Another similar module you may want to try before trying this module (it has more installs, more popular):
username enumeration protection
The Forgot Password feature of core can be used to gather information such as valid usernames. Then these information may be used to perform brute force attack or account lockout attack(DoS).
This module addresses this by giving the same message for both Valid/invalid username/email Id.
Overview:
Makes password reset form more secured by not disclosing valid usernames
Installation (D9):
composer require 'drupal/secure_password_reset:^1.0@beta'
2. Go to "Administer" -> "Modules" and enable the module.
Thats all there is to it, the password reset form should now give the user the same message in both cases of valid or invalid username
Installation (D7):
1. Copy the secure_password_reset directory to the Drupal sites/<...>/modules/ directory.
2. Go to "Administer" -> "Modules" and enable the module.
Thats all there is to it, the password reset form should now give the user the same message in both cases of valid or invalid username
Project information
- Project categories: Access control
14 sites report using this module- Created by ecrown on , updated
Stable releases for this project are covered by the security advisory policy.
There are currently no supported stable releases.
Releases
8.x-1.0-rc2
released 26 March 2024
Works with Drupal: ^8 || ^9 || ^10 || ^11
Drupal 11 compatibility
Install:
Development version: 8.x-1.x-dev updated 26 Mar 2024 at 04:13 UTC
