hasgeek / lastuser

Lastuser has been merged into Funnel. This repository is archived.
https://hasgeek.com/
BSD 2-Clause "Simplified" License

Give users a hint at where their password reset token has gone #190

Closed jace closed 6 years ago

jace commented 8 years ago

Related to #189, when a user resets their password using their username, they are not told what email address their reset code has been sent to. This should be hinted at in one of two ways:

  1. Reset code was sent to your email address j***@p***
  2. Reset code was sent to your pobox.com email address

The first does not reveal much, but gives both a legit user and an attacker a hint of which address it may have been.

The second is more elegant, but gives away the domain. This isn't a big deal when most users are on Gmail, but it may be a concern for less prominent domains.

jace commented 7 years ago

Twitter's masking format is two letters each of username and domain, followed by * characters matching the exact number of characters. As we've learnt in the Aadhaar trolling incident of May 2017, this is enough information to give away someone's identity. Lastuser should consider (a) revealing a single character, and (b) a fixed number of mask characters (like ***) to avoid revealing character count. Any downsides to this are currently unclear.

jace commented 6 years ago

Resolved in #233.