Privacy in Password retrieval forms

Protecting our privacy is becoming so frustratingly difficult that most of the time we simply give up. Even an apparently harmless password retrieval form hides a threat to our privacy.

We have all been through a password retrieval form. You give your email address, you get a message with instructions to create a new password. This is also the simplest way to find out whether anyone whose email address you know is registered with an online service.

This is the most basic privacy leak your site could have, and still even big networks sensationally fail at it.

The following screenshot comes from WordPress.com, a pretty huge service I’d say.

[Screenshot: WordPress.com password retrieval form (wordpress-privacy)]

It’s a mild privacy threat, but still a threat; it’s even the easiest issue to fix, yet very few care. Say you have a forum where people share experiences about a rare disease, or a Selfies for Furries gallery, or whatever. If I want to know whether a friend, colleague or relative has that kinky habit, all I have to do is enter their email address on the “Forgot password” page.

Why should you care? And about such a small threat, moreover. Thanks for asking. Let me digress for a moment.

From a service provider’s (you, the developer) standpoint there are no mild or critical privacy concerns. Only your users can decide what privacy is; you have no right to choose for them. Privacy starts from a complete lock-down with opt-in options, not the other way around.

That’s also why the “I have nothing to hide, I’m no terrorist” statement makes no sense. Paradoxically, freedom is the right to define your own boundaries, not the absence of boundaries altogether.

Solution for developers

You are so good at pixel-perfect design and military-grade security, and still you fail at protecting the privacy of your users, starting from the very smallest things.

If you run a service, don’t disclose whether an email address is present in your database. The easiest solution is to just say that an email has been sent, whether or not the address is registered.

“An email has been sent to the provided address. If you don’t receive it within a few minutes, try again.”

But why lose the opportunity to tell your users how much you care?

“We care about our users’ privacy! We can’t tell you whether the email address you provided is in our database, but if it is you’ll soon get a message. If you don’t receive it within a few minutes you can always retry.”

Simple as that. If you don’t care about your users’ privacy I don’t know why I should care about your silly startup!
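As an added example (not code from the post), here is the leaky handler next to one that returns the message suggested above regardless of whether the address is registered, and that also keeps the response time uniform so the lookup cannot be inferred from latency. The user store, the outbound mail queue and the addresses are stand-ins I constructed.

```python
import secrets
import time

# Constructed sample user store and outbound mail queue; a real application
# would use its database and a mail job queue instead (both are stand-ins).
USERS = {"alice@example.com": {"username": "alice"}}
OUTBOX = []

LEAKY_UNKNOWN = "No account is registered with that email address."
LEAKY_KNOWN = "An email has been sent to the provided address."
UNIFORM = ("An email has been sent to the provided address. "
           "If you don't receive it within a few minutes, try again.")


def leaky_forgot_password(email):
    """The pattern the post complains about: the reply itself confirms
    whether the address is registered, so anyone can probe it."""
    if email not in USERS:
        return LEAKY_UNKNOWN
    OUTBOX.append((email, secrets.token_urlsafe(32)))
    return LEAKY_KNOWN


def safe_forgot_password(email, min_seconds=0.05):
    """Answer identically, and in roughly the same time, either way.

    The reset token is generated before the lookup so both branches do the
    same work, and the response is padded to a minimum duration so that the
    cost of queueing the email does not become a timing oracle.
    """
    started = time.monotonic()
    token = secrets.token_urlsafe(32)
    if email in USERS:
        # Only a registered address actually gets the email; the caller
        # cannot tell, because the reply and the timing are the same.
        OUTBOX.append((email, token))
    remaining = min_seconds - (time.monotonic() - started)
    if remaining > 0:
        time.sleep(remaining)
    return UNIFORM
```

The same rule applies to HTTP status codes and log lines: return the same status and log at the same level whether or not the address was found.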

Solution for end users

The truth is that companies care about your data more than you care about your privacy. It’s their job; they get an immediate return on it. You get nothing tangible in return for protecting your own privacy, until you actually discover that someone violated it. At that point you feel betrayed, and you think you should have been protected, or better informed.

The first thing you can do before registering with a new service is to check how its password retrieval form behaves. Click on “forgot password” and fill in your email address. If they tell you that you are not actually registered, do not use that service. They don’t give a shit about their users’ data.

If you absolutely have to register anyway, create a new hard-to-guess email address (or even a disposable one) and never use that address for anything other than logging in to that service.

It’s unbelievable that we still need a post like this…

6 thoughts on “Privacy in Password retrieval forms”

  1. Good tip. But what about “email address already taken” in registration forms? It’s exploitable the same way… should we tell them “for some reason you can’t use this email address, but we can’t tell you why because we respect your privacy?”

      1. Yup, but it’s actually quite widespread. Obviously it doesn’t mean it’s the right way to go, but marketers and businesses want to tie emails to single individuals so they can be better profiled in marketing/DEM campaigns.

  2. So what happens when multiple accounts are created using the same email address and the “user” is requesting their password? Do you send a single email message to reset one or all of the passwords connected to the email address? If more than one account exists, do you additionally prompt for username? If not and the password is automatically reset, which account gets reset by default?

    Regarding privacy, I have a popular gmail address that has been used accidentally many times for paid service accounts. I usually gain access pretty easily since it’s my email address, but then I either attempt to identify & contact the actual user or I change the password and close the unauthorized account. (Some services don’t allow for the email address to be changed after account creation.)

    1. So what happens when multiple accounts are created using the same email address and the “user” is requesting their password? Do you send a single email message to reset one or all of the passwords connected to the email address? If more than one account exists, do you additionally prompt for username? If not and the password is automatically reset, which account gets reset by default?

      When resetting the password you ask for the combination of username+email. Or just pick the latest account.

Comments are closed.