best practices for a secure forgot password process
21 Aug 2009 - 4:22pm
3 years ago
The use case I'm asking for input on is this: The user has forgotten
their password and types in an email address that is not in our
system. Currently we tell them that we don't have that email address
in our system and to try another or register. However, we have been
mandated to address the security issues around this approach.
Apparently, by telling the user we don't have that email address in
their system allows a hacker/attacher to keep trying other email
addresses until they get a match.
So in other words, there is a conflict between the ease of use in
telling a user who has forgotten their password that we don't have
their email address in our system vs. the potential breech of
security that this messaging apparently invites.
My question is, have you resolved this conflict in your website, and
if so, how?