
If a website has a reset password facility (which will e-mail the account holder a reset link), does this facility reveal too much information by allowing someone to probe who holds an account by entering various e-mail addresses?

On a login screen you can avoid revealing who holds an account by giving a generic "E-mail or password is incorrect" message when incorrect details are entered, which could mean either that the account doesn't exist or that the password is wrong.

The only way I can think of not revealing who holds an account through a password reset link is to provide a generic message saying "You have been sent a reset link to your e-mail address, if you had an account, otherwise you'll need to create a new account" or words to that effect, whether or not a reset link could be successfully sent.

  • Well.. if you have some sort of an account number, you can ask the user to enter that to retrieve the password. – hsnm Nov 08 '12 at 11:57
  • "too much information" is subjective. How much is too much? You seem to be really asking "Is there a way to prevent an adversary from using the reset password facility to enumerate accounts?" In which case, as @Tobias states, you've answered your own question. – MCW Nov 08 '12 at 14:27
  • For a very thorough treatment of your question (and other stuff associated with it,) see [Troy Hunt's](http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html) writeup. It will indeed tell you everything you want to know. – Jonathan Garber Nov 08 '12 at 14:50
  • @hsnm But then you have to have a process for "I forgot/don't have my account number" and you'll likely end up with the same problem. – Iszi Nov 08 '12 at 16:45
  • Unfortunately, if you don't permit duplicate email addresses, your _signup_ screen could be used to verify them. – Clockwork-Muse Nov 09 '12 at 00:34

3 Answers


You already answered the question yourself: the only way to not give away any information is to display a generic "A message has been sent to a@b.c" after requesting a password reset, even if there is no account associated with that email. See also this question for additional details.

twobeers
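As an added example (not code from the original post, the site it discusses, or any of the answerers), here is a small Python reset handler that implements the generic-reply approach this answer describes. The user table, outbox, helper names and the 15-minute token lifetime are all constructed for illustration. It also covers a caveat the answer leaves implicit: the response must be the same in *time* as well as in text, so both branches generate and hash a token, and delivery is only queued rather than done inline.

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed sample data standing in for a real user table and mail queue;
# none of this is the original site's code.
USERS = {"alice@example.com": {"id": 1}}
OUTBOX = []           # (recipient, token) pairs a background worker would e-mail
PENDING_RESETS = {}   # sha256(token) -> (user id, expiry timestamp)

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed policy)
GENERIC_REPLY = (
    "If an account exists for that e-mail address, a reset link has been sent "
    "to it. Otherwise you will need to create a new account."
)


def _token_key(token: str) -> str:
    """Store only a hash of the token so a leaked table can't be used directly."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def request_reset(email: str, now: Optional[float] = None) -> str:
    """Handle a "forgot password" submission.

    The return value is identical for registered and unregistered addresses,
    and both branches generate and hash a token so the work done (and hence
    the response time) does not depend on whether the account exists.
    Delivery is only queued, never done inline: an SMTP round-trip on one
    branch would reintroduce the difference the generic text hides.
    """
    now = time.time() if now is None else now
    normalized = email.strip().lower()
    user = USERS.get(normalized)

    token = secrets.token_urlsafe(32)
    key = _token_key(token)
    record = (user["id"] if user else None, now + TOKEN_TTL)

    if user is not None:
        PENDING_RESETS[key] = record
        OUTBOX.append((normalized, token))
    # unregistered address: the record is simply discarded

    return GENERIC_REPLY


def redeem_reset(token: str, now: Optional[float] = None) -> Optional[int]:
    """Consume a reset token; returns the user id, or None if the token is
    unknown, already used, or expired. pop() makes each token single use."""
    now = time.time() if now is None else now
    entry = PENDING_RESETS.pop(_token_key(token), None)
    if entry is None:
        return None
    user_id, expiry = entry
    if now > expiry:
        return None
    return user_id


if __name__ == "__main__":
    print(request_reset("alice@example.com"))
    print(request_reset("nobody@example.com"))
    print("queued mails:", OUTBOX)
```

The two things worth checking in a real implementation are that the text never changes (no "we could not find that address" branch, not even for malformed input) and that nothing slow, such as connecting to the mail server, happens only on the registered-account path.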

Yes, it could be, but the application owner could limit the number of attempts from particular IP addresses. Another layer could be that the validity of the entered e-mail address is checked in the application database. Another possibility is to ask for the e-mail address twice and disable the clipboard in the second field, so it always has to be typed manually.

Otherwise you are absolutely right.

sh4d0w
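As an added example of the first suggestion in this answer (per-IP attempt limiting), not code from the original post or answerer: a sliding-window limiter in Python plus a request handler built on it. The limits, IP addresses and queue are constructed for illustration. The design point it shows is that the throttle decision depends only on the client address, never on the e-mail submitted, so the 429 path leaks nothing about accounts either; the handler also hands the account lookup to a background queue so the web tier has no existence-dependent branch at all. A per-IP limit only slows an attacker who has many addresses, so it is a complement to the generic reply, not a replacement.

```python
import time
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

GENERIC_REPLY = (
    "If an account exists for that e-mail address, a reset link has been sent "
    "to it. Otherwise you will need to create a new account."
)
THROTTLED_REPLY = "Too many password reset requests; please try again later."

# Constructed: work items (address, timestamp) for a background worker that does
# the actual account lookup and mail delivery, out of the request path.
RESET_QUEUE: List[Tuple[str, float]] = []


class ResetRateLimiter:
    """Sliding-window cap on reset requests per client IP (assumed policy:
    at most max_requests within window_seconds). In-memory only, for
    illustration; a multi-node deployment would keep these in shared storage."""

    def __init__(self, max_requests: int = 5, window_seconds: int = 3600):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, ip: str, now: float) -> bool:
        hits = self._hits[ip]
        cutoff = now - self.window
        while hits and hits[0] <= cutoff:   # drop timestamps outside the window
            hits.popleft()
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


LIMITER = ResetRateLimiter()


def handle_reset_request(ip: str, email: str,
                         now: Optional[float] = None) -> Tuple[int, str]:
    """Returns (HTTP status, body). Neither branch inspects the user table:
    the throttle looks only at the IP, and the accepted path just enqueues
    the address for a worker that checks it and sends mail off-line."""
    now = time.time() if now is None else now
    if not LIMITER.allow(ip, now):
        return 429, THROTTLED_REPLY
    RESET_QUEUE.append((email.strip().lower(), now))
    return 200, GENERIC_REPLY


if __name__ == "__main__":
    for i in range(7):
        print(handle_reset_request("203.0.113.7", "someone@example.com", now=float(i)))
```

The deque per IP keeps the window exact without a scheduled cleanup; if the IP population is large, an expiring key-value store with a per-key counter is the usual production substitute.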

Are you protecting the bank accounts of people involved in illicit transactions? If so, then permitting an adversary to elicit email addresses/credentials is probably unwise.

Are you protecting my display preferences on a public website? If so, then the "reset password" facility is boring.

As someone else has said, all security controls have a cost; the art is to balance cost, risk, and consequence.

MCW