The use case I'm asking for input on is this: The user has forgotten their password and types in an email address that is not in our system. Currently we tell them that we don't have that email address in our system and to try another or register. However, we have been mandated to address the security issues around this approach. Apparently, telling the user we don't have that email address in our system allows a hacker/attacker to keep trying other email addresses until they get a match.
So in other words, there is a conflict between the ease of use in telling a user who has forgotten their password that we don't have their email address in our system vs. the potential breach of security that this messaging apparently invites. My question is, have you resolved this conflict in your website, and if so, how?

Thanks for any insight,
Laur Malone

Posted to the Interaction Design Association (IxDA) discussion list.
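The conflict in the post is commonly resolved by making the "forgot password" response identical whether or not the address is registered, and by limiting how many reset requests one source can make. The following is an added illustration, not code from the post or from IxDA: a small in-memory reset service with the leaky "before" behaviour beside a uniform-response version. The user table, the outbox that stands in for real mail delivery, the `PasswordResetService` class and the per-source limit are all constructed for this example.

```python
import secrets

GENERIC_MESSAGE = (
    "If that email address is registered, we have sent it a password reset link."
)


class PasswordResetService:
    """Constructed example of a 'forgot password' endpoint.

    `users` maps email address -> user id (stands in for the real account store).
    `outbox` collects (email, token) pairs instead of sending mail.
    `audit` records events a defender would want to see (e.g. rate-limit hits).
    """

    def __init__(self, users, limit_per_source=5):
        self.users = {self._normalize(e): uid for e, uid in users.items()}
        self.outbox = []
        self.audit = []
        self.attempts = {}  # source (e.g. client IP) -> number of requests
        self.limit = limit_per_source

    @staticmethod
    def _normalize(email):
        # Trim and lower-case so "Alice@Example.com " matches the stored address.
        return email.strip().lower()

    @staticmethod
    def _new_token():
        # Unguessable single-use token; a real deployment would also store
        # an expiry and a hash of the token server-side.
        return secrets.token_urlsafe(32)

    def request_reset_leaky(self, email):
        """The behaviour described in the post: the reply reveals whether
        the address exists, so each request answers 'is this a user?'."""
        email = self._normalize(email)
        if email not in self.users:
            return "We don't have that email address. Try another or register."
        self.outbox.append((email, self._new_token()))
        return "A password reset link has been sent to " + email

    def request_reset(self, email, source):
        """Hardened version: the same message for every input, and the same
        amount of work, so neither the text nor the timing leaks anything.
        Only genuinely registered addresses receive mail."""
        email = self._normalize(email)

        # Count requests per source; past the limit keep answering identically
        # but stop sending mail and record the event for monitoring.
        count = self.attempts.get(source, 0) + 1
        self.attempts[source] = count
        over_limit = count > self.limit
        if over_limit:
            self.audit.append(("rate_limited", source, email))

        # Generate the token unconditionally so the known/unknown branches
        # cost roughly the same time.
        token = self._new_token()
        if email in self.users and not over_limit:
            self.outbox.append((email, token))

        return GENERIC_MESSAGE


if __name__ == "__main__":
    svc = PasswordResetService({"alice@example.com": 1})
    print(svc.request_reset_leaky("nobody@example.com"))
    print(svc.request_reset("nobody@example.com", "203.0.113.5"))
    print(svc.request_reset("alice@example.com", "203.0.113.5"))
    print("mails queued:", len(svc.outbox))
```

The usability cost the post worries about is addressed in the message itself: it still tells a legitimate user what to do next (check their inbox), and the registration page can separately offer "already have an account?" guidance without the reset form confirming which addresses exist.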