It is common on login forms to see "Email or password is incorrect" when the user types in their account details incorrectly, instead of just "password is incorrect". This is, among other reasons, because it is a security vulnerability to inform users that the email is indeed registered to that site. You can read about it in this question.
However, in the case of a "Forgot password" reset page, there is only an input for the user to enter an email to get a new password sent to them. If this email is not registered to my site and I put up an error message saying "Sorry, this email is invalid", then a malicious person can come in and try emails until they find one that doesn't give that error, meaning they've found an active account.
Is there any way to avoid divulging this potentially risky information?
I can only think of possibly limiting the number of attempts to put in an email as it shouldn't impede a normal user experience.
Answer
The easiest way to implement this is to say
If a matching account was found an email was sent to user@email.com to allow you to reset your password.
I've seen this on a few sites lately, though at the moment they are all escaping me. It struck me as a great way around this issue.
It confirms to them whether they entered the email account they intended to, and if they have an account they'll be getting an email any time now.
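As an added illustration (not the asker's or the answerer's code), here is a Python sketch of the leaky handler next to the uniform-response handler this answer describes, plus the per-client attempt limit the question suggests. The in-memory account store, the send callback and all names are assumptions for the example.

```python
import secrets
import time
from typing import Callable, Dict, List

# Constructed in-memory store standing in for the site's user database.
ACCOUNTS: Dict[str, str] = {"alice@example.com": "user-1"}

# Same wording for every request, so the response carries no account signal.
GENERIC_MESSAGE = ("If a matching account was found, an email was sent to {email} "
                   "to allow you to reset your password.")


def enumerable_reset(email: str, store: Dict[str, str] = ACCOUNTS) -> str:
    """Leaky version: the text of the reply reveals whether the address is registered."""
    if email not in store:
        return "Sorry, this email is invalid"
    return f"A reset link was sent to {email}"


def uniform_reset(email: str, send: Callable[[str, str], None],
                  store: Dict[str, str] = ACCOUNTS) -> str:
    """Hardened version: identical reply, and the same work, whether or not the account exists."""
    token = secrets.token_urlsafe(32)          # generated on every path so timing does not differ
    user_id = store.get(email.strip().lower())
    if user_id is not None:
        send(email, token)                     # only a real account actually receives mail
    return GENERIC_MESSAGE.format(email=email)


class ResetRateLimiter:
    """Per-client attempt counter over a sliding window (the question's own mitigation)."""

    def __init__(self, max_attempts: int = 5, window_seconds: int = 3600,
                 clock: Callable[[], float] = time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock                     # injectable so the limiter can be tested offline
        self._hits: Dict[str, List[float]] = {}

    def allow(self, client_id: str) -> bool:
        """Return True if this client may submit another reset request right now."""
        now = self.clock()
        recent = [t for t in self._hits.get(client_id, []) if now - t < self.window]
        if len(recent) >= self.max_attempts:
            self._hits[client_id] = recent
            return False
        recent.append(now)
        self._hits[client_id] = recent
        return True
```

A real deployment would key the limiter on something harder to rotate than a bare client IP and back it with shared storage, but the response-shaping logic is the part that stops the enumeration described in the question.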