On 04.06.2016 08:35, Karl Ove Hufthammer wrote:
> Bryan Richter wrote on 4 June 2016 at 03:47:
>> There are two situations where I'm not sure what the best action is.
> 
> IMO, the best solution (in both cases) is to *not* reveal that the user
> has (or hasn’t) an account. If I’m trying to be anonymous, I don’t want
> people to be able to find out whether I have an account at
> Snowdrift.coop. And if the user tries to create an account that already
> exists, *do* supply a ‘reset password’ link in the e-mail that is sent
> (but don’t automatically reset the password).
> 
> See also http://security.stackexchange.com/a/90354
> 

+1


_______________________________________________
Discuss mailing list
Discuss@lists.snowdrift.coop
https://lists.snowdrift.coop/mailman/listinfo/discuss
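
The sign-up behaviour proposed in the quoted message, as an added sketch that is not part of the thread and not Snowdrift.coop's code. `AccountService`, `register`, `redeem`, the reply text and the `example.invalid` links are all hypothetical names chosen for illustration.

```python
import hashlib
import secrets
from dataclasses import dataclass, field

# Identical on-page reply for new and already-registered addresses.
GENERIC_REPLY = "Check your e-mail for a link to continue."


@dataclass
class AccountService:
    """Hypothetical in-memory stand-in for a user table and an outgoing mail queue."""
    users: dict = field(default_factory=dict)   # email -> (salt, password digest)
    tokens: dict = field(default_factory=dict)  # one-time token -> (purpose, email)
    outbox: list = field(default_factory=list)  # (recipient, body) pairs "sent"

    def _mail_link(self, email, purpose, text):
        # The token is only ever delivered to the mailbox, never shown on the page.
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (purpose, email)
        self.outbox.append((email, f"{text} https://example.invalid/{purpose}/{token}"))

    def register(self, email):
        """Handle the sign-up form; only the mailbox owner learns which case applied."""
        email = email.strip().lower()
        if email in self.users:
            # Existing account: mail a reset link, leave the stored password alone.
            self._mail_link(email, "reset", "You already have an account. Reset link:")
        else:
            self._mail_link(email, "confirm", "Confirm your new account:")
        return GENERIC_REPLY

    def redeem(self, token, new_password):
        """Only following the mailed link creates the account or changes the password."""
        entry = self.tokens.pop(token, None)  # single use: the token is consumed here
        if entry is None:
            return False
        _purpose, email = entry
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 100_000)
        self.users[email] = (salt, digest)
        return True
```
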
