
Password reset e-mail being sent to non-valid users

lock
auth0
password-reset
forgot-password

#1

I am using Lock as my login widget and I noticed that going through the forgot password flow and entering an e-mail that does not exist, an e-mail is still sent out prompting them to reset the password. It allows them to reset the password, but login will fail with the non-valid e-mail and new password.

Is there a way to have the e-mails only be sent for valid users?


#3

:wave: @eugene.low I believe that the message stating an email has been sent is expected behavior. Lock is implemented to provide this message regardless of whether the user is found or not, to prevent user enumeration, which can lead to multiple attack vectors. This way, an attacker cannot find out whether a particular user/email has an account in your application by brute force. The password reset emails will only be sent to registered users, even though the message says an email has been sent.

When you say non-valid users are you referring to blocked users? I don’t believe a blocked user should be able to start and complete a password reset. If that is the case can you please let me know?
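
The behaviour described in the reply above, a single "email sent" response for every request while the mail itself only goes to a registered, unblocked account, as an added Python example. This is illustration code, not Auth0's or Lock's implementation; the `USERS` store, `OUTBOX` mail sink, `PENDING_RESETS` table and the function names are assumptions made for the example.

```python
import hashlib
import secrets
import time

# Constructed sample user store (hypothetical; not Auth0's data model).
USERS = {
    "alice@example.com": {"blocked": False, "password_hash": None, "salt": None},
    "bob@example.com": {"blocked": True, "password_hash": None, "salt": None},
}

# Pending reset tokens keyed by the SHA-256 of the token, so a leaked table
# does not hand out usable reset links. Value: (email, expiry timestamp).
PENDING_RESETS = {}

# Stand-in for the mail provider: a list of (recipient, token) tuples.
OUTBOX = []

TOKEN_TTL_SECONDS = 15 * 60

# The one response every caller receives, registered address or not.
# Same status code and same body, so nothing in the reply distinguishes
# "account exists" from "account does not exist".
RESET_RESPONSE = {
    "status": 200,
    "message": "If that email is registered, a password reset link has been sent.",
}


def _hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def request_password_reset(email: str) -> dict:
    """Handle a 'forgot password' submission.

    Returns the identical response object on every path. The e-mail is only
    queued when the address belongs to a known, unblocked account.
    """
    normalized = email.strip().lower()
    # Generate the token unconditionally so the unregistered path does roughly
    # the same work as the registered one (narrows the timing side channel).
    token = secrets.token_urlsafe(32)
    user = USERS.get(normalized)
    if user is not None and not user["blocked"]:
        PENDING_RESETS[_hash_token(token)] = (normalized, time.time() + TOKEN_TTL_SECONDS)
        OUTBOX.append((normalized, token))
    return dict(RESET_RESPONSE)


def complete_password_reset(token: str, new_password: str) -> bool:
    """Redeem a token from the reset e-mail. Single use; expires after TTL."""
    entry = PENDING_RESETS.pop(_hash_token(token), None)
    if entry is None:
        return False
    email, expires_at = entry
    if time.time() > expires_at:
        return False
    # PBKDF2 is used here because it is in the standard library; a production
    # system would typically prefer a memory-hard function such as Argon2.
    salt = secrets.token_bytes(16)
    USERS[email]["salt"] = salt
    USERS[email]["password_hash"] = hashlib.pbkdf2_hmac(
        "sha256", new_password.encode(), salt, 200_000
    )
    return True


if __name__ == "__main__":
    for address in ("alice@example.com", "nobody@example.com", "bob@example.com"):
        print(address, "->", request_password_reset(address)["message"])
    print("mails queued for:", [rcpt for rcpt, _ in OUTBOX])
```

The point to check in your own flow is the last line of output: three requests produce three identical responses, but only the registered, unblocked address appears in the outbox. An unregistered address such as the one in the original question never receives a token, so there is nothing for its recipient to redeem.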


#4

Hi @kim.noel

I am referring to the actual password reset e-mail being sent. If I were to enter abc@123.com and that e-mail is not registered, an e-mail is still being sent to abc@123.com allowing them to reset their password.

Non-valid meaning that the e-mail is not registered.

Thanks for the response!