
Why Doesn’t Password Reset Tell You If an Email Is Registered?


When you request a password reset on our platform, you’ll see the same success message regardless of whether the email you entered is registered in our system:

“If this email is registered, you will receive a password reset email”

You might wonder: Why doesn’t the system tell me directly if the email is registered? This article explains the security considerations behind this design.

What Is a User Enumeration Attack?

User enumeration is a common attack technique in which an attacker uses differences in a system's responses to determine whether a given user account exists.

Attack Scenario Example

Imagine if the system explicitly told users “This email does not exist”:

  1. Attackers could batch-test numerous email addresses
  2. Use the differing responses to compile a list of registered emails
  3. Use this information for:
    • Targeted phishing attacks: Send more credible-looking phishing emails
    • Credential stuffing: Try passwords leaked from other platforms
    • Social engineering attacks: Use user information for fraud
    • Spam: Send spam to confirmed valid email addresses

Our Protection Mechanism

To prevent user enumeration attacks, we implement the following security measures:

1. Uniform Response Messages

Regardless of whether the email is registered, the API returns the same success response:

{
  "success": true,
  "message": "If this email is registered, you will receive a password reset email"
}

This prevents attackers from determining email registration status through response content.

2. Consistent Response Time

The system ensures processing time remains consistent whether the email is registered or not, preventing attackers from inferring information through response time differences.

3. Send Emails Only to Registered Addresses

  • ✅ If email is registered: Send an email with reset link
  • ❌ If email is not registered: Don’t send any email or log any records

This way, even if attackers monitor the email server, they cannot obtain useful information.
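The three measures above (one uniform response body, a padded response time, and an email only for registered addresses) can be combined in a single handler. The following is an added illustration written for this article, not the platform's own code; the user store, the `send_email` callback, the reset link domain and the 0.25 s time budget are assumptions.

```python
import secrets
import time
from hashlib import sha256

# The uniform body returned on every request, matching the message above
UNIFORM_RESPONSE = {
    "success": True,
    "message": "If this email is registered, you will receive a password reset email",
}

# Minimum wall-clock budget every request is padded up to (assumed value)
MIN_RESPONSE_SECONDS = 0.25


def make_reset_token():
    """Return (raw token for the email link, hash to store server-side)."""
    raw = secrets.token_urlsafe(32)
    return raw, sha256(raw.encode()).hexdigest()


def request_password_reset(email, users, send_email,
                           sleep=time.sleep, clock=time.monotonic):
    """Handle a reset request without revealing whether `email` is registered.

    users:      dict mapping normalized email -> user record (hypothetical store)
    send_email: callable(address, reset_link) that queues the message
    sleep/clock are injectable so the timing logic can be tested.
    """
    start = clock()
    normalized = email.strip().lower()
    user = users.get(normalized)

    # Do the same work on both paths so CPU cost does not depend on the lookup
    raw_token, token_hash = make_reset_token()

    if user is not None:
        # Real deployment: persist token_hash with an expiry against user["id"]
        user["reset_token_hash"] = token_hash
        send_email(normalized, f"https://app.example/reset?token={raw_token}")
    # Unregistered address: no email sent and no record written

    # Pad to a fixed budget so a faster "not found" path is not observable
    elapsed = clock() - start
    sleep(max(0.0, MIN_RESPONSE_SECONDS - elapsed))
    return dict(UNIFORM_RESPONSE)
```

In a real deployment `send_email` should only enqueue the message for a background worker, so that mail-server latency does not reintroduce a timing difference.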

This Is Industry Best Practice

Our design follows internationally recognized security standards:

OWASP Recommendation

OWASP (Open Web Application Security Project) explicitly recommends this approach in its security guidelines.

Adopted by Major Platforms

Many well-known platforms use the same strategy:

  • GitHub: Password reset doesn’t reveal if email exists
  • Google: Account recovery uses ambiguous prompts
  • Microsoft: Password reset uses uniform responses
  • Facebook: Account lookup uses privacy protection mechanisms

Impact on You

If You’re a Legitimate User

  • Your privacy is protected: Others cannot confirm if you’re registered on the platform
  • Reduced attack risk: Attackers cannot target your account specifically
  • ⚠️ Need to check email: If you don’t receive an email, it may be because the address was mistyped or is not registered

If You Forgot Your Registration Email

If you’re unsure which email you used to register, you can:

  1. Try your commonly used email addresses
  2. Check all possible email inboxes (including spam folders)
  3. If still unable to recover, contact our customer support

Security Tips

To better protect your account security, we recommend:

  • 📧 Use a unique email: Use a dedicated email address for important accounts
  • 🔐 Enable two-factor authentication: Add an extra security layer
  • 📝 Record account information: Securely record your registration email
  • ⚠️ Beware of phishing emails: Our reset emails always come from official domains

Frequently Asked Questions

Why didn’t I receive a reset email?

Possible reasons:

  1. Email address entered incorrectly
  2. The email is not registered in the system
  3. Email was flagged as spam
  4. Email server delay

Solutions:

  • Check your spam folder
  • Confirm the email address is spelled correctly
  • Wait a few minutes and retry
  • Try other possible email addresses

Does this affect user experience?

We believe security takes priority over convenience. While this may cause some inconvenience for users who forget their registration email, it’s a necessary trade-off to protect the privacy and security of all users.

What if I really forgot my registration email?

Please contact our support team through:

  • Feedback and suggestions at the bottom of the website

We will help you recover your account through a secure identity verification process.

Summary

Our user enumeration protection mechanism is designed to:

  1. Protect your privacy: Don’t disclose account registration status
  2. Enhance security: Prevent attackers from collecting user information
  3. Follow best practices: Adopt industry-recognized security standards

While this may cause some inconvenience, we believe it’s the right choice to protect your account security.