Something I consider an integrity protection flaw in Drupal is that both the ordinary login
function and logging in via one-time link acknowledge that an account
exists *before* they check the password. I mean, Drupal will deny access if
an account has been blocked, before checking the password, thus informing
the user that this account does actually exist on the site and that it is blocked.

I think as long as Drupal has not verified that the person trying to log
into Drupal has used a correct username AND password, Drupal should pretend
as if the account does not exist at all. Same goes for the "Forgotten your
password" function, which acknowledges that an account exists. It should
instead be more vague. Something like "*If* the username is in our
database, a password will be sent etc.".

Why should there be a change? Well, sometimes you just don't want other
people to know you're registered on a site. For political, religious or
personal security or other reasons.
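The two check orders the post contrasts, as an added example that is neither Drupal's code nor the poster's: a hypothetical login and password-reset handler that reports existence and blocked status before verifying the password, beside a variant that returns one failure message for every bad attempt, always runs the hash comparison (against a dummy credential when the name is unknown, so timing does not leak either), and only reveals the blocked status once the caller has proven knowledge of the password. The user table, passwords, message strings and the `enumerate_usernames` probe are all constructed for this example.

```python
import hashlib
import hmac
import os

# Constructed sample user table for this example (not Drupal's schema).
# username -> (salt, PBKDF2 hash, blocked?)
def _hash(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)

def _make_user(password: str, blocked: bool = False):
    salt = os.urandom(16)
    return (salt, _hash(password, salt), blocked)

USERS = {
    "alice": _make_user("correct horse"),
    "bob": _make_user("hunter2", blocked=True),
}

# Dummy credential used when the account does not exist, so the hardened
# path does the same hashing work (and takes about the same time) either way.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)

def login_leaky(username: str, password: str) -> str:
    """Check order as described in the issue: existence and blocked status
    are reported before the password is ever verified."""
    user = USERS.get(username)
    if user is None:
        return "Unrecognized username."
    salt, stored, blocked = user
    if blocked:
        return "This account is blocked."
    if hmac.compare_digest(_hash(password, salt), stored):
        return "OK"
    return "Wrong password."

def login_uniform(username: str, password: str) -> str:
    """Hardened variant: one failure message for every bad attempt, the
    password is always hashed and compared, and the blocked status is only
    revealed once the caller has proven knowledge of the password."""
    user = USERS.get(username)
    salt, stored, blocked = user if user is not None else (_DUMMY_SALT, _DUMMY_HASH, False)
    match = hmac.compare_digest(_hash(password, salt), stored)
    if user is None or not match:
        return "Unrecognized username or password."
    if blocked:
        return "This account is blocked."
    return "OK"

OUTBOX: list = []  # usernames for which a reset mail would be queued

def reset_leaky(username: str) -> str:
    """Reset flow that confirms whether the account exists."""
    if username not in USERS:
        return "Unrecognized username."
    OUTBOX.append(username)
    return "Reset instructions have been sent to your e-mail address."

def reset_uniform(username: str) -> str:
    """Reset flow with the vague wording the issue proposes: the mail (if
    any) is queued, but the response does not say whether one was."""
    if username in USERS:
        OUTBOX.append(username)
    return "If that username is in our database, reset instructions have been sent to its e-mail address."

def enumerate_usernames(probe, candidates, probe_password: str = "x") -> list:
    """Attacker's view: a candidate name is confirmed if its response differs
    from the response for a name known not to exist."""
    baseline = probe("no-such-user-3f9c1", probe_password)
    return sorted(name for name in candidates if probe(name, probe_password) != baseline)

if __name__ == "__main__":
    names = ["alice", "bob", "carol"]
    print("leaky login confirms:", enumerate_usernames(login_leaky, names))
    print("uniform login confirms:", enumerate_usernames(login_uniform, names))
    print("leaky reset confirms:", enumerate_usernames(lambda n, _p: reset_leaky(n), names))
    print("uniform reset confirms:", enumerate_usernames(lambda n, _p: reset_uniform(n), names))
```

Against `login_leaky` and `reset_leaky` the probe confirms both `alice` (a wrong-password or mail-sent reply) and `bob` (a blocked reply) with a single guess each; against the uniform variants every name gets the same reply, so the probe learns nothing. The dummy hash matters as much as the wording: if the unknown-name path skipped the PBKDF2 call, response time alone would still separate existing from non-existing accounts.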

Comments

mlncn

Version: 6.19 » 8.x-dev
Issue tags: +privacy

I wouldn't want this changed in core – ability to use trumps this bit of privacy for the vast majority of sites; I couldn't imagine trying to recover a password without knowing when I put the correct e-mail address in – but I could see this as a very good option or contributed module. The ultimate implementation of this idea as an option could allow a default setting per site and a per-user setting as well.

mr.baileys

Status: Active » Closed (duplicate)