
Forgot Password – irritating notice


yellowled

Something I'd never realized myself, but a client of mine stumbled upon it:

The client's site uses the Forgot Password module. Clicking the link in the login screen opens up a screen with an input field where users are supposed to enter their username. For some reason, the client thought she was supposed to enter her email address. I suppose she read the info text there in a hurry (it does mention that users need to have a registered email address).

The thing is: if you enter an email address in said input field and hit the send button, it still displays the info message saying that you'll receive an email with further instructions on how to reset your password, which of course is not being sent, since you did not enter a proper user name. I think it would be better if these instructions were only displayed if the user actually entered a proper user name, or something along those lines.


When you display different messages in the logon/password functions,

you give a hacker the ability to find account names.

Best security: you should not have something that tells a non-authenticated user whether a username is known or not known.


@WillyC

I think yellowled's point is a little different - perhaps I read the post wrong. Anyway, detecting the use of an email address in a username field & telling the user to use a username doesn't feel like an information leak to me. At best you are providing a binary chop of the input space letting the hacker know that this field really is for a username and not for an email address. In other words, I think it's okay to say...

"Hey, this field requires a username, not an email address!"

...but not...

"User `WillyC` doesn't exist. Please try again."

A generic 'reset message sent' message, regardless of whether the user is known or not, should be shown if the input field has the right type of data.

Edited by netcarver
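One way to implement the split netcarver describes (a specific message when the field gets the wrong type of data, one generic message for any well-formed username, whether or not the account exists) is sketched below. This is an added example in Python, not ProcessWire's own Forgot Password code; the username pattern, the message strings, the `USERS` store, the `outbox` list and the token handling are assumptions made for illustration.

```python
"""Forgot-password handler that validates the input *type* but never reveals
whether a username exists. Added example, not ProcessWire's own code; the user
store, message strings and token handling are constructed for illustration."""
import hashlib
import re
import secrets

# Username policy assumed for the example: letters, digits, dot, dash, underscore.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{2,64}")

# Constructed sample user store: username -> registered email (or None if none).
USERS = {
    "willyc": "willyc@example.invalid",
    "netcarver": "netcarver@example.invalid",
    "noemail": None,
}

MSG_WRONG_TYPE = "This field requires a username, not an email address."
MSG_GENERIC = ("If that username exists and has a registered email address, "
               "a message with reset instructions has been sent.")


def classify_input(value: str) -> str:
    """Return 'email', 'username' or 'invalid' from the format alone.

    No user lookup happens here, so the answer cannot leak account existence."""
    value = value.strip()
    if "@" in value:
        return "email"
    if USERNAME_RE.fullmatch(value):
        return "username"
    return "invalid"


def handle_forgot_password(value: str, users=USERS, outbox=None, token_store=None):
    """Return the response to show the user.

    Mail is queued (appended to outbox) only when the account exists and has an
    email address, but the returned message never depends on that."""
    kind = classify_input(value)
    if kind != "username":
        # Safe to be specific: this talks about the field's data type, not any account.
        return {"status": "wrong_type", "message": MSG_WRONG_TYPE}

    # Generate and hash a token on every path so the known/unknown branches do the
    # same work; a real deployment would also rate-limit this endpoint.
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()

    username = value.strip().lower()
    email = users.get(username)
    if email is not None:
        if token_store is not None:
            token_store[token_hash] = username      # store only the hash server-side
        if outbox is not None:
            outbox.append({"to": email, "token": token})

    # Identical response for existing, non-existing and email-less accounts.
    return {"status": "ok", "message": MSG_GENERIC}


if __name__ == "__main__":
    sent = []
    for probe in ("WillyC", "nosuchuser", "noemail", "someone@example.invalid", "??"):
        print(f"{probe!r:28} -> {handle_forgot_password(probe, outbox=sent)['message']}")
    print("mails actually queued:", [m["to"] for m in sent])
```

The point of the two-stage check is that `classify_input` decides purely on format, so telling the user "this needs a username" reveals nothing about any account, while every string that passes the format check gets exactly the same `MSG_GENERIC` response whether it matches a user, matches a user without an email, or matches nobody.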

@WillyC

In other words, I think it's okay to say...

"Hey, this field requires a username, not an email address!"

That is, for the record, exactly my point. Of course I don't want to compromise the security of this process.

Showing a user who entered data of the wrong type the same message as a user who entered the proper type doesn't give them any indication. The only indication that they did something wrong is the fact that they don't get the reset email, and that could have other reasons.

I didn't post this as a GitHub issue since I think it's rather an enhancement, so I wanted to discuss it here first.

