[WEB SECURITY] quick question on password reset 'best practices'
James Landis
jcl24 at cornell.edu
Mon Jun 2 14:15:55 EDT 2008
I recommend using the same exact message for invalid addresses to
prevent account harvesting. Of course, you'll want to make sure you
don't ACTUALLY send emails to accounts that aren't already on file...
On Mon, Jun 2, 2008 at 10:37 AM, Joe White <joe at cyberlocksmith.com> wrote:
> User requests password reset but enters wrong email address as the username:
>
> 1) Username = user email address
> 2) user forgets password
> 3) user goes to password reset page in the web app
> 4) user enters email address as username and requests that his/her
> password be reset
> 5) user then gets a message similar to the following:
>
> "If the username is valid, you should receive an email with your
> password shortly."
>
> However, what if the user enters the wrong email address? Is it prudent to
> display something similar to the following message in this case?
>
> "This is not a valid username."
>
> The recon and intelligence gathering implications of the latter
> situation are potentially *huge*, but how do you best handle it when the
> user enters an incorrect username?
>
> Any thoughts?
>
> thanks,
> joe
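The handling James describes, as an added example that is not code from the thread: a reset endpoint that returns one fixed message whether or not the address is on file, sends mail only to accounts that exist, and does the same amount of work on both paths. The leaky variant Joe asks about is shown beside it for contrast. The in-memory user store, the outbox, and the use of a reset token instead of the password itself are my assumptions.

```python
import secrets

# Constructed sample store: username (an email address) -> display name.
USERS = {"alice@example.com": "Alice", "bob@example.com": "Bob"}

# The same message is returned on every path, so the response body cannot be
# used to confirm which addresses have accounts.
GENERIC_MESSAGE = ("If the username is valid, you should receive an email "
                   "with instructions shortly.")


class Outbox:
    """Stand-in for a mail transport; records what would have been sent."""
    def __init__(self):
        self.sent = []

    def send(self, to, body):
        self.sent.append((to, body))


def leaky_password_reset(username, users, outbox):
    """The variant to avoid: the reply reveals whether the address exists."""
    normalized = username.strip().lower()
    if normalized not in users:
        return "This is not a valid username."
    outbox.send(normalized, "Reset token: " + secrets.token_urlsafe(32))
    return GENERIC_MESSAGE


def request_password_reset(username, users, outbox):
    """Uniform handling: identical message for known and unknown addresses."""
    normalized = username.strip().lower()
    # Generate the token unconditionally so both paths do comparable work
    # (a cheap guard against the timing difference a lookup-only path has).
    token = secrets.token_urlsafe(32)
    if normalized in users:
        # Only addresses already on file receive mail; unknown addresses get
        # nothing, so the endpoint cannot be used to spam arbitrary inboxes.
        outbox.send(normalized, "Reset token: " + token)
    return GENERIC_MESSAGE


if __name__ == "__main__":
    box = Outbox()
    print(request_password_reset("alice@example.com", USERS, box))
    print(request_password_reset("nobody@example.com", USERS, box))
    print("mails sent:", [to for to, _ in box.sent])
```

The token would be stored server-side with an expiry and checked on the follow-up visit; that part is outside what the thread discusses.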
----------------------------------------------------------------------------
Join us on IRC: irc.freenode.net #webappsec
Have a question? Search The Web Security Mailing List Archives:
http://www.webappsec.org/lists/websecurity/
Subscribe via RSS:
http://www.webappsec.org/rss/websecurity.rss [RSS Feed]
Join WASC on LinkedIn
http://www.linkedin.com/e/gis/83336/4B20E4374DBA