
Forgot Username/Email - says sending even if account does not exist

  • October 4, 2021
  • 3 replies
  • 186 views

jckemv
Helper I

Hi everyone,

I receive a lot of helpdesk requests from users that forget their username.

They use the “Forgot your password?” link on the login page and type in what they think is their username or email address, and the system happily says it is sending an email to them.

However, you can put anything, any username or email address and it says the same message without saying anything useful like “that username does not exist” or “that email address is not registered.”

So my users happily wait for an email that never arrives, then, frustrated, submit a helpdesk request.

I didn’t know it had this behaviour and cannot understand it. Is it some kind of anti-spam thing?

Does anyone else think this is unhelpful to both users and admins alike?

Best answer by alekwo

I can’t speak for Docebo, but in general it is a security best practice NOT to reveal whether the username is correct or not, as hackers could then easily confirm the list of valid usernames for your system, and then “only” need to guess or obtain the password to get access.

And knowing the valid usernames they could use phishing or social engineering techniques to approach your users with very plausible messages.

I think it may be worth considering switching your Docebo configuration to use email addresses as usernames, as that’s something people tend to remember ;-)

Another idea, which won’t solve your exact issue, but may help. We’re sending a welcome email to each new user of our platform, and in that email we do state what their username is. So, at least those who don’t delete those messages can search for the welcome message and find the username in their email archive.
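To illustrate the practice described in this answer, here is an added example (not Docebo's code, and not posted by anyone in this thread) of a forgot-password handler that returns one uniform message whether or not the identifier matches an account, generates the reset token on both paths so response time does not depend on the outcome, and records the real outcome only in an internal audit log where the helpdesk can see why no email arrived. The user store, outbox and audit list are constructed in memory for the example.

```python
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for the platform's user directory (assumption, not a real schema).
# Maps a lookup key (username or email address, lowercased) to the account's contact address.
USERS = {"alice": "alice@example.com", "bob@example.com": "bob@example.com"}

# The only text the requester ever sees; it is identical on every path.
GENERIC_MESSAGE = "If an account matches, a password reset email is on its way."


@dataclass
class Backend:
    """Collects queued mail and an internal audit log instead of touching real systems."""
    outbox: list = field(default_factory=list)   # mail to be sent asynchronously
    audit: list = field(default_factory=list)    # visible to admins/helpdesk only


def request_password_reset(identifier: str, backend: Backend) -> str:
    """Forgot-password endpoint logic: same response and same work on both paths."""
    key = identifier.strip().lower()
    email = USERS.get(key)
    # Token is generated regardless of outcome so the known/unknown paths cost the same;
    # it is only ever delivered when an account exists.
    token = secrets.token_urlsafe(32)
    if email is not None:
        # Queue, do not send inline: the response must not wait on mail delivery,
        # otherwise response time would reveal that an account matched.
        backend.outbox.append({"to": email, "token": token})
        outcome = "reset_queued"
    else:
        outcome = "no_match"
    # The specific outcome is recorded internally, so a "never got the email" ticket
    # can be reconciled by staff without the requester learning whether the account exists.
    backend.audit.append({"identifier": key, "outcome": outcome})
    return GENERIC_MESSAGE
```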

3 replies

alekwo
Guide III
  • Answer
  • October 4, 2021


jckemv
Helper I
  • Author
  • October 4, 2021

Thanks and I thought so also. I send an email to new users via the system with the user info and I’d love them to refer back to it indeed. 

My goal is to move to email and username and will migrate to that soon. 


jckemv
Helper I
  • Author
  • January 27, 2022

Here is a tip for anyone with this problem, which I have learnt from another problem and community post: use the localisation tool to adjust the text in the “Recover Password” dialogue box to explain the process.

I’m adjusting the default text slightly to say that an email will only be sent to valid email addresses; otherwise nothing will be sent. I’m hoping this reduces helpdesk tickets.