Those enumeration attacks can also be done on the sign-up page, if the sign-up page uses an email ID to register. Most sign-up pages contain email fields. Secondly, there are many (a majority of) websites which keep these validators on password reset, so why don't we keep that as the default?

Neither documentation has any suggestions on how to achieve email validation for beginners.

On Thu, 9 Jan 2020, 06:57 Fran Hrženjak, <fran.hrzen...@gmail.com> wrote:

> FWIW, for me the question here is why isn't Django applying the same
> protection against enumeration attacks on sign-up pages?
>
> On Thursday, 9 January 2020 02:08:16 UTC+1, SANYAM MITTAL wrote:
>>
>> PasswordResetView returns a success message for emails not in the database
>> also.
>>
>> *Problems Faced*
>>
>> 1. If the user is not registered but strongly thinks they are
>> registered and have forgotten the password, they would keep trying to get
>> a reset email.
>> 2. If they've typed a wrong email in PasswordResetForm, they would be
>> expecting a reset email with a reset URL but wouldn't receive any mail, nor
>> would any validation error be raised, which wastes a lot of the user's time.
>>
>> *Reference:*
>>
>> https://github.com/django/django/blob/0f843fdd5b9b2f2307148465cd60f4e1b2befbb4/django/contrib/auth/views.py#L208
>>
>> As mentioned in the documentation
>> https://docs.djangoproject.com/en/stable/topics/auth/default/#django.contrib.auth.views.PasswordResetView
>>
>> *This prevents information leaking to potential attackers*
>>
>> Although a potential attacker can easily get this information from the
>> Sign-Up/Register page, as a *validation error is raised when a duplicate
>> email address* is entered during sign-up.
>>
>> If there's *not a unique email validation* during sign-up, there are
>> chances that multiple users get registered with the same email (if a user
>> mistakenly types someone else's email) and the password reset email is sent
>> multiple times for different users, which is more risky.
>>
>> Facebook, Netflix and many more also raise a validation error when a
>> non-registered email is entered.
>>
>> *Thanks for your time.*
>>
>> Sorry, I don't know the real necessity of not validating the email, but
>> this really causes confusion and wastes the user's precious time.
--
You received this message because you are subscribed to the Google Groups "Django developers (Contributions to Django itself)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to django-developers+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/django-developers/CADXzAOcwjxDUk5r%3DW0-0vEZfUmOWRWiCqKPDNp8va2pjYBKVSg%40mail.gmail.com.
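The sign-up oracle Sanyam and Fran are discussing, as an added example that is not part of this thread and not Django's own code: a leaky sign-up that rejects duplicate addresses with a validation error, beside a variant that answers uniformly the way PasswordResetView does (success either way, with the difference confined to the email that only the mailbox owner sees), and the probe an attacker would run against each. `Store`, the `ValidationError` stand-in and the function names are hypothetical; they model the behaviour in plain Python rather than using Django's form, User model and `send_mail` APIs. The sample data at the bottom is constructed.

```python
# Added example (not Django's code, not from this thread): the enumeration
# oracle a duplicate-email error creates on sign-up, and a uniform-response
# variant that follows PasswordResetView's approach. Store, ValidationError
# and the function names are hypothetical stand-ins for the User model,
# django.forms.ValidationError and send_mail.
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Store:
    users: set[str] = field(default_factory=set)                 # registered emails, lower-cased
    outbox: list[tuple[str, str]] = field(default_factory=list)  # (recipient, subject) of mail "sent"


class ValidationError(Exception):
    """Stand-in for django.forms.ValidationError."""


SUCCESS = "Check your email to confirm your account."


def signup_leaky(store: Store, email: str) -> str:
    """Naive sign-up: rejecting duplicates tells the requester who is registered."""
    email = email.strip().lower()
    if email in store.users:
        raise ValidationError("A user with that email address already exists.")
    store.users.add(email)
    store.outbox.append((email, "Confirm your account"))
    return SUCCESS


def signup_uniform(store: Store, email: str) -> str:
    """Enumeration-resistant sign-up: the HTTP response is identical whether or
    not the address is registered; only the mail, visible solely to the
    mailbox owner, differs. This is the same shape as PasswordResetView,
    which reports success even for addresses it has no user for."""
    email = email.strip().lower()
    if email in store.users:
        # Existing account: tell the mailbox owner (with a reset link),
        # never the anonymous requester.
        store.outbox.append((email, "You already have an account (reset link inside)"))
    else:
        store.users.add(email)
        store.outbox.append((email, "Confirm your account"))
    return SUCCESS


def enumerate_accounts(store: Store, signup, candidates: list[str]) -> list[str]:
    """Attacker's view: submit each candidate address and keep the ones that
    produce a distinguishable response. Each probe runs on a copy of the
    store so the probes do not register accounts in the real one."""
    found = []
    for email in candidates:
        probe = Store(users=set(store.users))
        try:
            signup(probe, email)
        except ValidationError:
            found.append(email)
    return found


if __name__ == "__main__":
    # Constructed sample data: one registered user, two candidate addresses.
    store = Store(users={"alice@example.com"})
    candidates = ["alice@example.com", "bob@example.com"]
    print("leaky  :", enumerate_accounts(store, signup_leaky, candidates))    # ['alice@example.com']
    print("uniform:", enumerate_accounts(store, signup_uniform, candidates))  # []
```

Two caveats a real implementation has to handle to keep the response genuinely uniform: a `UNIQUE` constraint on the email column can still raise an `IntegrityError` when two requests race for the same address, and that exception must be caught and mapped to the same success page rather than surfaced as a different error; and sending the mail synchronously makes the two branches take measurably different time, so the mail should be queued and the endpoint rate-limited, which are the same precautions that apply to the password reset view.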