
Rule n° 26 - No information is displayed regarding the existence of a user account.

Many websites use personal identifiers for login purposes. These can be nicknames, names, and most commonly email addresses. Malicious individuals may attempt to log in with certain predictable identifiers and exploit the site's response to determine whether an account exists. Once they have verified that an account exists, they can attempt to log in with different passwords or via a brute force attack. To prevent this, the site must avoid revealing that an identifier is associated with an account.

#Design #Personal information #Development #Privacy

Goal

  • Prevent attempts to hijack accounts or steal identities,
  • Improve user security.

Implementation

In response to an attempt to create an account, log in (or a series of attempts), or request a password reset, do not display messages such as:
  • “This email is already in use.”
  • “Incorrect password.”
  • “Please follow the password reset procedure sent by email.”
  • “Account locked.”
Prefer messages such as:
  • “If you already have an account, use the password recovery feature.”
  • “Incorrect credentials. Please check your address and password.”
  • “If an account exists for this address, a reset email has been sent.”
  • “Unable to log in. Please try again later or use the password recovery feature.”
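The following is an added example (Python, not Opquast's code) showing how the three flows above can return the generic messages regardless of whether the address is registered. It assumes an in-memory user store with PBKDF2-hashed passwords, an `OUTBOX` list standing in for outgoing email, and a lockout threshold of five failures; all names and sample data are constructed for the example. It also covers a point the rule implies but does not spell out: the unknown-user path does the same password-hashing work as the known-user path, because a faster reply would reveal the account's absence just as clearly as a different message.

```python
import hashlib
import hmac
import os
from typing import Tuple

ITERATIONS = 100_000
MAX_FAILURES = 5


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the cost is the same whether or not the user exists."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def _record(password: str) -> dict:
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt), "failures": 0}


# Constructed in-memory stores (example data; a real site would use a database).
USERS = {"alice@example.com": _record("correct horse battery")}
OUTBOX = []  # (recipient, subject) tuples standing in for sent emails

# Credential verified when the identifier is unknown, so that the unknown-user
# path does the same hashing work as the known-user path (response time also
# reveals whether an account exists).
_DUMMY = _record("unused")

# One generic message per flow, returned on every failure outcome.
LOGIN_MSG = "Incorrect credentials. Please check your address and password."
RESET_MSG = "If an account exists for this address, a reset email has been sent."
SIGNUP_MSG = "If you already have an account, use the password recovery feature."


def _normalize(identifier: str) -> str:
    return identifier.strip().lower()


def login(identifier: str, password: str) -> Tuple[bool, str]:
    """Return (success, message); the message is identical for an unknown user,
    a wrong password and a locked account."""
    record = USERS.get(_normalize(identifier))
    if record is None:
        # Burn the same hashing cost as a real check, then fail generically.
        hmac.compare_digest(hash_password(password, _DUMMY["salt"]), _DUMMY["hash"])
        return False, LOGIN_MSG
    # Verify before checking the lock so both paths cost the same.
    ok = hmac.compare_digest(hash_password(password, record["salt"]), record["hash"])
    if record["failures"] >= MAX_FAILURES:
        # Locked: the lock is enforced but never reported in the response.
        return False, LOGIN_MSG
    if not ok:
        record["failures"] += 1
        return False, LOGIN_MSG
    record["failures"] = 0
    return True, "Logged in."


def request_password_reset(identifier: str) -> str:
    """Same message whether or not the address is registered; the difference
    happens out of band (an email is sent only to a registered address)."""
    key = _normalize(identifier)
    if key in USERS:
        OUTBOX.append((key, "Password reset link"))
    return RESET_MSG


def register(identifier: str, password: str) -> str:
    """Same message whether the address is new or already taken. An existing
    holder is told by email; a new address gets an account and a confirmation."""
    key = _normalize(identifier)
    if key in USERS:
        OUTBOX.append((key, "You already have an account"))
    else:
        USERS[key] = _record(password)
        OUTBOX.append((key, "Confirm your account"))
    return SIGNUP_MSG
```

The check in the "Control" section below maps directly onto this code: for each of the three functions, call it once with a registered address and once with an unregistered one and compare the returned strings; they must be equal. Whatever distinguishes the two cases (the reset link, the "already registered" notice, the silent lock) reaches only the mailbox of the address owner, never the HTTP response.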
Control

Verify that no information is provided about the existence of a user account when attempting to create an account, log in, or recover a password.

By Opquast

