Clearer messaging when an invalid barcode is used in a password reset
A patron was using their former barcode to try to do a password reset, and before we realized what the issue was, the system told them they 'had no email address' associated with that account. It would be more helpful if the system told them the barcode was invalid or, even better, that they were using an old barcode.
-
Wes Osborn commented
I imagine this was set up as a generic message because it would otherwise "leak" information as to whether this was a valid barcode, making it easier to compromise an account. See these Open Worldwide Application Security Project guidelines for their recommendations: https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#authentication-and-error-messages
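An added example of the trade-off raised in the comment above, written for this thread and not taken from any library system: the reset handler that answers differently for an unknown, a retired, and an email-less barcode can be probed to tell accounts apart, while the uniform version keeps one public message and records the actual reason in a staff-only log. The patron records, the barcodes, and the `send_reset_email` stand-in are all constructed for the example.

```python
from typing import Callable, Iterable

# Constructed sample patron records keyed by barcode; not real data.
PATRONS = {
    "21234000123456": {"email": "patron@example.org", "active": True},   # current card
    "21234000999999": {"email": "patron@example.org", "active": False},  # former card
    "21234000555555": {"email": None, "active": True},                   # no email on file
}
SENT_TO: list = []    # stand-in for the mailer: addresses a reset link was sent to
AUDIT_LOG: list = []  # staff-visible log; never shown to the person requesting the reset
GENERIC_MESSAGE = ("If that barcode belongs to an account with an email on file, "
                   "a reset link has been sent.")

def send_reset_email(address: str) -> None:
    SENT_TO.append(address)

def reset_leaky(barcode: str) -> str:
    """Distinct message per case: the reply tells an outsider whether a barcode
    exists, is retired, or has no email, i.e. it enumerates accounts."""
    record = PATRONS.get(barcode)
    if record is None:
        return "Barcode not found."
    if not record["active"]:
        return "That barcode is no longer active."
    if record["email"] is None:
        return "No email address associated with that account."
    send_reset_email(record["email"])
    return "A reset link has been sent."

def reset_uniform(barcode: str) -> str:
    """Same public message in every case; the real reason goes to the staff
    log, so the desk can still tell the patron they used an old card."""
    record = PATRONS.get(barcode)
    if record is None:
        AUDIT_LOG.append(f"unknown barcode {barcode}")
    elif not record["active"]:
        AUDIT_LOG.append(f"retired barcode {barcode}")
    elif record["email"] is None:
        AUDIT_LOG.append(f"no email on file for {barcode}")
    else:
        send_reset_email(record["email"])
        AUDIT_LOG.append(f"reset link sent for {barcode}")
    return GENERIC_MESSAGE

def distinct_responses(handler: Callable[[str], str], barcodes: Iterable[str]) -> int:
    """Count how many different answers a requester could observe for these barcodes."""
    return len({handler(b) for b in barcodes})

PROBE = list(PATRONS) + ["00000000000000"]  # the three known cards plus a made-up one
```

Running `distinct_responses` over `PROBE` gives 4 for the leaky handler and 1 for the uniform one; the "old barcode" hint the original post asks for lives in `AUDIT_LOG`, where staff can read it without the reply itself revealing it.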
-
Emma Olmstead-Rumsey commented
Yes, please! Something like "barcode not found" would be much more helpful.