1. Openssf-Wg-Best-Practices
  2. Topics

Proposed best practice: Don't reveal presence/absence of email addresses

Feross Aboukhadijeh <feross@...>
 

Okay, then this is a +1 from me too.

Feross 
CEO, Socket 



On Aug 12, 2022 at 8:22:36 AM, David A. Wheeler <dwheeler@...> wrote:

FYI, I was just told that "don't reveal if account exists from a password reset"
is *already* an OWASP recommendation in their "Forgot Password Cheat Sheet", here:
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

That's strong evidence, to me, that this is already considered a best practice by many.

--- David A. Wheeler
David A. Wheeler
 

FYI, I was just told that "don't reveal if account exists from a password reset"
is *already* an OWASP recommendation in their "Forgot Password Cheat Sheet", here:
https://cheatsheetseries.owasp.org/cheatsheets/Forgot_Password_Cheat_Sheet.html

That's strong evidence, to me, that this is already considered a best practice by many.

--- David A. Wheeler
David A. Wheeler
 

On Aug 11, 2022, at 6:56 PM, Feross Aboukhadijeh <feross@...> wrote:

Even if you hide this information in password reset, it’s usually possible to find it by attempting to register an account. I’m not sure this recommendation is worth the reduced usability.

Unless we also recommend telling users they successfully registered an account when they in fact did not because the email was already used.
There's no need to tell them *incorrect* information, just don't reveal what you don't need to reveal. Here's the current proposed text:

* If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.

See:
https://github.com/ossf/secure-sw-dev-fundamentals/pull/80/files

It's not hard to do (I just did this in the best practices badge application).

--- David A. Wheeler
Feross Aboukhadijeh <feross@...>
 

Even if you hide this information in password reset, it’s usually possible to find it by attempting to register an account. I’m not sure this recommendation is worth the reduced usability.

Unless we also recommend telling users they successfully registered an account when they in fact did not because the email was already used.

Feross

On Thu, Aug 11, 2022 at 1:12 PM eric.tice via lists.openssf.org <eric.tice=wipro.com@...> wrote:

+1, This is a great point.

 

Respectfully,

 

signature_3929469851

Eric Tice

Director Global Open Source Technical Consulting and COE

Open Source Program Office (OSPO)

in/erictice @EricTice4

+1 615-342-9277, US Central Time Zone (CST)

 

 

From: openssf-wg-best-practices@... <openssf-wg-best-practices@...> on behalf of Christine Abernathy (F5 Networks) via lists.openssf.org <c.abernathy=f5.com@...>
Date: Thursday, August 11, 2022 at 3:09 PM
To: Dave Russo <drusso@...>, David A. Wheeler <dwheeler@...>, openssf-wg-best-practices@... <openssf-wg-best-practices@...>
Subject: Re: [openssf-wg-best-practices] Proposed best practice: Don't reveal presence/absence of email addresses

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
 

This is a definitely a best practice to add.

 

--

 

signature_687880551

Christine Abernathy | Sr Director, Open Source | F5 Office of the CTO

signature_2493520164

 

 

From: openssf-wg-best-practices@... <openssf-wg-best-practices@...> on behalf of Dave Russo <drusso@...>
Date: Wednesday, August 10, 2022 at 3:39 PM
To: David A. Wheeler <dwheeler@...>, openssf-wg-best-practices@... <openssf-wg-best-practices@...>
Subject: Re: [openssf-wg-best-practices] Proposed best practice: Don't reveal presence/absence of email addresses

EXTERNAL MAIL: bounce+76904+210+6791241+11276350@...

+1

On 8/10/22 11:31 AM, David A. Wheeler wrote:
> I propose tweaking the "fundamentals" course with text to recommend
> *not* revealing the presence/absence of email addresses in account creation & password resets.
>
> Here's the proposed text:
>
>> * If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
> This is captured in this pull request:
> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fossf%2Fsecure-sw-dev-fundamentals%2Fpull%2F80&amp;data=05%7C01%7Cc.abernathy%40f5.com%7Ccc1c504397674fac86b108da7b1074e1%7Cdd3dfd2f6a3b40d19be0bf8327d81c50%7C0%7C0%7C637957607861976968%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=SQ%2BizZzHmxauwfAF1BBQllSt4JeAUIV4jnYKd%2FXrvDU%3D&amp;reserved=0
>
> Do people generally agree that's a good/best practice when such functions exist?
>
> --- David A. Wheeler
>
>
>
>
>
>
>
>






'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'

Internal to Wipro

--

Feross 
CEO, Socket 
eric.tice@...
 

+1, This is a great point.

 

Respectfully,

 

signature_3929469851

Eric Tice

Director Global Open Source Technical Consulting and COE

Open Source Program Office (OSPO)

in/erictice @EricTice4

+1 615-342-9277, US Central Time Zone (CST)

 

 

From: openssf-wg-best-practices@... <openssf-wg-best-practices@...> on behalf of Christine Abernathy (F5 Networks) via lists.openssf.org <c.abernathy=f5.com@...>
Date: Thursday, August 11, 2022 at 3:09 PM
To: Dave Russo <drusso@...>, David A. Wheeler <dwheeler@...>, openssf-wg-best-practices@... <openssf-wg-best-practices@...>
Subject: Re: [openssf-wg-best-practices] Proposed best practice: Don't reveal presence/absence of email addresses

CAUTION:This email is received from an external domain. Open the hyperlink(s) & attachment(s) with caution.
.
 

This is a definitely a best practice to add.

