Comment by ajross
3 years ago
> It should never have blocked an account with a valid password when the recovery email was never validated.
Should it not? Accounts get "blocked" because of reasonable suspicion that they're compromised. It's not just something they do to annoy you. The overwhelming majority of these situations are surely just password attempt exhaustion. You or someone else tried a little too hard to log in with a bad password.
So... your solution is to disallow that security layer for people who have typos in their emails and never went through the recovery process? That sounds like it's going to hurt and not help.
I mean, yes. It sucks to lose access to an email account. It sucks immensely more to be hacked. And to some extent those requirements are in conflict. There are tradeoffs to be made.
> of reasonable suspicion that they're compromised
Or more likely an automated unreasonable suspicion.
> Should it not?
Yes, it should never ask you for a confirmation that is impossible; this is simple nonsense of design. Also, months is not a useful tradeoff.