From the error page design rules 101, we should only tell the audience general error information, never the detailed information that tells an attacker something about your system.
Now it's holiday season, so I got a chance to visit several e-commerce sites which I don't visit very often. For some of them I had forgotten the password; luckily, every site has a password reset option. Unfortunately, 7 of 10 sites didn't protect the user information correctly. I will give some examples, good and bad ones.
One of my favorite sites, HPShopping.com. When you input an email address, it tells you immediately whether that email belongs to an HPShopping customer or not. This step is not protected by any sort of CAPTCHA, so it can be scripted as part of a spam campaign or targeted phishing. The idea is very simple: run through an email database full of junk addresses, use the reset form to filter out the valid HPShopping customers, then send them targeted phishing email.
Bad example: HP Shopping.
Same thing for buy.com.
staples.com, no luck either.
Some good examples.
Apple.com. When you input an email address, whether it's a valid customer or not, it just shows you a general message. If the address is real, you will receive the password reset notification by email.
That's a sweet design. From the perspective of security, it's secure. For user convenience, it's good too: no extra steps required.
Also some good examples that might cause a little inconvenience, because they need an extra step to identify the user and key in the CAPTCHA code.
Amazon.com. A regular good user learns immediately whether the account exists or not, but has to pass the CAPTCHA test first, so it cannot be scripted cheaply. It's SECURE.
Newegg has a similar approach. It combines the Amazon and Apple designs, which is the most secure one: it requires a CAPTCHA and tells you only general information.
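To make the difference concrete, here is an added example (my own code, not taken from any of the sites above) that models both reset handlers side by side: a leaky one in the HPShopping style, a generic-response one in the Apple style, and a small throttle that demands a CAPTCHA after a few attempts from the same source, in the Amazon/Newegg style. The user store, addresses and messages are constructed for the demo. One caveat the prose does not spell out: the generic response only helps if the server does the same amount of visible work on both paths, so the actual mail should be queued rather than sent synchronously, otherwise response time leaks what the message hides.

```python
"""Password-reset handlers: an enumerating version beside a non-enumerating one.
Added example with a constructed in-memory user store; not any real site's code."""
from dataclasses import dataclass, field

# Constructed sample accounts (hypothetical, lowercase for case-insensitive match).
USERS = {"alice@example.com", "bob@example.com"}

GENERIC_MSG = ("If an account exists for that address, "
               "password reset instructions have been sent to it.")
CAPTCHA_MSG = "Please complete the CAPTCHA to continue."


@dataclass
class Outbox:
    """Stands in for the asynchronous mail queue; records who got a reset mail."""
    sent: list = field(default_factory=list)


def reset_leaky(email: str, users: set, outbox: Outbox) -> str:
    """Vulnerable: the response differs for known and unknown addresses,
    so an unauthenticated caller can confirm which addresses are customers."""
    email = email.strip().lower()
    if email not in users:
        return "No account found for that email address."
    outbox.sent.append(email)
    return "Password reset instructions have been sent."


def reset_safe(email: str, users: set, outbox: Outbox) -> str:
    """Hardened: identical response either way. The mail is only queued for a
    real account, and queueing (not sending) keeps both paths equally cheap."""
    email = email.strip().lower()
    if email in users:
        outbox.sent.append(email)
    return GENERIC_MSG


def enumerate_customers(candidates, users: set) -> list:
    """The attack the post describes: feed a junk address list through the
    leaky handler and keep only the addresses the site admits to knowing."""
    outbox = Outbox()  # the attacker does not care that real users get mail
    return [c for c in candidates
            if reset_leaky(c, users, outbox) != "No account found for that email address."]


class ResetThrottle:
    """Per-source attempt counter: after `free_attempts` requests the caller
    must present a solved CAPTCHA (hypothetical threshold, tune to taste)."""

    def __init__(self, free_attempts: int = 3):
        self.free_attempts = free_attempts
        self.counts = {}

    def needs_captcha(self, source: str) -> bool:
        n = self.counts.get(source, 0) + 1
        self.counts[source] = n
        return n > self.free_attempts


def handle_reset(email: str, source: str, captcha_ok: bool,
                 throttle: ResetThrottle, users: set, outbox: Outbox) -> str:
    """Combined design: generic message AND a CAPTCHA gate once a single
    source (e.g. client IP) has used up its free attempts."""
    if throttle.needs_captcha(source) and not captcha_ok:
        return CAPTCHA_MSG
    return reset_safe(email, users, outbox)


if __name__ == "__main__":
    probe = ["alice@example.com", "nobody@example.com", "Bob@Example.com"]
    print("leaky handler leaks:", enumerate_customers(probe, USERS))
    box = Outbox()
    print("safe handler says:", reset_safe("nobody@example.com", USERS, box))
    print("safe handler says:", reset_safe("alice@example.com", USERS, box))
    print("mail queued for:", box.sent)
```

The test of a reset form is simple: submit one address you know is registered and one you made up, and compare the two responses byte for byte, then repeat a dozen times from one client to see whether anything ever slows you down or asks for a CAPTCHA.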