Question by smparkes
I’m wondering what the best behavior is when a user requests a password reset for an email that doesn’t exist.
Context: user is not logged in. They just enter an email and hit a reset button.
- If I tell the user requesting the reset immediately that the account doesn’t exist, that’s both a bit of security hole and a privacy issue.
- If I do nothing and it’s an innocent mistake (they thought they had an account), they’ll be wondering what the heck happened. Most mysterious option, least subject to abuse.
- I can send an email that says a password reset has been requested but there’s no account (and should be ignored blah blah blah). This seems the least noxious but it is a little subject to abuse.
Update: On further consideration, I don’t really so how 1 is a big deal since they can get the same information by simply trying to sign up/use the same email … unless I’m missing something …
Answer by Starx
I would do something like this
- Ask for the username or email
- If that email or username is present, send all the email to the person, with the reset password.