Search the Community
Showing results for tags 'username'.
Haven't seen this here yet, and please point me in that direction if a thread already exists, but I'd like to request a change to the error message that is displayed at the Self-Service Password Rest Portal. Currently, if you input a username that does not exist, you are told that the username was not found. This allows an attacker to enumerate valid accounts for your organization and proceed with related attacks against Security Questions, MFA options and other attack avenues. Could this be a more generic message that does not indicate whether an account is valid or not?