A better password recovery and error handling?
News and General
When using the password form tag “{exp:member:forgot_password_form}” if a user enters an email that is not in the database, expression engine outputs the following:
'forgotten_email_sent' => 'If this email address is associated with an account, instructions for resetting your password have just been emailed to you.',Is there a way to have a custom message out saying the email is not recognized? The ‘{errors}’ is not doing anything and I am not able to find a discussion on this anywhere.
There isn’t currently a way to modify this without changing the core code.
This is actually done for security purposes. If we return a message stating the email is not recognized, that gives hackers a way to verify that an email exists in the system. If they keep trying different emails and eventually don’t get that message, they know an account exists with that email and they’re able to try brute forcing the password for it.
Jace, thank you for your helpful response. Makes sense and we’ll keep it as is. For other times, I am wondering if at anytime any of the system messages could be customized without changing the core code?