Auth0 Home Blog Docs

Password reset does not leak existing users, but Signup does

password-reset
signup

#1

We’re currently reviewing our user signup and reset password flow. When resetting the password the default lock config seems to be to tell the user that an email was sent, even if the email address is invalid (not registered).

This is for security reasons:

“The banner is shown even if the email address is not registered to an account, meaning that attackers won’t be able to try different emails to see if a particular customer does or doesn’t have an account”.

This makes sense, even if it’s annoying for the users.

However, the Sign Up flow leaks this info anyway! Even on auth0.com.

So what’s the point of the user-unfriendly flow in the password reset? I could be wrong, but it doesn’t seem to improve the security, since the information leaks anyway?

Related:


https://auth0.com/docs/libraries/lock/v11/customizing-error-messages ??
Styling of password reset form ??