- From: C. M. Sperberg-McQueen <cmsmcq@blackmesatech.com>
- Date: Thu, 28 Jan 2021 09:11:24 -0700
- To: site-comments@w3.org
- Cc: "C. M. Sperberg-McQueen" <cmsmcq@blackmesatech.com>
I notice that when I put the wrong email address into the password recovery form at [1], I get a message saying "No user account with that email address found". Is it good practice to reveal to an unauthenticated individual whether an arbitrary email address is or is not affiliated with a W3C login ID?

I thought I had read that security experts recommended that systems not make it possible to discover whether a given account name does or does not exist (a bit like psychiatrists who not only decline to confirm that so-and-so is one of their patients, but also decline to confirm that so-and-so is *not* one of their patients).

best,

Michael Sperberg-McQueen

[1] https://www.w3.org/accounts/recover

********************************************
C. M. Sperberg-McQueen
Black Mesa Technologies LLC
cmsmcq@blackmesatech.com
http://www.blackmesatech.com
********************************************
Received on Thursday, 28 January 2021 16:11:44 UTC
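The behaviour the message describes, as an added illustration that is not W3C's code: a minimal password-recovery handler in the leaky form (different message for unknown addresses) beside a hardened form that returns the same response either way and does the same work in both cases. The user table, addresses and outbox are constructed placeholders.

```python
"""Account enumeration through a password-recovery form, and one fix.

The leaky handler answers differently for registered and unregistered
addresses, so an unauthenticated caller can test addresses one by one.
The hardened handler returns one fixed message and status, and generates
a token on every call, so neither the text nor the amount of work done
reveals whether the address is known.
"""
import secrets

# Constructed user table; these addresses are placeholders, not real accounts.
USERS = {"alice@example.org": {"id": 1}, "bob@example.org": {"id": 2}}

# Constructed stand-in for the mail queue.
OUTBOX = []

GENERIC_MESSAGE = ("If an account exists for that address, "
                   "a recovery link has been sent to it.")


def leaky_recover(email):
    """Vulnerable: the response itself says whether the account exists."""
    if email not in USERS:
        return {"status": 404,
                "message": "No user account with that email address found"}
    token = secrets.token_urlsafe(32)
    OUTBOX.append((email, token))
    return {"status": 200, "message": "A recovery link has been sent."}


def hardened_recover(email):
    """Fixed: identical response for known and unknown addresses."""
    # Generate the token unconditionally so both paths do the same work.
    token = secrets.token_urlsafe(32)
    if email in USERS:
        # In a real service, enqueue the mail asynchronously so that the
        # sending step itself does not introduce a timing difference.
        OUTBOX.append((email, token))
    return {"status": 200, "message": GENERIC_MESSAGE}


def responses_distinguish(handler, known, unknown):
    """True if a caller can tell a known address from an unknown one
    by comparing the handler's responses."""
    return handler(known) != handler(unknown)
```

The same check applies to the login and registration forms: any endpoint that answers "no such account" (or takes measurably longer for one case) leaks the same information, and per-address rate limiting on the recovery form limits how quickly a list can be tested.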