

Building a secure password reset feature - h43k3r
http://www.troyhunt.com/2012/05/everything-you-ever-wanted-to-know.html

======
xofer
It's an old post, but I really like it because it highlights a problem with
almost all online accounts: Confirming the existence of email addresses and
usernames in the database.

~~~
breakingcups
That's the one thing that's not really a problem, at least not properly dealt
with. Take the website that has awesomely not disclosed whether a user account
already exists with that email address or not.

Now go to that website's 'Register' page. Enter the same email address and
continue. I bet you half a dogecoin you will get an error message if an
account already exists with that email address.

Of course, this is sort of solvable by following the same tactic. Just saying
"An email has been sent to bla@bla.bla with further instructions", which in
case of an already existing account could say "Someone tried to register with
this email address, but an account already existed."

Something to be aware of.
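The "same tactic" applied to both the reset and the registration flow, as an added example that is not code from the thread or from the linked article. The in-memory account set, the mail outbox and the message wording are assumptions of this example; the point is that every branch returns the identical response and produces exactly one outgoing mail, so neither the text nor the side effects reveal whether the address is on file.

```python
import secrets
from dataclasses import dataclass, field

# One wording for every outcome: the requester learns nothing about
# whether the address exists in the database.
GENERIC_RESPONSE = "An email has been sent to {email} with further instructions."


@dataclass
class AccountService:
    # Constructed in-memory stand-ins for the user table and the mail queue
    # (assumptions of this example, not part of the thread).
    existing_accounts: set = field(default_factory=set)
    outbox: list = field(default_factory=list)

    def _queue_mail(self, email: str, kind: str, body: str) -> None:
        # Hand off to a queue; a real deployment sends from a background worker so
        # the response time does not depend on which branch ran.
        self.outbox.append({"to": email, "kind": kind, "body": body})

    def request_password_reset(self, email: str) -> str:
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)  # generated on both paths: same work either way
        if email in self.existing_accounts:
            self._queue_mail(email, "password-reset", f"Reset your password: /reset?token={token}")
        else:
            # Unknown address: still exactly one mail, to the address itself, not to the requester.
            self._queue_mail(email, "no-account-notice",
                             "A password reset was requested for this address, but no account exists.")
        return GENERIC_RESPONSE.format(email=email)

    def register(self, email: str) -> str:
        email = email.strip().lower()
        token = secrets.token_urlsafe(32)
        if email in self.existing_accounts:
            # The existing owner is told about the attempt; the requester sees the generic text.
            self._queue_mail(email, "existing-account-notice",
                             "Someone tried to register with this email address, but an account already existed.")
        else:
            # The account is only created when the link is followed (confirm step omitted here).
            self._queue_mail(email, "confirm-registration", f"Confirm your account: /confirm?token={token}")
        return GENERIC_RESPONSE.format(email=email)
```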

