I visited Zipcar to see what car makes and models were available in my neighborhood. Alas, I couldn’t log in, because I couldn’t remember my password.
It, apparently, wasn’t one of my standard web passwords, nor was it in 1Password. (I haven’t logged in to the site in over a year.) So, I clicked their password-reset link…
At the first screen, I entered my e-mail address, and clicked Submit. This form’s HTML was trivial:
<form class="generic-form" method="post" action="user-login" id="login_form" name="login">
  <fieldset class="dp_box">
    <h2>Forgot your username or password? We can help.</h2>
    Please verify yourself by providing your email address below:
    <ul>
      <li>
        <label for="email">Email Address:</label>
        <input type="text" id="email" name="email" size="20" />
      </li>
      <li>
        <div class="form-action-buttons">
          <span class="graphical-btn"><button type="submit" class="submit">Submit</button></span>
        </div>
      </li>
    </ul>
  </fieldset>
</form>
Their server redirected me, I kid you not, to this URL:
There are two problems here. One, their password-reset sequence seems to be broken. Two, that URL is horrific.