Authentication - Do you have a 'Forgot my password' link?

Last updated by Alex Rothwell [SSW] 7 months ago.

It's easy and common for users to forget their passwords, the vital key that grants them access to the services they are eligible for. To cater for this, it is important to have a 'Forgot my password' link on the sign in page.

Figure: Bad example - what will happen for the poor user that forgot their password?

Figure: Good example - users have an option if they forget their password

Figure: Good example - users can enter their email to get a new password

Do you avoid a username enumeration attack?

This practice also opens up the risk of "username enumeration", where an entire collection of usernames or email addresses can be checked for existence on the website simply by batching requests and comparing the responses. You can read more on Troy Hunt's blog post. You should always aim to not disclose whether a user is registered with your site or not.

Figure: Bad example - revealing that a user does not exist

Figure: Good example - you should always aim to not disclose if a user is registered with your site or not
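To make the difference between the two examples concrete, here is an added illustration (not code from SSW or from this page) of a 'Forgot my password' handler that leaks account existence beside one that responds identically either way, plus the check a defender can run over a batch of candidate addresses. The user store, the outbox and the function names are all constructed for this example.

```python
import secrets

# Constructed sample user store for the example (email -> user id)
USERS = {"alice@example.com": 1, "bob@example.com": 2}

# Stands in for the mail service; handlers append (recipient, token) to it
OUTBOX = []


def vulnerable_forgot_password(email: str) -> tuple:
    """Leaks account existence: status code and message differ per branch."""
    if email not in USERS:
        return 404, "No account found for that email address."
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return 200, "A password reset link has been sent to your email."


def hardened_forgot_password(email: str) -> tuple:
    """Same status and message whether or not the address is registered.

    A reset token is generated on every request so both paths do roughly
    the same work; the email itself is only queued for real accounts.
    """
    token = secrets.token_urlsafe(32)
    if email in USERS:
        OUTBOX.append((email, token))
    return 200, ("If an account exists for that address, a password "
                 "reset link has been sent to it.")


def responses_are_indistinguishable(handler, candidates) -> bool:
    """Defender's check: submit a batch of candidate addresses and confirm
    every response is identical, so the handler cannot serve as an oracle
    for which addresses are registered."""
    responses = {handler(email) for email in candidates}
    return len(responses) == 1


if __name__ == "__main__":
    batch = ["alice@example.com", "nobody@example.com", "bob@example.com"]
    print("vulnerable:", responses_are_indistinguishable(vulnerable_forgot_password, batch))
    print("hardened:  ", responses_are_indistinguishable(hardened_forgot_password, batch))
```

The check only covers response content; a hardened handler should also avoid large timing differences between the two branches, which is why the token is generated unconditionally.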
