yellowled Posted April 17, 2014: Something I'd never realized myself, but a client of mine stumbled upon it: the client's site uses the Forgot Password module. Clicking the link in the login screen opens up a screen with an input field where users are supposed to enter their username. For some reason, the client thought she was supposed to enter her email address. I suppose she read the info text there in a hurry (it does mention that users need to have a registered email address). The thing is: if you enter an email address in said input field and hit the send button, it still displays the info message saying that you'll receive an email with further instructions on how to reset your password, which of course is not being sent since you did not enter a proper username. I think it would be better if these instructions were only displayed if the user actually entered a proper username, or something along those lines.
netcarver Posted April 17, 2014: Hello @yellowled. Would it be worth starting an issue on GitHub for this?
joey102030 Posted April 17, 2014: I may be wrong, but I don't think email is a unique field, so two (or more) users could potentially have the same email address.
WillyC Posted April 17, 2014: When you display different messages in the logon and password functions, you give a hacker the ability to find account names. Best security: you should not have something that tells an unauthenticated user whether a user is known or not known.
netcarver Posted April 17, 2014 (edited): @WillyC I think yellowled's point is a little different, though perhaps I read the post wrong. Anyway, detecting the use of an email address in a username field and telling the user to use a username doesn't feel like an information leak to me. At best you are providing a binary chop of the input space, letting the hacker know that this field really is for a username and not for an email address. In other words, I think it's okay to say... "Hey, this field requires a username, not an email address!" ...but not... "User `WillyC` doesn't exist. Please try again." A generic 'reset message sent' message, regardless of whether the user is known or not, should be shown if the input field has the right type of data. Edited April 17, 2014 by netcarver
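One way to structure a reset handler along the lines netcarver describes, as an added Python example that is not the Forgot Password module's own code; the user store, the mailer stand-in and the message texts are constructed here for illustration:

```python
import re

# Constructed sample user store: username -> registered email (or None).
USERS = {
    "alice": "alice@example.com",
    "bob": None,  # account exists but has no email address on file
}

GENERIC_MSG = ("If that account has a registered email address, a message "
               "with instructions for resetting your password has been sent.")
TYPE_HINT_MSG = "This field requires a username, not an email address."
FORMAT_MSG = "Please enter a valid username."

# Loose shapes only: the point is to classify the *type* of input, not to
# validate real addresses.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def request_reset(field_value, sent_mail, users=USERS):
    """Handle one Forgot Password submission and return the message to show.

    `sent_mail` is a list collecting (username, email) pairs the handler
    would have mailed; it stands in for a real mailer so this runs offline.
    """
    value = field_value.strip()

    # 1. Input-type checks run before any account lookup, so they can only
    #    reveal what kind of data the field takes, never which accounts exist.
    if EMAIL_RE.match(value):
        return TYPE_HINT_MSG
    if not USERNAME_RE.match(value):
        return FORMAT_MSG

    # 2. From here on the visible response is identical whether the username
    #    is unknown, known without an email, or known with an email. A real
    #    implementation should also keep response time uniform (e.g. queue
    #    the mail) so timing does not become the enumeration channel instead.
    email = users.get(value.lower())
    if email:
        sent_mail.append((value.lower(), email))
    return GENERIC_MSG
```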
Soma Posted April 17, 2014: Happened just a few days ago with a user; he entered username and email... Maybe just add a placeholder "username".
yellowled (Author) Posted April 17, 2014: @WillyC "In other words, I think it's okay to say... 'Hey, this field requires a username, not an email address!'" That is, for the record, exactly my point. Of course I don't want to compromise the security of this process. Showing a user who entered data of the wrong type the same message as a user who entered the proper type doesn't give them any indication. The only indication that they did something wrong is the fact that they don't get the reset email, and that could have other reasons. I didn't post this as a GitHub issue since I think it's rather an enhancement, so I wanted to discuss it here first.