
[WEB SECURITY] quick question on password reset 'best practices'

From: Joe White <joe_at_nospam>
Date: Mon Jun 02 2008 - 17:37:56 GMT
To: "WASC Forum" <websecurity@webappsec.org>


User requests password reset but enters wrong email address as the username:

  1. Username = user email address
  2. User forgets password
  3. User goes to the password reset page in the web app
  4. User enters email address as username and requests that his/her password be reset
  5. User then gets a message similar to the following:

"If the username is valid, you should receive an email with your password shortly."

However, what if the user enters the wrong email address? Is it prudent to display something similar to the following message in this case?

"This is not a valid username."

The recon and intelligence gathering implications of the latter situation are potentially *huge*, but how do you best handle it when the user enters an incorrect username?

Any thoughts?

thanks,
joe
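The two responses Joe contrasts can be put side by side in code. The following is an added example, not code from the original post or from any WASC project: `reset_enumerating` returns a different message for unknown usernames (the "This is not a valid username." variant), while `reset_uniform` returns the same generic message whether or not the account exists and only queues an email when it does. The user store, the mail queue, the token helper and the `consume_token` check are all constructed for this illustration; the example also assumes a one-time reset token is mailed rather than the password itself, which is a choice made here and not something the post specifies.

```python
import hashlib
import secrets
import time
from collections import deque

# Constructed user store for the example: username (email) -> reset state.
USERS = {
    "alice@example.com": {"reset_token_hash": None, "reset_expires": 0.0},
}

# Outgoing mail queue. A separate worker would drain this outside the
# request path, so a request for a real account does not take visibly
# longer than one for an unknown account (the response time would
# otherwise leak the same information as the message text).
MAIL_QUEUE = deque()

GENERIC_MESSAGE = ("If the username is valid, you will receive an email "
                   "with instructions to reset your password shortly.")
TOKEN_TTL_SECONDS = 15 * 60


def reset_enumerating(username):
    """The risky variant from the post: the response text reveals whether
    the username exists, so an attacker can enumerate valid accounts."""
    if username not in USERS:
        return "This is not a valid username."
    _issue_token(username)
    return GENERIC_MESSAGE


def reset_uniform(username):
    """Hardened variant: identical response for known and unknown usernames.
    The only difference is whether an email is queued, and the requester
    cannot observe the queue."""
    if username in USERS:
        _issue_token(username)
    return GENERIC_MESSAGE


def _issue_token(username):
    """Generate a random single-use token, store only its hash, and queue
    the plaintext token for delivery to the account's email address."""
    token = secrets.token_urlsafe(32)
    record = USERS[username]
    record["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    record["reset_expires"] = time.time() + TOKEN_TTL_SECONDS
    MAIL_QUEUE.append((username, token))
    return token


def consume_token(username, token):
    """Validate a presented token: must match the stored hash, must not be
    expired, and is invalidated after one successful use."""
    record = USERS.get(username)
    if record is None or record["reset_token_hash"] is None:
        return False
    if time.time() > record["reset_expires"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    ok = secrets.compare_digest(presented, record["reset_token_hash"])
    if ok:
        record["reset_token_hash"] = None  # single use
    return ok


if __name__ == "__main__":
    print(reset_enumerating("nobody@example.com"))  # leaks: "This is not a valid username."
    print(reset_uniform("nobody@example.com"))      # generic message
    print(reset_uniform("alice@example.com"))       # same generic message, email queued
    user, token = MAIL_QUEUE.popleft()
    print(user, consume_token(user, token), consume_token(user, token))
```

The point of `reset_uniform` is that everything the requester can see (message text, status, and, with the queue, response time) is the same on both paths; the account-specific work happens only where the requester cannot observe it.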
