Remove informative error messages from password reset functionality?

Currently, if you provide an email address that is not associated with an account it will display the error message:

User not found

I’ve always operated under the assumption that one should not provide informative messages when it comes to any authentication functionality. In this case, this type of message could be used for username enumeration.

OWASP considers informative error messages to be a security issue, and using generic messages is typically considered a best practice. Also related.

I had created a branch with a simple update that would remove this informative error message, but read that I should try and build consensus here before making a pull request.

So what do people think - would an update like this make sense?

Can’t you use the registration endpoint to do enumeration because it won’t let you register with an existing email?

Yes you could, though there are ways to prevent that. The flip side is that most solutions make the user signup process less user friendly.

Yeah. I’d definitely look at a PR that allows configuration of the errors returned to the client, and keep the default as it is now.
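The two endpoints discussed in this thread, as an added example that is not part of the thread or the project's own code: a password-reset handler and a registration handler, each with the current verbose behaviour and a generic-response mode behind a hypothetical configuration flag (defaulting to the current behaviour), plus a small check that tells whether an unauthenticated client can distinguish a known address from an unknown one from the response alone. The in-memory account store, the flag name and the email queue are constructed for the example.

```python
import secrets

# Constructed in-memory stores standing in for the application's database
# (example code, not the project's own models).
ACCOUNTS = {"alice@example.com": {"reset_tokens": []}}
PENDING_SIGNUPS = {}
OUTBOX = []  # emails the app "sends"; inspected here instead of a real mailer

# Hypothetical setting for the configurable behaviour suggested in the thread.
# True reproduces the current default ("User not found"); False gives generic replies.
REVEAL_ACCOUNT_EXISTENCE = True


def normalize(email):
    return email.strip().lower()


def queue_email(address, template):
    OUTBOX.append((address, template))


def request_password_reset(email, reveal=REVEAL_ACCOUNT_EXISTENCE):
    """Return (message, http_status). Generic mode never says whether the address exists."""
    key = normalize(email)
    account = ACCOUNTS.get(key)
    # Generate a token on every request so both paths do comparable work and
    # response timing alone is not an obvious tell for account existence.
    token = secrets.token_urlsafe(32)
    if account is not None:
        account["reset_tokens"].append(token)
        queue_email(key, "password-reset")
    if reveal:
        if account is None:
            return ("User not found", 404)
        return ("Reset email sent", 200)
    return ("If an account exists for that address, a reset link has been sent.", 200)


def register(email, reveal=REVEAL_ACCOUNT_EXISTENCE):
    """Return (message, http_status) for a signup attempt."""
    key = normalize(email)
    exists = key in ACCOUNTS
    if reveal:
        if exists:
            return ("An account with that email already exists", 409)
        PENDING_SIGNUPS[key] = secrets.token_urlsafe(32)
        queue_email(key, "verify-email")
        return ("Verification email sent", 200)
    # Generic mode: the client always sees the same reply; only the mailbox
    # owner learns whether an account already exists. This extra step is the
    # kind of friction the thread calls less user friendly.
    if exists:
        queue_email(key, "existing-account-notice")
    else:
        PENDING_SIGNUPS[key] = secrets.token_urlsafe(32)
        queue_email(key, "verify-email")
    return ("Check your email to continue", 200)


def response_reveals_existence(handler, known_email, unknown_email, reveal):
    """True if the responses for a known and an unknown address differ, i.e. the
    endpoint can be used for enumeration (the check a reviewer would run)."""
    return handler(known_email, reveal=reveal) != handler(unknown_email, reveal=reveal)


if __name__ == "__main__":
    for reveal in (True, False):
        print(
            "reveal =", reveal,
            "| reset leaks:", response_reveals_existence(
                request_password_reset, "alice@example.com", "nobody@example.com", reveal),
            "| register leaks:", response_reveals_existence(
                register, "alice@example.com", "nobody@example.com", reveal),
        )
```

The comparison in `response_reveals_existence` only covers the response body and status; in a real deployment the same check should also look at response timing and headers, and a generic message on one endpoint is of limited value while another endpoint (registration, login, profile lookup) still answers differently for known and unknown addresses, which is the point raised about the registration endpoint above.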

Could you enumerate on the ways to do this?