Preventing User Enumeration in Craft Password Reset Form

Name: Mijingo, LLC
Price range: $

How to prevent someone from determining whether a user account exists by username or email address.

This is a follow-up video on the original course and will also be the source for an article on the same topic.

In the previous video on creating a password reset form, we didn’t takcle one important security issue when it comes to resetting password: enumeration.

User enumeration is the ability to establish the exitence of a user account by something like an email address. This can be determined by reading the response message of a password reset form or by timing the amount of time it takes to respond.

Craft CMS has user enumeration preventing built in, however it is not enabled by default.

Course Videos

Craft CMS Front-End Registration is made up of the following videos:

More you should learn about Twig

Preventing User Enumeration in Craft Password Reset Form

Understanding Twig Context or Scope

Refactoring with Twig Filters

First Look: Hyper Plugin

Making Twig Macros Work Like Functions

CraftQuest on Call 70: What is Twig, Anyway?

CraftQuest on Call 64: Git Party

CraftQuest on Call 62: Questions and Answers

How to create a dynamic asset upload path from field data in Craft CMS