dansup

You would think a "Forgot Email" feature would be simple to implement: a feature to send an email to an account by providing the username.

And it can be, but a feature like this has several vectors that are ripe for abuse.

Some examples:
- Credential stuffing
- Targeted account takeovers
- Email quota overage
- Account state exfiltration

Our mitigations:
- IP address rate limits (10/1440 mins)
- Once per account for 24h
- Email quota (no overages)
- Random timing delays
- General error messages

6 comments
Jippi 🇩🇰

@dansup I have also seen success with asking users to go to their inbox and search for the mail domain to find it - assuming the pixelfed welcome/confirm mail content includes the username :)

"""
"Forgot your email?
No worries! You can search your inbox for "from:pixelfed.dk" and check your welcome mail - otherwise, put your username in the form below, and we will send you an email"
"""

dansup

@jippi Some people don't remember which account they used though, this saves admins a bit of time by automating the experience in an ideal way.

Jippi 🇩🇰

@dansup Oh yeah, it's not "one or the other" but "both" I've seen work well.

Similarly, sometimes just exposing the mailer domain (and not the username part) is usually enough to prompt most folks' memory :D

DELETED

@dansup Credential stuffing sounds painful

Exandra

@dansup once per 24h would definitely fail for me for reasons relating to the way embedded browsers in email clients frequently lose state and password managers are not 100% reliable.

I almost always end up requesting 2-3 resets in a row.
