Thursday, October 8, 2015

login - Reset password, appropriate response if email doesn't exist?


It is common on login forms to see "Email or password is incorrect" when the user types in their account details incorrectly, instead of just "Password is incorrect". This is, among other reasons, because it is a security vulnerability to inform users that the email is indeed registered to that site. You can read about it in this question.


However, in the case of a "Forgot password" reset page, there is only an input for the user to enter an email to get a new password sent to them. If this email is not registered to my site and I put up an error message saying "Sorry, this email is invalid", then a malicious person can come in and try emails until they find one that doesn't give that error, meaning they've found an active account.


Is there any way to avoid divulging this potentially risky information?


I can only think of possibly limiting the number of attempts to put in an email as it shouldn't impede a normal user experience.




Answer



The easiest way to implement this is to say


If a matching account was found, an email was sent to user@email.com to allow you to reset your password.

I've seen this on a few sites lately, though at the moment they are all escaping me. It struck me as a great way around this issue.


It confirms to them if they entered the email account they intended to, and if they have an account they'll be getting an email any time now.


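The approach from the answer, combined with the rate limiting the question suggests, as an added worked example (this is illustrative code written for this page, not code from the question or answer). It assumes an in-memory user table, mail queue and token table standing in for a real database and mail service, and constructed addresses such as alice@example.com. The handler returns one identical response whether the address is registered, unknown or rate limited; the existence check only decides whether a token is issued and a message is queued, and the unknown-account path does comparable work so response time does not give the branch away.

```python
import hashlib
import secrets
import time
from collections import defaultdict

# Constructed stand-ins for a user table, a mail queue and a reset-token table
# (assumption: a real deployment backs these with a database and a mail service).
USERS = {"alice@example.com": {"id": 1}}
MAIL_QUEUE = []            # dicts: {"to": ..., "token": ...}, delivered asynchronously
RESET_TOKENS = {}          # sha256(token) -> (email, expires_at)
_HITS = defaultdict(list)  # rate-limit key -> request timestamps

RATE_LIMIT = 5             # requests per key per window (assumed policy)
RATE_WINDOW = 3600         # seconds
TOKEN_TTL = 900            # seconds

# The one response every caller sees, whether or not the address is registered.
GENERIC_RESPONSE = {
    "status": 200,
    "message": "If a matching account was found, an email was sent to "
               "that address with instructions to reset your password.",
}


def _rate_limited(key, now):
    """Fixed-window counter; True once the key has already hit the limit."""
    recent = [t for t in _HITS[key] if now - t < RATE_WINDOW]
    _HITS[key] = recent
    if len(recent) >= RATE_LIMIT:
        return True
    recent.append(now)
    return False


def _issue_token(email, now):
    """Generate a single-use token; store only its hash, as for a password."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (email, now + TOKEN_TTL)
    return token


def request_password_reset(email, client_ip, now=None):
    """Handle a 'forgot password' submission without revealing account existence."""
    now = time.time() if now is None else now
    email = email.strip().lower()

    # Count against both keys with a non-short-circuit OR so each is always updated.
    limited = _rate_limited("ip:" + client_ip, now) | _rate_limited("email:" + email, now)

    account = USERS.get(email)
    if account is not None and not limited:
        token = _issue_token(email, now)
        # Queue, never send inline: synchronous mail delivery is the usual
        # timing leak between the "exists" and "does not exist" paths.
        MAIL_QUEUE.append({"to": email, "token": token})
    else:
        # Comparable work on the unknown-account (or limited) path so response
        # time does not reveal which branch ran; nothing is stored or sent.
        secrets.token_urlsafe(32)
        hashlib.sha256(b"decoy").hexdigest()

    # Same body and status in every case, including when rate limited.
    return dict(GENERIC_RESPONSE)


def redeem_reset_token(token, now=None):
    """Return the email bound to a valid, unexpired token, consuming it; else None."""
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)   # pop: single use, even on failure
    if entry is None:
        return None
    email, expires_at = entry
    if now > expires_at:
        return None
    return email


if __name__ == "__main__":
    print(request_password_reset("alice@example.com", "203.0.113.5"))
    print(request_password_reset("nobody@example.com", "203.0.113.5"))
    print(len(MAIL_QUEUE), "message(s) queued")
```

Returning the same message to a rate-limited caller keeps the responses uniform; answering 429 instead would also be acceptable, since that status is keyed on the requester rather than on whether the account exists. Hashing the token before storage means a leaked token table cannot be used to reset anyone's password.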