Rule n° 26 - No information is displayed regarding the existence of a user account.

Many websites use personal identifiers for login purposes. These can be nicknames, names, and most commonly email addresses. Malicious individuals may attempt to log in with certain predictable identifiers and exploit the site's response to determine whether an account exists. Once they have verified that an account exists, they can attempt to log in with different passwords or via a brute force attack. To prevent this, the site must avoid revealing that an identifier is associated with an account.

#Conception #Personal information #Development #Privacy

Goal

Prevent attempts to hijack accounts or steal identities,
Improve user security.

Solution technique

In response to an attempt to create an account, log in (or a series of attempts), or request a password reset, do not display messages such as:

“This email is already in use.”
“Incorrect password.”
“Please follow the password reset procedure sent by email.”
“Account locked.”

Prefer messages such as:

“If you already have an account, use the password recovery feature.”

"Incorrect credentials. Please check your address and password.“

”If an account exists for this address, a reset email has been sent.“

”Unable to log in. Please try again later or use the password recovery feature."

Moyen de contrôle

Verify that no information is provided about the existence of a user account when attempting to create an account, log in, or recover a password.