
Email hint for password reset form #49

Open
ftsell opened this issue Feb 1, 2021 · 2 comments

Comments

@ftsell
Member

ftsell commented Feb 1, 2021

Because we are getting some emails about users not getting their password reset email, we suspect that it is not sufficiently clear which email address is meant on the password reset form.

We should make it more clear that an informatik-email (3musterman@inf…) is meant and not a private email. It should also be made clear that no 1 is part of the email (13musterman@inf…).
In addition we should link to an IRZ page about how to access your emails; surely there exists one.

@timonegk
Member

timonegk commented Feb 1, 2021

We should make it more clear that an informatik-email (3musterman@inf…) is meant and not a private email.

Except when someone changed their email on mafiasi to their private email.

@wichmannpas
Member

wichmannpas commented Feb 1, 2021

And while we're at it, we may as well automatically correct that value (for both password reset and login; the latter would probably be another issue). I.e., if somebody tries to reset a password or tries to log in using valid credentials but with the wrong number prefix, we can treat that request as though the correct value was supplied, but only if it is clear, i.e., reset: NNlastname@inf… does not exist as a registered email address, while Nlastname@inf.… does / login: Nlastname entered as username, but only NNlastname exists with the corresponding password.

In case of login, we should show an unmissable warning on the next page (the auto-rewrite of the username is not applied for other services, so they should learn of that mistake). This should not leak any information to adversaries as it is only applied upon entering the correct password.

To prevent information leakage, we should not give any hint during password reset requests on whether we did any rewriting of that email address. Otherwise, it would be possible to, e.g., check whether a user account uses an @informatik… or an external email address. We may, however, add another paragraph in the email informing about this rewrite of the email address.

This does not render an additional hint redundant; we are not able to automatically correct other mistakes, such as BA… addresses (at least not for now).
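One way to implement the rewrite rule described in the comment above, as an added example that is not code from the mafiasi project or from anyone in this thread. The domain `inf.example`, the account directory and the PBKDF2 password hashing are constructed stand-ins; a real deployment would use the framework's own user model and password hasher. The example shows the three properties the comment asks for: the prefix is corrected only when exactly one registered value differs from the entered one by the numeric prefix alone, the reset form's response is identical whether or not a rewrite happened (the notice goes into the email only), and the login rewrite is only ever visible after the password has verified.

```python
"""Auto-correction of a mistyped numeric prefix in N<lastname> usernames and
N<lastname>@<domain> addresses. Added example; data and domain are constructed."""
import hashlib
import hmac
import os
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumption: institute identifiers look like <digits><stem>, optionally followed
# by @<domain> for email addresses (e.g. 3musterman or 3musterman@inf.example).
KEY_RE = re.compile(r"^(?P<prefix>\d+)(?P<stem>[a-z][a-z0-9.]*)(?P<domain>@[a-z0-9.-]+)?$")


@dataclass(frozen=True)
class Account:
    username: str
    email: str
    pw_hash: bytes
    salt: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    # Stand-in hasher for the example; use the framework's hasher in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_account(username: str, email: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(username, email, hash_password(password, salt), salt)


# Constructed sample directory (not real users). "4schulz"/"14schulz" exist side
# by side to show the ambiguous case; "7private" uses an external address.
ACCOUNTS = [
    make_account("3musterman", "3musterman@inf.example", "correct horse"),
    make_account("4schulz", "4schulz@inf.example", "battery staple"),
    make_account("14schulz", "14schulz@inf.example", "other pw"),
    make_account("7private", "someone@example.org", "external"),
]
BY_EMAIL: Dict[str, Account] = {a.email: a for a in ACCOUNTS}
BY_USER: Dict[str, Account] = {a.username: a for a in ACCOUNTS}

RESET_RESPONSE = "If the address is registered, a password reset email has been sent."


def _stem_key(value: str) -> Optional[Tuple[str, str]]:
    """(stem, domain) with the numeric prefix removed, or None if not of that shape."""
    m = KEY_RE.match(value)
    if not m:
        return None
    return (m["stem"], m["domain"] or "")


def resolve_prefix_typo(entered: str, known: Dict[str, Account]) -> Optional[str]:
    """Return the key in `known` the user most likely meant, or None.

    An exact match is returned as-is. Otherwise the entered value is rewritten
    only when exactly one known key shares its stem and domain (i.e. differs
    only in the numeric prefix). Zero or several candidates yield None.
    """
    entered = entered.strip().lower()
    if entered in known:
        return entered
    key = _stem_key(entered)
    if key is None:
        return None
    candidates = [k for k in known if _stem_key(k) == key]
    return candidates[0] if len(candidates) == 1 else None


def request_password_reset(entered_email: str) -> Tuple[str, Optional[dict]]:
    """Returns (message shown in the browser, email to send or None).

    The browser message is the same in every branch, so the form reveals
    neither whether the address exists nor whether it was rewritten (and thus
    nothing about whether an account uses an institute or an external address).
    The note about the rewrite is placed in the email only.
    """
    target = resolve_prefix_typo(entered_email, BY_EMAIL)
    if target is None:
        return RESET_RESPONSE, None
    mail = {"to": target, "body": "Use this link to reset your password: <token>"}
    if target != entered_email.strip().lower():
        mail["body"] += (
            f"\nNote: you entered {entered_email.strip()}; the reset was sent to "
            f"{target}, the address registered for your account."
        )
    return RESET_RESPONSE, mail


def login(username: str, password: str) -> Tuple[Optional[Account], Optional[str]]:
    """Returns (account or None, warning or None).

    The username is rewritten only if the entered name does not exist, exactly
    one account differs from it just by the numeric prefix, and the password
    verifies for that account. A failed password gives the same result whether
    or not a rewrite was possible, so nothing leaks before authentication.
    """
    entered = username.strip().lower()
    target = resolve_prefix_typo(entered, BY_USER)
    if target is None:
        return None, None
    acct = BY_USER[target]
    if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
        return None, None
    warning = None
    if target != entered:
        warning = (f"You are logged in as {target}, not {entered}. Other services "
                   f"do not correct the username for you.")
    return acct, warning
```

Note that `login` verifies the password against at most one account per attempt, so the rewrite does not let a single guess be tested against several users; the ambiguous stem `schulz` is simply never rewritten.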
