Puzzle for security/spam psychos

This is my password forgot SC flow.

What am I doing?

image

Nobody wants to give it a shot?
Am I really that psycho?

You’re confusing me Jon, have you been eating the special mushrooms??

I am interested in your ‘Email template’ action step though :open_mouth: what’s that!?

Oh and you’re validating the email twice? Is that what you’re getting at?

Maybe…

Nope.

Creating a token, sending it via email so the recipient can then reset their password?

That’s part of the flow, but not what makes me a psycho.

You make the user wait 200 seconds if the user doesn’t exist?

It’s 200 milliseconds, isn’t it?

That’s the bit I’m slightly puzzled over as it’s not really enough to notice.

Yes. Milliseconds. But why?

Will this loop?

Is this another one of your slang expressions? :smiley:

Will it wait?


Hahaha! What data is stored in the fakevars? If this is stored and repeats the short response on the wait will essentially repeat every 200 milliseconds? Like me waiting for coffee!

Hahaha no. Fakevars is disabled.
No tricks. Just hard to guess.

Essentially I haven’t got a clue!

:smiley:

You guys should have asked politely.

I’ll give you guys a clue.

You should never give someone with malicious intent more information than they need.

Are you trying to imply something is happening in the background when someone has failed to pass security?

Will clear the db query (status returned) within 200ms if the data is not valid? Nah, no idea at all, but intriguing… The Psycho part about it, no idea! Need to look it up on JonLOverflow!

My brain overflowed just before I decided to put the wait there.


I think this is it, to give the attacker the idea the database is big (implying a loop through the database)


Very close! I would even say you said it in other words.
I’ll give it as correct.

Unless there is an unhandled error on the server, the response will always be “200 Success”. This is to prevent anyone with malicious intent from brute-forcing whether an email exists in my database of users.

On the frontend there is a message/toast/notification that will always inform the user with something like: “If the account exists you will receive an email with further instructions”.

But there was still a weakness to this. The time taken by the form call.

If the email exists, it will take some actions and this will increase the response time, but if the email doesn’t exist, it will be almost immediate.

The wait delay is to add response time so it’s on par with the response time when there is an email.

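The always-200-plus-padding flow from the reply above, as an added Python example that is not the thread’s own Server Connect code: the user store, the simulated email send and its 20 ms of work are constructed for the example. It goes slightly beyond the post by padding both branches up to a common floor instead of sleeping 200 ms only when the user is missing, so the fix still holds if the real work later changes.

```python
import hashlib
import secrets
import time

# Constructed in-memory user store standing in for the database (example data).
USERS = {"alice@example.com": {"reset_token_hash": None}}

# Same status and message on every path, exactly as the thread describes.
RESPONSE = (200, "If the account exists you will receive an email with further instructions")

def issue_reset_token(email, store):
    """The 'email exists' branch: mint a token, store only its hash, 'send' the email."""
    token = secrets.token_urlsafe(32)
    store[email]["reset_token_hash"] = hashlib.sha256(token.encode()).hexdigest()
    time.sleep(0.02)  # stands in for template rendering plus the SMTP round trip
    return token      # only ever leaves the server inside the email

def forgot_password_naive(email, store=USERS):
    """Always answers 200, but the missing-user branch returns almost instantly."""
    if email in store:
        issue_reset_token(email, store)
    return RESPONSE

def forgot_password(email, store=USERS, min_duration=0.2):
    """Always answers 200 and never faster than min_duration seconds.
    Both branches are padded up to the same floor, so the time taken
    no longer reveals whether the lookup found a user."""
    start = time.perf_counter()
    if email in store:
        issue_reset_token(email, store)
    remaining = min_duration - (time.perf_counter() - start)
    if remaining > 0:
        time.sleep(remaining)
    return RESPONSE

def measure(handler, email, **kwargs):
    """Time one call from the caller's side; returns (response, seconds)."""
    start = time.perf_counter()
    response = handler(email, **kwargs)
    return response, time.perf_counter() - start

if __name__ == "__main__":
    # Compare the two handlers on a known and an unknown address.
    for handler in (forgot_password_naive, forgot_password):
        for email in ("alice@example.com", "nobody@example.com"):
            _, seconds = measure(handler, email)
            print(f"{handler.__name__:22} {email:20} {seconds * 1000:6.1f} ms")
```

Run as a script, the naive handler answers the unknown address in well under a millisecond while the known one takes about 20 ms; the padded handler answers both in about 200 ms.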