How to prevent user enumeration attacks through the Forgot Password functionality


Insecure default configuration may allow remote attackers to enumerate users' email addresses via the forgot password functionality. This can be a risk in the case of public-facing deployments.


  • Liferay DXP 6.2 EE
  • Liferay DXP 7.0-7.2


It is recommended to set the portal property to true in your

On the specified product versions, this property defaults to "false":

# Set this to true to prevent attempts to enumerate the portal's users via
# the forgot password feature. This feature will no longer show an error
# that would reveal a user's existence.

To avoid causing unwanted behavior change in existing deployments, Liferay will not change this default setting in a Fix Pack/Service Pack.

Long Term Resolution

In Liferay DXP 7.3 this property defaults to "true".

Was this article helpful?
0 out of 0 found this helpful