 

--

 

signature_687880551

Christine Abernathy | Sr Director, Open Source | F5 Office of the CTO

signature_2493520164

 

 

From: openssf-wg-best-practices@... <openssf-wg-best-practices@...> on behalf of Dave Russo <drusso@...>
Date: Wednesday, August 10, 2022 at 3:39 PM
To: David A. Wheeler <dwheeler@...>, openssf-wg-best-practices@... <openssf-wg-best-practices@...>
Subject: Re: [openssf-wg-best-practices] Proposed best practice: Don't reveal presence/absence of email addresses

EXTERNAL MAIL: bounce+76904+210+6791241+11276350@...

+1

On 8/10/22 11:31 AM, David A. Wheeler wrote:
> I propose tweaking the "fundamentals" course with text to recommend
> *not* revealing the presence/absence of email addresses in account creation & password resets.
>
> Here's the proposed text:
>
>> * If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
> This is captured in this pull request:
> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fossf%2Fsecure-sw-dev-fundamentals%2Fpull%2F80&amp;data=05%7C01%7Cc.abernathy%40f5.com%7Ccc1c504397674fac86b108da7b1074e1%7Cdd3dfd2f6a3b40d19be0bf8327d81c50%7C0%7C0%7C637957607861976968%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=SQ%2BizZzHmxauwfAF1BBQllSt4JeAUIV4jnYKd%2FXrvDU%3D&amp;reserved=0
>
> Do people generally agree that's a good/best practice when such functions exist?
>
> --- David A. Wheeler
>
>
>
>
>
>
>
>






'The information contained in this electronic message and any attachments to this message are intended for the exclusive use of the addressee(s) and may contain proprietary, confidential or privileged information. If you are not the intended recipient, you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately and destroy all copies of this message and any attachments. WARNING: Computer viruses can be transmitted via email. The recipient should check this email and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this email. www.wipro.com'

Internal to Wipro
Christine Abernathy (F5 Networks)
 

This is a definitely a best practice to add.

 

--

 

signature_687880551

Christine Abernathy | Sr Director, Open Source | F5 Office of the CTO

signature_2493520164

 

 

From: openssf-wg-best-practices@... <openssf-wg-best-practices@...> on behalf of Dave Russo <drusso@...>
Date: Wednesday, August 10, 2022 at 3:39 PM
To: David A. Wheeler <dwheeler@...>, openssf-wg-best-practices@... <openssf-wg-best-practices@...>
Subject: Re: [openssf-wg-best-practices] Proposed best practice: Don't reveal presence/absence of email addresses

EXTERNAL MAIL: bounce+76904+210+6791241+11276350@...

+1

On 8/10/22 11:31 AM, David A. Wheeler wrote:
> I propose tweaking the "fundamentals" course with text to recommend
> *not* revealing the presence/absence of email addresses in account creation & password resets.
>
> Here's the proposed text:
>
>> * If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
> This is captured in this pull request:
> https://nam02.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fossf%2Fsecure-sw-dev-fundamentals%2Fpull%2F80&amp;data=05%7C01%7Cc.abernathy%40f5.com%7Ccc1c504397674fac86b108da7b1074e1%7Cdd3dfd2f6a3b40d19be0bf8327d81c50%7C0%7C0%7C637957607861976968%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&amp;sdata=SQ%2BizZzHmxauwfAF1BBQllSt4JeAUIV4jnYKd%2FXrvDU%3D&amp;reserved=0
>
> Do people generally agree that's a good/best practice when such functions exist?
>
> --- David A. Wheeler
>
>
>
>
>
>
>
>
Dave Russo
 

+1

On 8/10/22 11:31 AM, David A. Wheeler wrote:
I propose tweaking the "fundamentals" course with text to recommend
*not* revealing the presence/absence of email addresses in account creation & password resets.

Here's the proposed text:

* If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
This is captured in this pull request:
https://github.com/ossf/secure-sw-dev-fundamentals/pull/80

Do people generally agree that's a good/best practice when such functions exist?

--- David A. Wheeler
CRob Robinson (Intel)
 

+1

Cheers,

CRob
Director of Security Communications
Intel Product Assurance and Security

-----Original Message-----
From: openssf-wg-best-practices@... <openssf-wg-best-practices@...> On Behalf Of David A. Wheeler
Sent: Wednesday, August 10, 2022 11:31 AM
To: openssf-wg-best-practices@...
Subject: [openssf-wg-best-practices] Proposed best practice: Don't reveal presence/absence of email addresses

I propose tweaking the "fundamentals" course with text to recommend
*not* revealing the presence/absence of email addresses in account creation & password resets.

Here's the proposed text:

* If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
This is captured in this pull request:
https://github.com/ossf/secure-sw-dev-fundamentals/pull/80

Do people generally agree that's a good/best practice when such functions exist?

--- David A. Wheeler
Brian Fox (Sonatype)
 

+1

On Wed, Aug 10, 2022 at 11:31 AM David A. Wheeler <dwheeler@...> wrote:
I propose tweaking the "fundamentals" course with text to recommend
*not* revealing the presence/absence of email addresses in account creation & password resets.

Here's the proposed text:

> * If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.

This is captured in this pull request:
https://github.com/ossf/secure-sw-dev-fundamentals/pull/80

Do people generally agree that's a good/best practice when such functions exist?

--- David A. Wheeler
David A. Wheeler
 

I propose tweaking the "fundamentals" course with text to recommend
*not* revealing the presence/absence of email addresses in account creation & password resets.

Here's the proposed text:

* If a user tries to create an account using an email address, don't tell the user if an account with that email address already exists. Similarly, if a user tries to do a password reset using an email address, don't tell the user if there is no account with that email address. Providing that information would allow an attacker to determine if a specific email address is being used (or not) by some existing account.
This is captured in this pull request:
https://github.com/ossf/secure-sw-dev-fundamentals/pull/80

Do people generally agree that's a good/best practice when such functions exist?

--- David A. Wheeler

1 - 10 of 10