[WEB SECURITY] quick question on password reset 'best practices'

Joe White joe at cyberlocksmith.com
Mon Jun 2 13:37:56 EDT 2008

User requests password reset but enters wrong email address as the username:

1)  Username = user email address
2)  user forgets password
3)  user goes to password reset page in the web app
4)  user enters email address as username and requests that his/her password be reset
5)  user then gets a message similar to the following:

"If the username is valid, you should receive an email with your
password shortly."

However, what if the user enters the wrong email address? Is it prudent to
display something similar to the following message in this case?

"This is not a valid username."

The recon and intelligence gathering implications of the latter
situation are potentially *huge*, but how do you best handle the case
where the user enters an incorrect username?

Any thoughts?

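
The two response styles discussed in the post, side by side, as an added example that is not part of the original message or of any product it describes. It assumes a hypothetical in-memory user store, a hypothetical outbox standing in for the mail transport, and a reset flow that mails a single-use token rather than the password itself (a design choice of this example, not something the post specifies). The "leaky" handler answers unknown usernames differently and so lets anyone enumerate valid accounts; the "uniform" handler gives the same answer either way and does comparable work in both branches so that response timing does not leak the difference the message no longer does. The last function is the check a tester would run against either endpoint.

```python
import hashlib
import secrets
import time
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample user store (hypothetical): username (email) -> record.
USERS: Dict[str, dict] = {
    "alice@example.com": {"id": 1},
    "bob@example.com": {"id": 2},
}

# Hypothetical outbox standing in for the mail transport so this runs offline.
OUTBOX: List[Tuple[str, str]] = []

# Issued reset tokens, stored hashed: sha256(token) -> (user_id, expiry).
RESET_TOKENS: Dict[str, Tuple[int, float]] = {}
TOKEN_TTL_SECONDS = 15 * 60


def _normalize(username: str) -> str:
    # Case-fold and trim so "Alice@Example.com" and "alice@example.com" match.
    return username.strip().lower()


def _issue_token(user_id: int) -> str:
    # Random single-use token; only its hash is persisted, so a DB leak
    # does not hand out live reset links.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    RESET_TOKENS[digest] = (user_id, time.time() + TOKEN_TTL_SECONDS)
    return token


def reset_password_leaky(username: str) -> str:
    """The pattern the post asks about: a distinct message for unknown users.
    Anyone can hit this endpoint in a loop to build a list of valid accounts."""
    user = USERS.get(_normalize(username))
    if user is None:
        return "This is not a valid username."
    token = _issue_token(user["id"])
    OUTBOX.append((username, f"Reset link: https://app.example/reset?token={token}"))
    return "If the username is valid, you should receive an email shortly."


UNIFORM_MESSAGE = "If an account exists for that address, a reset email has been sent."


def reset_password_uniform(username: str) -> str:
    """Hardened version: identical message whether or not the account exists,
    and comparable work in both branches so timing does not leak it either."""
    user = USERS.get(_normalize(username))
    if user is not None:
        token = _issue_token(user["id"])
        OUTBOX.append((username, f"Reset link: https://app.example/reset?token={token}"))
    else:
        # Burn roughly the same token-generation cost without storing or sending.
        secrets.token_urlsafe(32)
        hashlib.sha256(b"unknown-user-padding").hexdigest()
    return UNIFORM_MESSAGE


def consume_token(token: str) -> Optional[int]:
    """Redeem a presented token: returns the user id, or None if the token is
    unknown, already used, or expired. Pop makes it single use."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(digest, None)
    if entry is None:
        return None
    user_id, expiry = entry
    if time.time() > expiry:
        return None
    return user_id


def responses_distinguish_users(handler: Callable[[str], str],
                                known: str, unknown: str) -> bool:
    """Enumeration check a tester would run: does the handler's reply differ
    between a known and an unknown username?"""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    print("leaky enumerable:",
          responses_distinguish_users(reset_password_leaky,
                                      "alice@example.com", "nobody@example.com"))
    print("uniform enumerable:",
          responses_distinguish_users(reset_password_uniform,
                                      "alice@example.com", "nobody@example.com"))
```

The uniform message alone does not close the hole if the two branches differ in other observable ways (response time, HTTP status, a redirect only on success), which is why the unknown-user branch above does comparable work; rate limiting the endpoint per source and per target address is the remaining control, since even a uniform endpoint can be used to flood a victim's inbox.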