Password reset does not leak existing users, but Signup does

We’re currently reviewing our user signup and reset password flow. When resetting the password, the default Lock config seems to be to tell the user that an email was sent, even if the email address is invalid (not registered).

This is for security reasons:

“The banner is shown even if the email address is not registered to an account, meaning that attackers won’t be able to try different emails to see if a particular customer does or doesn’t have an account”.

This makes sense, even if it’s annoying for the users.

However, the Sign Up flow leaks this info anyway! Even on auth0.com.

So what’s the point of the user-unfriendly flow in the password reset? I could be wrong, but it doesn’t seem to improve the security, since the information leaks anyway?

Related:

Customize Lock Error Messages
Styling of password reset form

1 Like

For password reset we updated the text to something like “If your email address is in our systems, we will send you a password reset email.” Not quite so confusing for users.

Good point about the signup flow:

1 Like

To provide information, this has been looked into and subsequently added to our product roadmap with no timeline at this time. Closing the topic as a result.