
So when you hit that forgot password link and enter your email address, it seems that sites (and other programmers I've spoken to) are in one of two mindsets:

  • Notify the user whether or not the email address matched one in the database and, based on this, advise whether a reset password email was sent; or
  • Immediately respond with an "Email sent" or "If this user exists, we have sent you a password reset email" regardless of whether or not a match occurred resulting in an email being sent. This is done (apparently) for security reasons.

I've implemented the latter myself and generally found it raised annoyance with users due to:

  1. If a user mistypes their email address, they are told an email is sent, but they will never receive one.
  2. If they've typed in a different email address than the one they registered with, again they won't be getting an email.
  3. A combination of the above can result in multiple attempts but no receipt of a password reset email, resulting in giving up.

Finally, upon investigation of popular websites that use the second scenario, I've found that when attempting to register an account with these sites where the entered email address matches an existing account, a "this email address is already in use, or unavailable" type message is displayed anyway.

As such, what are the benefits of not revealing whether a password reset email has matched an account?

Anders
Stafford Williams
    This question is more about security concerns than programming concerns. For that reason, it seems more appropriate for [security.se]. –  Aug 29 '15 at 06:56
    If the user can't enter their email address correctly, they will have more problems than remembering their password. –  Aug 30 '15 at 00:37
  • @Andrew not remembering an email address correctly refers to not remembering which (of say, two or more) email addresses was used to register. – Stafford Williams Aug 30 '15 at 00:41
  • As always, there's a tradeoff between security and usability. – user253751 Aug 31 '15 at 00:24

6 Answers


I think this is generally on the wrong side of being unhelpful to legitimate users of legitimate sites - but if your site was promoting anonymity, telling a random web user if a particular email address was valid would be a leak.

ddyer
  • You would only tell a random web user who has access to that particular emails address anyway. – gnasher729 Aug 29 '15 at 15:31
  • Yes, but imagine if you could discover that bill@clinton.com was registered at Ashley Madison. Nothing proven, but you still might make use of it. – ddyer Aug 29 '15 at 17:24
  • @ddyer Hence "if your site was promoting anonymity". It matters for Ashley Madison, not so much for YouTube. – user253751 Aug 31 '15 at 00:24

On sites where the privacy of the users is more important, if a user tries to log in with the email and a wrong password, it's better not to let him know whether the email exists or not. Just let him know it's wrong, and you could ask him to enter the password with a mobile number/username.

Answer

It is to respect the privacy of the already existing users. Otherwise others will be able to know whether a user is registered or not.

aimme
    This does not appear to answer the question that was asked, but rather lists a bunch of best practices that cover related concerns. – Jules Aug 29 '15 at 08:54
  • Ya, my bad @Jules. I agree with you. Let me edit my answer :) Thanks for notifying. – aimme Aug 29 '15 at 09:01

Depending on how easy it is to sign up to your site, you may not be leaking info by telling whether the email was sent or not.

If anyone can create an account, it will probably tell whether an email is in use or not. So at the end of the day the extra annoyance isn't buying you any extra security.

What you should not leak is the emails if users can supply either a username or an email. It would decrease security if you told the user which email the token was sent to, since that could be used to get the emails of users if those are not public.


It is worth considering that revealing the information of whether the holder of a specific email address has an account at your site may be illegal in some jurisdictions. For instance, here in the UK, you should obtain the user's consent before revealing this information.

One work around would be to ask for some lower security information, eg date of birth, mother's maiden name, etc as part of the process, before revealing whether the account exists.

Jules

Your point about trying to register and getting a 'this email address is already in use, or unavailable' message is interesting and seems to be a more important point to consider than whether or not to let people know the forgot password email was sent. They seem to go hand in hand.

If you are willing to display the fact that an email is already in use and can't be used in an account, of course let people know if the forgot-password email was sent.

But if your site demands anonymity, you can't require unique emails and prevent people from trying to use one that is already in use. Instead, just require verification of the email, and by default only the real owner will be able to use it. You could even block them out of any other account activity until the email is verified.

Andrew
    +1 this is an important point. One solution is to require email validation during sign up and send a "this address is already in use, here's a username/password recovery link instead of a validation link" email. – Jules Aug 30 '15 at 06:43

In my opinion, on the reset form, we don't tell whether the email is valid or not. We only show that the reset process has been sent to the submitted email. Then, the content of the email is either an invalid-email message or a reset link.

However, this technique may be annoying if someone uses this reset form to spam someone else's email. Some prevention mechanisms are required, like limiting the number of submissions.

  • Be careful. I may have a service that I access at work, but the registered email is at home, so I can't reset the password at work. If the reset email isn't valid for long enough, I may be in trouble. – gnasher729 Aug 29 '15 at 15:30
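The pattern discussed across this thread (a uniform "if this account exists, we emailed you" response on the reset form, a sign-up path that does not say "already in use" but instead emails either a verification link or a recovery link as Andrew and Jules suggest, a per-address submission limit as the last answer recommends, and a token lifetime as gnasher729 warns about) is pulled together below as an added example. It is not code from the question or any answer. The class and method names (`AccountService`, `request_reset`, `register`), the `example.test` URLs and the in-memory `Outbox` standing in for a mail server are all constructed for illustration.

```python
import hashlib
import secrets
import time
from collections import defaultdict


def _digest(token):
    # Store only a hash of each token so a database leak does not hand out live links.
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password):
    # Salted PBKDF2; a real deployment would pick parameters from current guidance.
    salt = secrets.token_bytes(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Outbox:
    """Constructed stand-in for the mail server: records what would have been sent."""

    def __init__(self):
        self.sent = []  # (recipient, subject, body)

    def send(self, to, subject, body):
        self.sent.append((to, subject, body))


class AccountService:
    # The on-screen response never depends on whether the address is registered.
    RESET_MSG = "If an account exists for that address, a reset link has been emailed."
    SIGNUP_MSG = "Check your inbox for the next step."

    def __init__(self, outbox, max_attempts=3, window=3600, token_ttl=1800, clock=time.monotonic):
        self.outbox = outbox
        self.clock = clock
        self.max_attempts = max_attempts   # mail requests allowed per address per window
        self.window = window
        self.token_ttl = token_ttl         # seconds a verification/reset link stays valid
        self.users = {}                    # email -> password hash (verified accounts)
        self.pending = {}                  # token digest -> (email, expiry), awaiting verification
        self.resets = {}                   # token digest -> (email, expiry)
        self._attempts = defaultdict(list) # email -> timestamps of mail-sending requests

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def _rate_limited(self, key):
        # Per-address budget: stops the reset/sign-up forms being used to spam a third party's inbox.
        now = self.clock()
        recent = [t for t in self._attempts[key] if now - t < self.window]
        recent.append(now)
        self._attempts[key] = recent
        return len(recent) > self.max_attempts

    def _issue(self, table, key, path):
        token = secrets.token_urlsafe(32)
        table[_digest(token)] = (key, self.clock() + self.token_ttl)
        return f"https://example.test/{path}?token={token}"

    def request_reset(self, email):
        key = self._norm(email)
        if self._rate_limited(key):
            return self.RESET_MSG  # silently dropped; the screen still says the same thing
        if key in self.users:
            self.outbox.send(key, "Password reset", self._issue(self.resets, key, "reset"))
        else:
            # Do comparable work on the miss path so response time does not reveal existence.
            secrets.token_urlsafe(32)
        return self.RESET_MSG

    def register(self, email):
        key = self._norm(email)
        if self._rate_limited(key):
            return self.SIGNUP_MSG
        if key in self.users:
            # Existing owner gets a recovery link by mail instead of an "already in use" error on screen.
            self.outbox.send(key, "You already have an account", self._issue(self.resets, key, "reset"))
        else:
            self.outbox.send(key, "Verify your address", self._issue(self.pending, key, "verify"))
        return self.SIGNUP_MSG

    def _consume(self, table, token):
        # Single use and time limited: an old link in a shared inbox stops working.
        entry = table.pop(_digest(token), None)
        if entry is None or entry[1] < self.clock():
            return None
        return entry[0]

    def verify(self, token, password):
        key = self._consume(self.pending, token)
        if key is None:
            return False
        self.users[key] = _hash_password(password)
        return True

    def complete_reset(self, token, new_password):
        key = self._consume(self.resets, token)
        if key is None:
            return False
        self.users[key] = _hash_password(new_password)
        return True


def token_from(link):
    # Helper for tests and demos: pull the token back out of an emailed link.
    return link.split("token=", 1)[1]
```

Both forms share one limiter per normalized address, so a sign-up attempt and a reset attempt for the same mailbox draw from the same budget; the response text is a class constant so nothing on the miss path can accidentally diverge from the hit path.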