by merty
4993 days ago
I knew someone would say this :) This is not an excuse for most of the sites (including Codecademy) because when you follow the "Forgot password" link and type in an email address, they instantly tell you whether that email address exists or not. If you are displaying a message such as: "If the email address you provided is registered, you will receive an email shortly." then fine :)
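The difference the comment above describes, as an added example that is not part of the original thread or any site's code: a "Forgot password" handler whose response reveals registration beside one that returns the quoted generic message for every input. The handler names, the `REGISTERED` set and the `outbox` list (a stand-in for an asynchronous mail queue) are assumptions made for illustration.

```python
import secrets

# Constructed sample data for this example (not from the thread).
REGISTERED = {"alice@example.com"}
GENERIC_MESSAGE = ("If the email address you provided is registered, "
                   "you will receive an email shortly.")


def leaky_forgot_password(email):
    """Pattern the comment objects to: the response itself answers
    'is this address registered?'."""
    if email.strip().lower() in REGISTERED:
        return 200, "A reset link has been sent."
    return 404, "No account found for that email address."


def uniform_forgot_password(email, outbox):
    """Same status and body for every input. Only the mailbox owner learns
    the outcome. `outbox` stands in for an asynchronous mail queue, so that
    sending mail does not make the registered path visibly slower."""
    address = email.strip().lower()
    token = secrets.token_urlsafe(32)  # generated on both paths
    if address in REGISTERED:
        outbox.append((address, token))
    return 200, GENERIC_MESSAGE


def responses_differ(handler, known, unknown):
    """True if an observer can tell a registered address from an
    unregistered one by comparing the two responses."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    outbox = []
    safe = lambda e: uniform_forgot_password(e, outbox)
    print("leaky handler distinguishable:",
          responses_differ(leaky_forgot_password, "alice@example.com", "bob@example.com"))
    print("uniform handler distinguishable:",
          responses_differ(safe, "alice@example.com", "bob@example.com"))
    print("reset mails queued:", [to for to, _ in outbox])
```

The `responses_differ` check can be kept as a regression test so that a later change to the handler's status code or wording for one branch is caught.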
* avoiding giving away this piece of information on the forgot password screen
or
* telling the user whether it's their password or username that is wrong.
You might want to take a look at this Security Stack Exchange question: http://security.stackexchange.com/q/13079/7306
Update: I noticed this was in fact mentioned on / added to the blog post.