---
**[tickets:#7543] Password recovery should not confirm email addr existence**
**Status:** closed
**Milestone:** asf_release_1.2.0
**Labels:** security sf-1
**Created:** Mon Jul 07, 2014 04:23 PM UTC by Dave Brondsema
**Last Updated:** Wed Jul 16, 2014 06:14 PM UTC
**Owner:** Alexander Luberg

The forgotten password recovery form says "Unable to recover password for this
email" if you enter an email that is not in our database. This can be used to
determine if an email address is in the system or not. Instead, we should
always have a generic success message like "A password reset email has been
sent, if the given email address is on record in our system."
---
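The behaviour described in the ticket next to the proposed fix, as an added example that is not Allura's own code. The user store, function names, status codes and the vulnerable handler's success text are assumptions made for illustration; only the two quoted messages come from the ticket.

```python
import secrets

# Constructed sample data; not taken from Allura or its database.
USERS = {"alice@example.com"}
OUTBOX = []  # stands in for the outgoing mail queue

GENERIC_MSG = ("A password reset email has been sent, if the given "
               "email address is on record in our system.")


def _queue_reset_mail(email):
    """Queue a reset mail with a random single-use token (hypothetical helper)."""
    OUTBOX.append((email, secrets.token_urlsafe(32)))


def recover_vulnerable(email):
    """Behaviour the ticket reports: the reply reveals whether the email is known."""
    if email not in USERS:
        return 400, "Unable to recover password for this email"
    _queue_reset_mail(email)
    return 200, "Password reset email sent"  # assumed success text


def recover_hardened(email):
    """Fix the ticket proposes: identical status and body for every input."""
    if email in USERS:
        _queue_reset_mail(email)  # mail goes out only for known addresses
    return 200, GENERIC_MSG


def leaks_existence(handler, known, unknown):
    """Regression check: True if the responses for a known and an unknown
    address can be told apart by status code or body."""
    return handler(known) != handler(unknown)


if __name__ == "__main__":
    for handler in (recover_vulnerable, recover_hardened):
        leaked = leaks_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{handler.__name__}: leaks existence = {leaked}")
```

A check like `leaks_existence` compares only status and body; response time is a separate signal, which is why the mail is queued rather than sent inside the request.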