by wongarsu 1302 days ago
And those services also plug the forgotten-password information leak by just informing you "if you have an account, you got an email" instead of giving you an explicit success or error message.

I guess the better point for the article would be "many websites cargo-cult the login error message without understanding why it's there and how that should impact the rest of the service"

2 comments

Sounds like a nightmare for someone who forgot their password and has multiple emails, and isn't sure which one is right. Did I use the wrong email, did it land in the spam folder, or did my email provider just quietly delete the email (which unfortunately does happen, and not just with dodgy emails/IPs)?
I have multiple emails, and this never turned out to be an issue - worst case I just try all of them.

But if you want to improve the implementation, the provider can also decide to send an email in case no account is registered with that email address - "Hey, someone tried a password reset for this email, but there's no associated account. If it was you, ..., if not, ignore this email."
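The reset flow described in the two wongarsu comments above (one uniform "if you have an account, you got an email" response, plus an email to unregistered addresses as well), as an added example that is not code from the thread or from any site it discusses. `UserStore`, `Mailer`, `request_password_reset`, `consume_reset_token` and the sample data are all hypothetical; the point is that the branch for "no such account" does the same amount of work and returns the same text as the branch for a real account, and that a delivery failure is recorded for the operator rather than shown to the requester.

```python
"""Enumeration-resistant password reset request (hypothetical example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field

# The only text the requester ever sees, regardless of account existence.
UNIFORM_MESSAGE = "If an account exists for that address, we have sent it an email."


@dataclass
class Mailer:
    """Stand-in for an outbound mail gateway; captures messages in `outbox`."""
    outbox: list = field(default_factory=list)
    fail_for: set = field(default_factory=set)  # addresses that simulate a delivery bug

    def send(self, to, subject, body):
        if to in self.fail_for:
            raise RuntimeError(f"delivery failed for {to}")
        self.outbox.append({"to": to, "subject": subject, "body": body})


@dataclass
class UserStore:
    """Hypothetical user table: email -> user id, plus reset-token state."""
    users: dict
    reset_tokens: dict = field(default_factory=dict)   # sha256(token) -> (email, expiry)
    delivery_failures: list = field(default_factory=list)  # for ops alerting, not the UI


def _normalise(email):
    return email.strip().lower()


def request_password_reset(raw_email, store, mailer, now=None, ttl=900):
    """Handle a reset request and return the uniform response text.

    Both branches generate a token and send an email, so neither the response
    body nor the work done (a timing side channel) depends on whether the
    address is registered.
    """
    email = _normalise(raw_email)
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()  # store only the hash
    try:
        if email in store.users:
            store.reset_tokens[token_hash] = (email, now + ttl)
            mailer.send(
                email,
                "Reset your password",
                f"Use this link within 15 minutes: https://example.test/reset?token={token}",
            )
        else:
            # wongarsu's refinement: tell unregistered addresses too, so a user
            # who tried the wrong mailbox learns that rather than hearing nothing.
            mailer.send(
                email,
                "Password reset requested",
                "Someone asked to reset the password for this address, but no account "
                "is registered to it. If this was you, try another address you may have "
                "signed up with; if not, ignore this email.",
            )
    except RuntimeError as exc:
        # An internal send failure must not change what the requester sees;
        # surface it to operators (logs/metrics) instead.
        store.delivery_failures.append((email, str(exc)))
    return UNIFORM_MESSAGE


def consume_reset_token(token, store, now=None):
    """Redeem a token once; returns the email it belongs to, or None."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = store.reset_tokens.pop(token_hash, None)  # single use
    if entry is None:
        return None
    email, expiry = entry
    return email if now <= expiry else None


if __name__ == "__main__":
    # Constructed sample data.
    store = UserStore(users={"alice@example.test": 1})
    mailer = Mailer()
    print(request_password_reset("Alice@Example.test ", store, mailer))
    print(request_password_reset("nobody@example.test", store, mailer))
    print([m["to"] for m in mailer.outbox])
```

The response text, the number of emails sent and the amount of work done are identical in both branches; only the email body differs, and only the mailbox owner can see that. Whether to notify unregistered addresses is a product choice (it lets anyone send mail to an arbitrary address through your domain, so rate-limit it per address and per source), but the uniform response is the part that plugs the enumeration leak.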

> And those services also plug the forgotten-password information leak by just informing you "if you have an account, you got an email" instead of giving you an explicit success or error message.

This might be a better approach, but one problem I see with it is: what if the email is not actually delivered because of an internal bug in the website? How would users know they didn't receive an email they were supposed to have received, and take the appropriate action (trying again or contacting help), versus that they entered a wrong or unregistered email?

Email might not be delivered for many reasons that may not all be in control of the sender. It may be classified as spam somewhere along the way. It may simply drop into a black hole. Eventually the user will try again.
That same problem can happen regardless of whether the password reset flow checks for user existence before sending the email.