Within a secure password reset function of a web application where the email address is the unique account identifier, what would be the best way to handle password reset requests where no matching account is found for the email address entered, i.e. the user hasn't created an account within the application?
For security reasons (to guard against 'valid account harvesting'), we're avoiding direct in-browser notification like "No account exists with this email address" and instead using a generic "If an account exists with this email address you will be sent an email with instructions to reset your password". More on this can be read in this question: Reset password, appropriate response if email doesn't exist?
If no account exists with the specified email address, should the user simply receive no email at all? Or would it be better to send a different email to the entered address along the lines of:

    A request was made using this email address to reset a user account password at www.example.com.
    Unfortunately no account has been created with this email address.
    If you didn't request this, you can safely ignore this mail and take no action.
    If you're trying to log into our site, you can go to www.example.com/register to create a new account.
Edit: I'm interested here in what's the better experience for the user. On one hand, they are informed that they don't have an account and directed to the page where they can create one, so uncertainty is reduced. On the other hand, it's been pointed out to me that malicious users can enter somebody's email into a site over and over and generate multiple emails (although we have CAPTCHA on the reset password form to guard against this being done by script).
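The flow the question describes, as an added example that is not part of the original post or of any particular site's code: the handler returns the identical generic message whether or not the address is known, does the same token work on both paths (so response timing does not leak account existence), sends the "no account" courtesy mail on the unknown path, and applies a per-address rate limit on both paths so the form cannot be used to flood a third party's inbox. The in-memory account table, outbox and token store are constructed stand-ins for a real database and mail service; the 3-per-hour limit and 15-minute token lifetime are assumed policy values, not anything the question specifies.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Constructed sample data: one registered account, keyed by lower-cased email.
ACCOUNTS = {"alice@example.com": {"id": 1}}

# The single message shown in the browser on every path (from the question).
GENERIC_RESPONSE = ("If an account exists with this email address you will be sent "
                    "an email with instructions to reset your password")

NO_ACCOUNT_BODY = (
    "A request was made using this email address to reset a user account password "
    "at www.example.com. Unfortunately no account has been created with this email "
    "address. If you didn't request this, you can safely ignore this mail and take "
    "no action. If you're trying to log into our site, you can go to "
    "www.example.com/register to create a new account."
)


@dataclass
class Outbox:
    """Stand-in for the mail service: records every message instead of sending it."""
    sent: list = field(default_factory=list)


@dataclass
class ResetService:
    accounts: dict
    outbox: Outbox
    token_store: dict = field(default_factory=dict)   # sha256(token) -> (account id, expiry)
    max_per_window: int = 3                           # assumed policy: 3 mails per address
    window_seconds: int = 3600                        # ... per hour
    token_ttl_seconds: int = 900                      # assumed policy: 15-minute tokens
    _history: dict = field(default_factory=dict)      # email -> recent request timestamps

    def _rate_limited(self, email, now):
        """Same limit on both paths, so the limit itself reveals nothing about the account."""
        recent = [t for t in self._history.get(email, []) if now - t < self.window_seconds]
        self._history[email] = recent
        if len(recent) >= self.max_per_window:
            return True
        recent.append(now)
        return False

    def request_reset(self, email, now=None):
        now = time.time() if now is None else now
        email = email.strip().lower()
        if self._rate_limited(email, now):
            return GENERIC_RESPONSE          # drop silently; the response never changes
        account = self.accounts.get(email)
        # Generate and hash a token on every path so both branches do the same work.
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        if account is not None:
            # Only the hash is stored; the raw token travels solely in the mail.
            self.token_store[digest] = (account["id"], now + self.token_ttl_seconds)
            self.outbox.sent.append({"to": email, "kind": "reset",
                                     "link": f"https://www.example.com/reset?token={token}"})
        else:
            self.outbox.sent.append({"to": email, "kind": "no_account", "body": NO_ACCOUNT_BODY})
        return GENERIC_RESPONSE

    def consume_token(self, token, now=None):
        """Redeem a reset link once; returns the account id, or None if unknown/expired."""
        now = time.time() if now is None else now
        digest = hashlib.sha256(token.encode()).hexdigest()
        for stored, (account_id, expires) in list(self.token_store.items()):
            if hmac.compare_digest(stored, digest):
                del self.token_store[stored]     # single use, even when expired
                return account_id if now < expires else None
        return None


if __name__ == "__main__":
    svc = ResetService(accounts=dict(ACCOUNTS), outbox=Outbox())
    print(svc.request_reset("alice@example.com"))
    print(svc.request_reset("nobody@example.com"))
    for msg in svc.outbox.sent:
        print(msg["to"], msg["kind"])
```

Because the browser response, the timing and the rate limit are identical on both paths, the only observable difference is which of the two mails lands in the inbox, and that is visible only to whoever controls the address. Whether to send the "no account" mail at all then becomes purely the usability question the post raises, with the rate limit capping the nuisance an attacker can cause to someone else's inbox.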