A similar module you may want to try before this one (it has more installs and is more popular):
username enumeration protection
The Forgot Password feature of core can be used to gather information such as valid usernames. This information can then be used to perform a brute-force attack or an account lockout attack (DoS).
This module addresses this by giving the same message for both valid and invalid usernames/email IDs.
Overview:
Makes the password reset form more secure by not disclosing valid usernames.
Installation (D9):
1. composer require 'drupal/secure_password_reset:^1.0@beta'
2. Go to "Administer" -> "Modules" and enable the module.
That's all there is to it; the password reset form should now give the user the same message for both valid and invalid usernames.
Installation (D7):
1. Copy the secure_password_reset directory to the Drupal sites/<...>/modules/ directory.
2. Go to "Administer" -> "Modules" and enable the module.
That's all there is to it; the password reset form should now give the user the same message for both valid and invalid usernames.
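To check that behaviour after enabling the module, the following added example (not code from this module or from Drupal) compares the reset form's reply for a known account with its reply for a made-up name and lists every difference an observer could use to tell them apart. The `ResetResponse` record, the function names and all sample replies, including the message wording, are constructed for illustration.

```python
import re
from collections import namedtuple

# One recorded reply from the password reset form (hypothetical record layout):
# submitted = name or e-mail typed in, status = HTTP status code,
# location = redirect target ("" if none), message = text shown to the user.
ResetResponse = namedtuple("ResetResponse", "submitted status location message")


def normalise(resp):
    """Mask the echoed input and collapse whitespace so only real differences remain."""
    text = resp.message
    if resp.submitted:  # an empty pattern would match between every character
        text = re.sub(re.escape(resp.submitted), "<input>", text, flags=re.IGNORECASE)
    return re.sub(r"\s+", " ", text).strip()


def enumeration_signals(known, unknown):
    """Return the observable differences between the two replies (empty list = uniform)."""
    signals = []
    if known.status != unknown.status:
        signals.append("status")
    if known.location != unknown.location:
        signals.append("redirect")
    if normalise(known) != normalise(unknown):
        signals.append("message")
    return signals


# Constructed sample replies, not captured from a real site.
BEFORE = (
    ResetResponse("alice", 302, "/user/login",
                  "Further instructions have been sent to your e-mail address."),
    ResetResponse("nosuchuser", 200, "",
                  "Sorry, nosuchuser is not recognized as a user name or an e-mail address."),
)
AFTER = (
    ResetResponse("alice", 302, "/user/login",
                  "If alice matches an account, further instructions have been sent."),
    ResetResponse("nosuchuser", 302, "/user/login",
                  "If nosuchuser matches an account, further instructions have been sent."),
)

if __name__ == "__main__":
    print("without uniform reply:", enumeration_signals(*BEFORE))
    print("with uniform reply:   ", enumeration_signals(*AFTER))
```

An empty list means the two replies are indistinguishable on status, redirect and message; masking the echoed input keeps a uniform message that repeats the submitted name from being reported as a difference.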
Project information
- Module categories: Access Control
- 22 sites report using this module
- Created by ecrown on , updated
- Stable releases for this project are covered by the security advisory policy.
Look for the shield icon below.
Releases
Drupal 11 compatibility
Development version: 8.x-1.x-dev updated 26 Mar 2024 at 04:13 UTC
Development version: 7.x-1.x-dev updated 29 Jun 2017 at 19:09 UTC