7

When I am implementing password reset functionality I usually do not include informative messages about whether a user was found, because I have always believed that it can lead to user name enumeration. So instead of showing:

Account with email "test@test.com" not found.

display an ambiguous message like:

Please check your email for instructions on how to reset your password.

regardless of whether an account was found or not.

Is this overkill or a good practice?

Abe Miessler
    Variations of [this question](https://security.stackexchange.com/questions/70536/having-a-consistent-dont-reveal-email-addresses-of-members-policy/) have been asked [and answered](https://security.stackexchange.com/questions/62661/generic-error-message-for-wrong-password-or-username-is-this-really-helpful), albeit with [differing advice](https://security.stackexchange.com/questions/4729/should-usernames-be-kept-secret?). There's no clear right or wrong answer, as it will depend on your value judgement between giving users accurate feedback versus restricting the info available to attackers. – PwdRsch Mar 09 '16 at 17:33
  • There may be other ways to enumerate user names. For example, site registration can behave differently if one is using an existing username or a unique one. So if you're going to try to prevent username enumeration, be sure to think of alternate places where it may be possible. – Neil Smithline Mar 09 '16 at 19:19
  • This really depends on the kind of site. Would you expect users to want to hide that they have an account? For e.g. Google accounts, this is a non-issue, but for something like Ashley Madison it may be extremely important. – Anders May 15 '19 at 10:25
  • Account not found implies the account was deleted so it is illogical for the user to then try a password recovery. You should rephrase that. – Overmind May 16 '19 at 06:32

1 Answer

8

This is current best practice, as recommended by OWASP. One thing often overlooked though is that the return values should be identical - the layout and underlying HTML code for a page should be the same for each. It's not enough just to provide the same message if you can open the page source and see a comment `<!-- Failed password -->` or `<!-- Unknown email address -->` - I have seen these in live sites.

yair
Matthew
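As an added example (not code from the question or the answer above), the following Python sketch shows the point the answer makes: the reset endpoint must return the same status, headers and byte-identical body whether or not the address is registered, and the only branch that may differ is the side effect of queuing the email. `leaky_reset` is the shape the answer warns about (same visible message, different HTML comment); `safe_reset` is the corrected form; `responses_identical` is a check you can run in a test suite against a known and an unknown address. The user store, the outbox and all function names are hypothetical.

```python
"""Password reset responses that do not reveal whether an account exists.

Added example, not from the original Q&A. USERS, OUTBOX and all function
names are hypothetical; the sample addresses are constructed.
"""
import secrets
from dataclasses import dataclass

# Constructed sample user store (email -> user id). Not real accounts.
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Reset emails that were "sent". In a real deployment this would be a job
# queue so that sending does not delay or alter the HTTP response.
OUTBOX = []

GENERIC_MESSAGE = (
    "Please check your email for instructions on how to reset your password."
)


@dataclass(frozen=True)
class Response:
    status: int
    headers: tuple
    body: str


def render_page(message: str) -> str:
    """Single template used for both branches: same markup, no debug comments."""
    return (
        "<!doctype html><html><body>"
        f'<p class="notice">{message}</p>'
        "</body></html>"
    )


def leaky_reset(email: str) -> Response:
    """The pattern the answer criticises: identical text, different source.

    A developer left an HTML comment in the 'unknown address' branch, so the
    visible message is the same but the page source tells the two apart.
    """
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
        body = render_page(GENERIC_MESSAGE)
    else:
        body = "<!-- Unknown email address -->" + render_page(GENERIC_MESSAGE)
    return Response(200, (("Content-Type", "text/html; charset=utf-8"),), body)


def safe_reset(email: str) -> Response:
    """Corrected form: the response is built once, outside the lookup branch.

    Only the side effect (queuing a reset email) depends on whether the
    account exists; status, headers and body are identical in both cases.
    """
    if email in USERS:
        OUTBOX.append((email, secrets.token_urlsafe(32)))
    return Response(
        200,
        (("Content-Type", "text/html; charset=utf-8"),),
        render_page(GENERIC_MESSAGE),
    )


def responses_identical(handler, known_email: str, unknown_email: str) -> bool:
    """Regression check: a registered and an unregistered address must yield
    the same status, the same headers and a byte-identical body."""
    a, b = handler(known_email), handler(unknown_email)
    return (
        a.status == b.status
        and a.headers == b.headers
        and a.body.encode("utf-8") == b.body.encode("utf-8")
    )


if __name__ == "__main__":
    print("leaky:", responses_identical(leaky_reset, "alice@example.com", "nobody@example.com"))
    print("safe: ", responses_identical(safe_reset, "alice@example.com", "nobody@example.com"))
```

The check compares the encoded body rather than a rendered string so that whitespace, comments and encoding differences all count as a leak; running it in CI against a fixture account and a random address catches the kind of stray comment the answer describes before it reaches a live site.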