Forgot password – No account registered – Securiry breach?

2 points by haritap ↗ HN
When using the “Forgot password?” option from any portal, generally it should acknowledge if the email entered was registered in the application. People claim that this allows for a hacker to verify a whether an email address is valid or not.

What could be the solution? How do a person know if he types wrong mail.

3 comments

[ 3.2 ms ] story [ 13.8 ms ] thread
If there is an account registered to this email account, a recovery email was sent to it etc.
Just say 'we sent a mail to ' whatever address they entered. If it's incorrectly typed, the user can see it then and try again.
If you have the bandwidth, handle forgotten passwords manually through a customer service call and ensure they give you email, username and billing details if applicable.