Email when "email not found" on password reset?

Greetings,

Is there any way to send an email to a user that is trying to reset his password, if the email he enters does not exist in the database?
Right now, they do not know what email they need to use to reset their password.
We understand and agree that showing an error “email does not exist” is bad practice, but this is a good alternative already implemented by multiple big sites like “humble bundle”.

Regards
Hd

Hi @hd2200,

Unfortunately, it’s not possible to send an email to a user that entered an incorrect email address when performing a Password Reset.

The canonical way Password Reset works has always been to send an email to a user that does exist, and not give away clues whether the email exists or not in the message.

It is correct that showing an error such as “Email does not exist” is a bad security practice. Having checked on HumbleBundle’s website and performed a password reset on a fake email address, I discovered that they also implement the same approach with different verbiage:

With that said, I recommend having the user reach out to your app admins/support to find and verify their account for account recovery in these types of cases.

Please let me know if you have any further questions. I’d be happy to help.
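
The behaviour described in the reply above, sketched as an added example that is not part of the original thread and not any product's implementation: the reset handler returns the same message whether or not the address is registered, and only a real account gets a single-use, expiring token. All names here (`request_password_reset`, `redeem_token`, the in-memory `users`, `reset_tokens` and `outbox` stores, the `app.example` URL and the 15-minute lifetime) are assumptions made for illustration.

```python
import hashlib
import secrets
import time

# Identical wording for known and unknown addresses (constructed text).
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."
TOKEN_TTL_SECONDS = 15 * 60  # assumed token lifetime for this example


def request_password_reset(email, users, reset_tokens, outbox, now=None):
    """Handle a reset request; the reply never depends on account existence."""
    now = time.time() if now is None else now
    key = email.strip().lower()
    # Generate and hash a token on every request so both paths do similar work.
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    if key in users:
        # Store only the hash, so a leaked token table cannot be replayed.
        reset_tokens[token_hash] = {"user": key, "expires": now + TOKEN_TTL_SECONDS}
        # In a real service the send would be queued asynchronously, so that
        # delivery time does not show up in the HTTP response time.
        outbox.append({"to": key,
                       "body": f"Reset link: https://app.example/reset?token={token}"})
    return GENERIC_REPLY


def redeem_token(token, reset_tokens, now=None):
    """Return the account for a valid token, consuming it; otherwise None."""
    now = time.time() if now is None else now
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    entry = reset_tokens.pop(token_hash, None)  # single use
    if entry is None or entry["expires"] < now:
        return None
    return entry["user"]
```

A quick check for enumeration is to submit one registered and one unregistered address and compare status code, body and response time; any consistent difference is a signal an attacker can use.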
