April 9, 2012

Best password reset behavior for missing account

Question by smparkes

I’m wondering what the best behavior is when a user requests a password reset for an email that doesn’t exist.

Context: user is not logged in. They just enter an email and hit a reset button.

  1. If I tell the user requesting the reset immediately that the account doesn’t exist, that’s both a bit of security hole and a privacy issue.
  2. If I do nothing and it’s an innocent mistake (they thought they had an account), they’ll be wondering what the heck happened. Most mysterious option, least subject to abuse.
  3. I can send an email that says a password reset has been requested but there’s no account (and should be ignored blah blah blah). This seems the least noxious but it is a little subject to abuse.

Update: On further consideration, I don’t really so how 1 is a big deal since they can get the same information by simply trying to sign up/use the same email … unless I’m missing something …

Answer by Starx

I would do something like this

  • Ask for the username or email
  • If that email or username is present, send all the email to the person, with the reset password.

Finished 🙂


Please fill the form - I will response as fast as I can!