Resetting password with BOTH username and email
The reset password process should take the username and the email linked to it, otherwise everybody can play the "is registered" game easily and begin the reset process. It would be a bit more complex to enter the right email for a given username. And of course any error doesn't have to leak information about the username (like "wrong email for this username" or "username not found"). Just "Invalid email".
Or at least reset password should only begin if there's a valid email address (less secure than the process above but safer than "username or email")
Well, not everybody uses both. I, for example, always use email as a username. And IMO I'd recommend for everybody to do so unless you have a public facing site where you cannot use the user's first/last name, then there is no other choice but to use the username.
Well, is there something to do to override this? @stof
I'd say:
- password reset with email is sufficient
- To avoid "email guessing" the result should always be a kind-of success message ("Request processed")
This should be a configurable option just like the login with username or email. We have client sites set up to use email addresses for login because people's names are not unique but email addresses are. Our clients do not want to use wacky usernames like jon-doe-123, or mad-max-666, etc; they feel that would be unprofessional. So reset password using username would not work for us. These are private sites and the users do not register themselves, they are registered by user administrators and never even know what their canonical username is.
So reset password using username or email address should be configurable just as the login is.
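The two points raised so far, a configurable reset mode (username and email, email only, or either) and a response that is identical whether or not the account exists, as an added Python example that is not code from the project under discussion; the `ResetMode` options, `ResetService` and its in-memory user list are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from enum import Enum

# One reply for every outcome, so the response body never says whether the
# username or the email exists.
GENERIC_MESSAGE = "Request processed"


class ResetMode(Enum):
    """Assumed configuration switch, mirroring a username-or-email login setting."""
    USERNAME_AND_EMAIL = "username_and_email"  # both must belong to one account
    EMAIL_ONLY = "email_only"                  # the email alone starts a reset
    USERNAME_OR_EMAIL = "username_or_email"    # weakest: either identifier works


@dataclass
class User:
    username: str
    email: str


@dataclass
class ResetService:
    mode: ResetMode
    users: list = field(default_factory=list)   # constructed in-memory user store
    issued: dict = field(default_factory=dict)  # username -> reset token (for mailing)

    def _match(self, identifier: str, email: str):
        """Return the single account the request is allowed to reset, or None."""
        ident, mail = identifier.strip().lower(), email.strip().lower()
        for u in self.users:
            uname, umail = u.username.lower(), u.email.lower()
            if self.mode is ResetMode.USERNAME_AND_EMAIL:
                if ident == uname and mail == umail:
                    return u
            elif self.mode is ResetMode.EMAIL_ONLY:
                if mail and mail == umail:
                    return u
            elif ident and ident in (uname, umail):  # USERNAME_OR_EMAIL
                return u
        return None

    def request_reset(self, identifier: str, email: str = "") -> str:
        """Issue a token only on a real match; the caller always gets GENERIC_MESSAGE."""
        user = self._match(identifier, email)
        if user is not None:
            # The token leaves the server only by email to the stored address,
            # never in the HTTP response.
            self.issued[user.username] = secrets.token_urlsafe(32)
        return GENERIC_MESSAGE
```

Whatever the mode, the only observable difference between a hit and a miss is the email the account owner receives, which is what keeps account enumeration out of the reset form.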
I concur on the issue of obfuscation: never reveal if the username or email address exists or not.
Me too.