User requests password reset but enters wrong email address as the username:
"If the username is valid, you should receive an email with your password shortly."
However, what if the user enters a wrong email address? Is it prudent to display something similar to the following message in this case?
"This is not a valid username."
The recon and intelligence gathering implications of the latter situation are potentially *huge*, but how do you best handle the case where the user enters an incorrect username?
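As an added example (not part of the original post), the following Python shows the two response strategies side by side: a "leaky" reset handler that tells the caller whether the username exists, and a uniform handler that returns the same status code and body either way and does the same work on both paths, so neither the message nor the timing reveals which usernames are valid. The user store, `Response`, `Outbox` and the token generation are constructed stand-ins for this example, not code from the mailing list or any particular application.

```python
"""Added example: handling a password-reset request without revealing
whether the supplied username exists. All names here are constructed."""
import secrets
from dataclasses import dataclass, field
from typing import Optional, Set

# Constructed sample user store; usernames are assumed to be email addresses.
KNOWN_USERS: Set[str] = {"alice@example.com", "bob@example.com"}

# One neutral message, used for both existing and non-existing accounts.
NEUTRAL_MESSAGE = ("If an account exists for that address, an email with "
                   "password reset instructions is on its way.")


@dataclass
class Response:
    status: int
    body: str


@dataclass
class Outbox:
    """Stand-in for a mail sender: records (recipient, token) pairs."""
    sent: list = field(default_factory=list)


def leaky_reset(username: str, users: Set[str] = KNOWN_USERS,
                outbox: Optional[Outbox] = None) -> Response:
    """The pattern the post asks about: status and body differ depending on
    whether the username is known, so the endpoint doubles as a username
    oracle."""
    outbox = outbox if outbox is not None else Outbox()
    if username not in users:
        return Response(404, "This is not a valid username.")
    outbox.sent.append((username, secrets.token_urlsafe(32)))
    return Response(200, "If the username is valid, you should receive "
                         "an email with your password shortly.")


def safe_reset(username: str, users: Set[str] = KNOWN_USERS,
               outbox: Optional[Outbox] = None) -> Response:
    """Uniform response: same status, same body, and the expensive step
    (token generation) runs on both paths, so the only difference between a
    valid and an invalid username is whether an email actually goes out,
    which the requester cannot observe from the HTTP response."""
    outbox = outbox if outbox is not None else Outbox()
    token = secrets.token_urlsafe(32)  # generated unconditionally
    if username in users:
        # Send a time-limited reset token, never the password itself.
        outbox.sent.append((username, token))
    return Response(200, NEUTRAL_MESSAGE)


def indistinguishable(a: Response, b: Response) -> bool:
    """Check used in tests: two responses leak nothing if status and body match."""
    return a.status == b.status and a.body == b.body


if __name__ == "__main__":
    print(leaky_reset("nobody@example.com"))
    print(safe_reset("nobody@example.com"))
    print(safe_reset("alice@example.com"))
```

Two details matter beyond the wording of the message: the HTTP status code and the response time must also be identical on both paths, since an attacker comparing responses looks at all three. The example also sends a reset token rather than the password, which the quoted message implies the application emails in clear; emailing a live password is a separate weakness from the enumeration problem the post raises.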
Have a question? Search The Web Security Mailing List Archives: http://www.webappsec.org/lists/websecurity/