by OliverJones
2689 days ago
I built a password reset system that didn't tell the requestor whether they gave an unregistered email address. It just said, "look in your mailbox." Because, avoid telling cybercreeps anything useful. But my tech support team screamed about it. So, I changed it to send an email to the unregistered address saying "somebody asked for a password reset to be sent to this email address. But we don't have an account associated with this address. If you need help please hit URL or call PHONE." A cybercreep still can't tell from the password-reset page whether the email was correct. This ruse solved my support team's problem.
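The design in the comment above, written out as a small added example (this is not the commenter's code): the HTTP-facing handler returns one fixed message whether or not the address is registered, and the only difference is which email goes out. The in-memory user table, the `Outbox` stand-in for a mailer, the `example.com` URLs and the `HELP_URL`/`HELP_PHONE` placeholders are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed "user database" for the example: email -> user id.
REGISTERED = {"alice@example.com": 1, "bob@example.com": 2}

HELP_URL = "https://example.com/help"   # placeholder for the real support page
HELP_PHONE = "+1-555-0100"              # placeholder for the real support line

# The same public response for every request, so the reset page itself never
# reveals whether an address is registered.
PUBLIC_RESPONSE = "If that address is registered, check your mailbox."


@dataclass
class Outbox:
    """Stand-in for a mail sender; records messages instead of delivering them."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append({"to": to, "subject": subject, "body": body})


def _normalize(email: str) -> str:
    return email.strip().lower()


def request_password_reset(email: str, db=REGISTERED, outbox=None, token_store=None) -> str:
    """Handle a reset request. The return value is what the web page shows;
    it is identical for registered and unregistered addresses."""
    outbox = outbox if outbox is not None else Outbox()
    token_store = token_store if token_store is not None else {}
    addr = _normalize(email)

    # Do the token work on both paths so the two cases cost about the same time.
    token = secrets.token_urlsafe(32)
    digest = hashlib.sha256(token.encode()).hexdigest()

    user_id = db.get(addr)
    if user_id is not None:
        # Store only the hash; a leaked token store then cannot be replayed.
        token_store[digest] = user_id
        outbox.send(addr, "Password reset",
                    f"Reset link: https://example.com/reset?token={token}")
    else:
        # Unregistered address: still send mail, with the "no account" notice.
        outbox.send(addr, "Password reset request",
                    "Somebody asked for a password reset to be sent to this email "
                    "address, but we don't have an account associated with it. "
                    f"If you need help, visit {HELP_URL} or call {HELP_PHONE}.")
    return PUBLIC_RESPONSE


def redeem_reset_token(token: str, token_store: dict):
    """Return the user id for a valid, unused token and consume it; else None."""
    digest = hashlib.sha256(token.encode()).hexdigest()
    for stored, uid in token_store.items():
        if hmac.compare_digest(stored, digest):
            del token_store[stored]   # single use
            return uid
    return None
```

The unregistered-address path lets anyone cause mail to be sent to an arbitrary address, so in production it needs the same per-address and per-source rate limiting as the registered path.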
Having places where I don't recall if I have an account, and if I do, which of my email accounts it was registered to - this solution would actually make me happy. I recall running into it once or twice in the wild and was always just as happy to get the "we don't have an account with this email" message in either email or immediate feedback. That said, I agree with the poster that sees the actual security of hiding usernames as marginal at best, outside of sites where the mere presence of a user is indicative. ("Johnny, why do you have an account on 'ILikeLeadingCommas.com'?!")