Authentication - Do you have a 'Forgot my password' link?
  v4.0 Posted at 13/07/2019 3:07 AM by Tiago Araujo

It's easy and common for users to forget their password, the vital key that grants them access to the services they are eligible for. To cater for this, it is important to have a 'Forgot my password' link on the sign-in page.

Figure: Bad example - what will happen for the poor user that forgot his password?

Figure: Good example - users have an option if they forget their password

Figure: Good example - users can enter their email to get a new password

Do you avoid a username enumeration attack?

This practice also opens up the risk of "username enumeration": an attacker can submit a batch of usernames or email addresses to the reset form and tell from the responses which ones exist on the website. You can read more on Troy Hunt's blog post. You should always aim not to disclose whether a user is registered with your site.

Figure: Bad example - displaying information that a user does not exist

Figure: Good example - you should always aim not to disclose whether a user is registered with your site
