
Password reset exposes account exists

password-reset

#1

When using Auth0 accounts, we have a customer that noticed resetting a password confirms that an account exists. Entering a non-existent account produces a response saying:

“We’re sorry. Something went wrong when requesting the password change”

… and when entering in a valid account:

“We’ve just sent you an email to reset your password”

Is there a way to configure the Auth0 password reset UI to respond with an ambiguous message that neither confirms nor denies the account exists?


#2

Have you looked into the following:


#3

Thanks!!! We will try that.