it would solve a problem, yes, but it would also create a problem.
If you lost the password to your e-mail account, then that's your fault for not keeping better track of it.
VoltageGames
Scratcher
1000+ posts

I support if it's optional because I wouldn't use this but clearly others would.
NanoRook
Scratcher
1000+ posts

Alright, I'm gonna make myself a little more clear since I wrote that post in the morning.

Support. There needs to be a better way to protect account deletion. The hacker already has your password, so destroying it is an easy task.
A-no-meep
Scratcher
100+ posts

Support. I would also like this to apply to password changes, so that it's harder to make an account useless by malevolent password changes.

Last edited by A-no-meep (May 6, 2016 19:13:19)

mario91100_TEST
Scratcher
100+ posts

DaSpudLord wrote:

Firedrake969 wrote:

BUT, if I'm changing my email because I lost the password to the old one, I can't change my Scratch email legitimately any more and that's dumb.
Yeah, that's what I was talking about - it would solve a problem, yes, but it would also create a problem.
If you lost the password to your e-mail account, then that's your fault for not keeping better track of it.
And even then, some e-mail services permit using another e-mail to send the password to in the case that you forget the password to your main e-mail, but that simply makes the problem recursive; if you forget the password to the e-mail that you sent the password reset/reminder to, what then?
DaSpudLord
Scratcher
1000+ posts

mario91100_TEST wrote:

DaSpudLord wrote:

Firedrake969 wrote:

BUT, if I'm changing my email because I lost the password to the old one, I can't change my Scratch email legitimately any more and that's dumb.
Yeah, that's what I was talking about - it would solve a problem, yes, but it would also create a problem.
If you lost the password to your e-mail account, then that's your fault for not keeping better track of it.
And even then, some e-mail services permit using another e-mail to send the password to in the case that you forget the password to your main e-mail, but that simply makes the problem recursive; if you forget the password to the e-mail that you sent the password reset/reminder to, what then?
In that case, I guess you could set it up so that both emails are linked- if you forget one, you can use the other. And if you forget both at the same time… Then you really screwed up.

Additionally, most e-mail services have security questions, where you can set up an answer to a security question, such as “What is your mother's maiden name?” or “What was the name of your first pet?” and if you answer that correctly, then it lets you reset the password. Even other e-mail services will text you a link to reset your password, or a temporary alternate password.

Last edited by DaSpudLord (May 6, 2016 19:51:59)

liam48D
Scratcher
1000+ posts

DaSpudLord wrote:

Firedrake969 wrote:

BUT, if I'm changing my email because I lost the password to the old one, I can't change my Scratch email legitimately any more and that's dumb.
Yeah, that's what I was talking about - it would solve a problem, yes, but it would also create a problem.
If you lost the password to your e-mail account, then that's your fault for not keeping better track of it.
What if somebody who had your old email changed its password and now you can't get in to change your Scratch email to your new email?
DaSpudLord
Scratcher
1000+ posts

liam48D wrote:

DaSpudLord wrote:

Firedrake969 wrote:

BUT, if I'm changing my email because I lost the password to the old one, I can't change my Scratch email legitimately any more and that's dumb.
Yeah, that's what I was talking about - it would solve a problem, yes, but it would also create a problem.
If you lost the password to your e-mail account, then that's your fault for not keeping better track of it.
What if somebody who had your old email changed its password and now you can't get in to change your Scratch email to your new email?
Why would you give someone your email account?
