[WEB SECURITY] quick question on password reset 'best practices'

White, Dain P dainw at wsu.edu
Mon Jun 2 13:56:33 EDT 2008


I pretty much never give any indication back to the user whether or not
the action they requested succeeded or failed. I normally thank them,
re-state / confirm for them what action they just performed, and provide
them with additional help or contact information "in case of problems". 

In the event of login failure, I would say only "there appears to be a
problem with either the username or password you provided, please
contact us for assistance". 

Dain White

-----Original Message-----
From: feedyourhead at gmail.com [mailto:feedyourhead at gmail.com] On Behalf
Of Joe White
Sent: Monday, June 02, 2008 10:38 AM
To: WASC Forum
Subject: [WEB SECURITY] quick question on password reset 'best
practices'

User requests password reset but enters wrong email address as the
username:

1)  Username = user email address
2)  user forgets password
3)  user goes to password reset page in the web app
4)  user enters email address as username and requests that his/her
password be reset
5)  user then gets a message similar to the following:

"If the username is valid, you should receive an email with your
password shortly."

however, what if user enters wrong email address?  is it prudent to
display something similar to the following message in this case?

"This is not a valid username."

The recon and intelligence gathering implications of the latter
situation are potentially *huge* but how do you best handle when the
user enters incorrect username?

any thoughts?

thanks,
joe


----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec

Have a question? Search The Web Security Mailing List Archives: 
http://www.webappsec.org/lists/websecurity/

Subscribe via RSS: 
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]

Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA
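The two response styles discussed above, side by side, as an added example written for this archive page (it is not code from either poster). It assumes a hypothetical in-memory user store, that usernames are e-mail addresses as in Joe's scenario, and that the mail carries a one-time reset token rather than the password itself.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (assumption, not from the thread).
USERS = {"alice@example.com": {"id": 1}}
PENDING = {}  # username -> sha256(token); only the hash is stored server-side
GENERIC_MESSAGE = ("If the username is valid, you should receive an email "
                   "with reset instructions shortly.")


def leaky_reset(username, outbox):
    """The behaviour Joe asks about: an unknown username gets a distinct
    reply, so the reset page doubles as an account-enumeration oracle."""
    if username not in USERS:
        return "This is not a valid username."
    token = secrets.token_urlsafe(32)
    PENDING[username] = hashlib.sha256(token.encode()).hexdigest()
    outbox.append((username, token))
    return GENERIC_MESSAGE


def uniform_reset(username, outbox):
    """Dain's approach: the same reply for every input. The token is
    generated and hashed even for unknown names so that response size and
    timing match too; only the outbound e-mail is withheld."""
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()
    if username in USERS:
        PENDING[username] = digest
        outbox.append((username, token))  # in a real app: queue the mail, don't send inline
    return GENERIC_MESSAGE


def verify_reset_token(username, token):
    """Constant-time check of a presented token against the stored hash.
    A dummy stored value keeps the comparison uniform for unknown users."""
    stored = PENDING.get(username, "0" * 64)
    presented = hashlib.sha256(token.encode()).hexdigest()
    return hmac.compare_digest(stored, presented) and username in PENDING
```

Serving `GENERIC_MESSAGE` from every branch is the core of the fix; the equal work in both branches matters because a noticeably faster reply for unknown names leaks the same bit the text would have.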
