As I recall, and correct me if I'm wrong, but Django's auth package doesn't
contain user registration views. Thus while I understand your point it does not
serve as justification to change this functionality in the core auth code.
It is inherent in the functionality of a typical user registra
Those enumeration attacks can also be done on the Sign-up page if the Sign-up
page uses an email ID to register. Most Sign-up pages contain Email fields.
Secondly, there are many (the majority of) websites which keep these
Validators on PasswordReset, so why don't we keep
that defa
FWIW, for me the question here is why isn't Django applying the same
protection against enumeration attacks on sign-up pages?
On Thursday, 9 January 2020 02:08:16 UTC+1, SANYAM MITTAL wrote:
>
> PasswordResetView returns a success message for emails not in database
> also.
>
> *Problems Faced*
This is an intentional protection against enumeration attacks.
Kye Russell
Sent from my iPhone
> On 9 Jan 2020, at 9:08 am, SANYAM MITTAL wrote:
>
>
> PasswordResetView returns a success message for emails not in database also.
>
> Problems Faced
>
> If the user is not Registered but strong
PasswordResetView returns a success message for emails not in database also.
Problems Faced
1. If the user is not Registered but strongly thinks they are registered and
have forgotten the password they would keep trying to get Reset email.
2. If they've typed a wrong email in PasswordResetForm. T
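The two behaviours discussed in this thread, the PasswordResetView response that is the same whether or not the address is registered, and the question of applying that same protection to a sign-up page, as an added illustration. This is example code written for this page, not Django's code and not any poster's; the in-memory user store, the mail outbox, the sample account alice@example.com and the response strings are constructed stand-ins for a real database, mail backend and templates.

```python
"""Enumeration-safe account flows (added example, not Django code).

The HTTP response never depends on whether the address is registered; the
branch that does depend on it is moved into the e-mail, which only the
mailbox owner can read. UserStore and Outbox are constructed stand-ins.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Outbox:
    """Constructed stand-in for a mail backend: records what would be sent."""
    sent: list = field(default_factory=list)

    def send(self, to: str, subject: str, body: str) -> None:
        self.sent.append((to, subject, body))


@dataclass
class UserStore:
    """Constructed stand-in for the user table, seeded with one sample account."""
    users: dict = field(default_factory=lambda: {"alice@example.com": "alice"})
    pending: dict = field(default_factory=dict)       # confirm token -> email
    reset_tokens: dict = field(default_factory=dict)  # reset token -> email

    def exists(self, email: str) -> bool:
        return email.strip().lower() in self.users


def leaky_signup(store: UserStore, outbox: Outbox, email: str) -> tuple:
    """The pattern the thread objects to: the response itself is an oracle."""
    if store.exists(email):
        return 400, "An account with this email address already exists."
    token = secrets.token_urlsafe(16)
    store.pending[token] = email
    outbox.send(email, "Confirm your account", f"Confirmation token: {token}")
    return 200, "Check your inbox for a confirmation link."


# One fixed response for every sign-up attempt, registered or not.
SIGNUP_RESPONSE = (200, "If the address is not already registered, we have "
                        "sent a confirmation link to it.")


def safe_signup(store: UserStore, outbox: Outbox, email: str) -> tuple:
    """Enumeration-safe sign-up: same response; the e-mail carries the difference."""
    if store.exists(email):
        # Tell the real owner; an attacker without the mailbox learns nothing.
        outbox.send(email, "You already have an account",
                    "Someone tried to sign up with this address. If it was "
                    "you, use the password reset form instead.")
    else:
        token = secrets.token_urlsafe(16)
        store.pending[token] = email
        outbox.send(email, "Confirm your account", f"Confirmation token: {token}")
    return SIGNUP_RESPONSE


# The behaviour the thread describes for PasswordResetView, in the same shape.
RESET_RESPONSE = (200, "If an account with that address exists, a reset "
                       "link has been sent to it.")


def safe_password_reset(store: UserStore, outbox: Outbox, email: str) -> tuple:
    """Sends a reset token only to registered addresses, answers identically."""
    if store.exists(email):
        token = secrets.token_urlsafe(16)
        store.reset_tokens[token] = email
        outbox.send(email, "Password reset", f"Reset token: {token}")
    # Unknown address: nothing is sent, but the response is the same.
    return RESET_RESPONSE


def leaks_membership(handler, known: str, unknown: str) -> bool:
    """Attacker's oracle: submit a known and an unknown address to a fresh
    store and compare what comes back over HTTP. True means the handler
    reveals which addresses are registered."""
    known_resp = handler(UserStore(), Outbox(), known)
    unknown_resp = handler(UserStore(), Outbox(), unknown)
    return known_resp != unknown_resp


if __name__ == "__main__":
    for h in (leaky_signup, safe_signup, safe_password_reset):
        print(h.__name__, "leaks membership:",
              leaks_membership(h, "alice@example.com", "bob@example.com"))
```

The check in `leaks_membership` is what an attacker does by hand: submit one address known to exist and one that does not, and diff the responses. Note that equal response bodies close only the direct oracle; a handler that hashes a password or sends mail on one branch only can still be distinguished by response time, and a sign-up page that always sends mail is also a target for abuse unless rate limited. Both of those concerns are outside this example.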