No information is displayed regarding the existence of a user account.

Rule n° 26 - No information is displayed regarding the existence of a user account.

Many websites use personal identifiers for login purposes. These can be nicknames, names, and most commonly email addresses. Malicious individuals may attempt to log in with certain predictable identifiers and exploit the site's response to determine whether an account exists. Once they have verified that an account exists, they can attempt to log in with different passwords or via a brute force attack. To prevent this, the site must avoid revealing that an identifier is associated with an account.

Previous Next

#Conception #Personal information #Development #Privacy

Goal

Prevent attempts to hijack accounts or steal identities,
Improve user security.

Implementation

In response to an attempt to create an account, log in (or a series of attempts), or request a password reset, do not display messages such as:

“This email is already in use.”
“Incorrect password.”
“Please follow the password reset procedure sent by email.”
“Account locked.”

Prefer messages such as:

“If you already have an account, use the password recovery feature.”

"Incorrect credentials. Please check your address and password.“

”If an account exists for this address, a reset email has been sent.“

”Unable to log in. Please try again later or use the password recovery feature."

Control

Verify that no information is provided about the existence of a user account when attempting to create an account, log in, or recover a password.

By Opquast - Read the license

Previous Next