
wrong message for reset password

SOLVED


Hi,

I'm using 1.9.2.3.


Some of our users want to reset their password. Registered members receive their email. But if a customer is not sure what their email is, they don't get any error message.

If the email is not correct, they receive the same message as if it were correct. Everyone receives "We have sent instruction how to reset your password to your email." whether their account is registered or not. So they are waiting for an email for a day or two and then contact us to check manually.


We are using a custom template, but the phtml for reset password is from the base design.

Just double-checked with path hints: frontend/base/default/template/customer/form/forgotpassword.phtml


Any idea?

1 ACCEPTED SOLUTION


Re: wrong message for reset password

There is a very valid security reason for this. If you changed the message to say "Email address not found" then people will bot spam your reset password form either using a list of email addresses or a dictionary attack in the hope of finding a valid email. They will then use hacked email accounts or known passwords to try and gain access.

You would be better to change the text to say something like:

"If your email address is registered on our website you will receive a password reset email shortly"
--
Problem solved? Click Accept as Solution!


6 REPLIES

Re: wrong message for reset password

Well, Magento doesn't send an e-mail when there's no user info in the database, and for a very good reason: otherwise it's very simple to generate thousands of fake password reminders. It a) spams recipients and b) may cost real money for the store. In the worst-case scenario it may get the store blacklisted for spamming.

Tanel Raja

Re: wrong message for reset password

Thank you for your reply. 

It's not a problem about receiving an email. The problem is that even if they type dsfsdfasf@sdfsef.com in the forgot password field, they still get the message in Magento that instructions have been sent to your email address. They should receive a message that there is no such email address in our database, or something similar.

Thank you,


Re: wrong message for reset password

Hi,

Thank you for your reply.

So you are saying that this is a feature and not an error? And if I want to change that, I need to make an extension for Magento?


Thank you,

Re: wrong message for reset password

Correct, as far as I know this only exists as a single string of text, so you would need an override module to create two possible outputs, although as above I wouldn't recommend doing this as you will be open to form spam attacks.
--
Problem solved? Click Accept as Solution!

Re: wrong message for reset password

Ah, you're talking about the error message on screen and not the e-mail message.

Indeed it's not a bug but a feature -- call it the first line of security. Basically all systems that have been paying even marginal attention to what is going on will use this approach: you don't want hackers to know if the account exists or not just by saying so -- you can brute-force a non-existing account as long as you want and never get in. By saying that it's an existing account you make attacking your server easier. Not just easier -- easier by orders of magnitude.

Tanel Raja
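The uniform-response behaviour defended in the accepted answer and in Tanel Raja's last reply, written out as an added framework-neutral Python example (not Magento's code and not from anyone in this thread): the handler returns one message whether or not the address is registered, rate-limits requests per requester to cap the mail volume and list runs both answerers mention, and a small self-check flags a handler that leaks. The account store, addresses and limits are constructed for the example.

```python
import secrets
import time
from collections import defaultdict

# Constructed sample account store (hypothetical addresses), not a real table.
ACCOUNTS = {"alice@example.com": 1, "bob@example.com": 2}

GENERIC_MESSAGE = ("If your email address is registered on our website you will "
                   "receive a password reset email shortly")


class ResetService:
    """Forgot-password handler that never reveals whether an address is
    registered; the only difference is the side effect (an e-mail is queued)."""

    def __init__(self, accounts=ACCOUNTS, limit=3, window=3600):
        self.accounts = accounts
        self.outbox = []                   # (email, token) pairs actually queued
        self.limit, self.window = limit, window
        self._hits = defaultdict(list)     # requester -> request timestamps

    def _allowed(self, requester, now):
        """Per-requester sliding-window limit: caps mail volume and list runs."""
        recent = [t for t in self._hits[requester] if now - t < self.window]
        self._hits[requester] = recent
        if len(recent) >= self.limit:
            return False
        recent.append(now)
        return True

    def forgot_password(self, email, requester, now=None):
        """Always returns GENERIC_MESSAGE. The redirect target, HTTP status and
        response time must be identical too, or they become the oracle."""
        now = time.time() if now is None else now
        if self._allowed(requester, now):
            normalized = email.strip().lower()
            if normalized in self.accounts:
                self.outbox.append((normalized, secrets.token_urlsafe(32)))
        return GENERIC_MESSAGE


def leaky_forgot_password(email, accounts=ACCOUNTS):
    """The behaviour the original post asked for, kept so the check can flag it."""
    if email.strip().lower() in accounts:
        return "We have sent instruction how to reset your password to your email."
    return "Email address not found"


def is_enumeration_oracle(handler, known, unknown):
    """True when the response differs for a registered vs. unregistered address."""
    return handler(known) != handler(unknown)
```

The block does not equalize response time itself; in a real handler the lookup and token work should take the same time on both paths, or measured latency becomes the oracle the message no longer is.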