[PR #1848] [MERGED] Password hint enhancements #3017

New issue

Closed

opened 2026-03-03 09:09:22 +03:00 by kerem · 0 comments

kerem commented

2026-03-03 09:09:22 +03:00

Owner

📋 Pull Request Information

Original PR: https://github.com/dani-garcia/vaultwarden/pull/1848
Author: @jjlin
Created: 7/10/2021
Status: ✅ Merged
Merged: 7/15/2021
Merged by: @dani-garcia

Base: main ← Head: password-hints

📝 Commits (2)

8ee5d51 Disable show_password_hint by default
88bea44 Prevent user enumeration via password hints

📊 Changes

3 files changed (+43 additions, -19 deletions)

View changed files

📝 .env.template (+4 -2)
📝 src/api/core/accounts.rs (+35 -14)
📝 src/config.rs (+4 -3)

📄 Description

Disable show_password_hint by default.

A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default.
Prevent user enumeration via password hints

When show_password_hint is enabled but mail is not configured, the previous implementation returned a differentiable response for non-existent email addresses.

Even if mail is enabled, there is a timing side channel since mail is sent synchronously. Add a randomized sleep to mitigate this somewhat.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/dani-garcia/vaultwarden/pull/1848 **Author:** [@jjlin](https://github.com/jjlin) **Created:** 7/10/2021 **Status:** ✅ Merged **Merged:** 7/15/2021 **Merged by:** [@dani-garcia](https://github.com/dani-garcia) **Base:** `main` ← **Head:** `password-hints` --- ### 📝 Commits (2) - [`8ee5d51`](https://github.com/dani-garcia/vaultwarden/commit/8ee5d51bd47279d5b23c409744fab6614af0e918) Disable `show_password_hint` by default - [`88bea44`](https://github.com/dani-garcia/vaultwarden/commit/88bea44dd81c6fc9755d42d9bee2533db8765c2a) Prevent user enumeration via password hints ### 📊 Changes **3 files changed** (+43 additions, -19 deletions) <details> <summary>View changed files</summary> 📝 `.env.template` (+4 -2) 📝 `src/api/core/accounts.rs` (+35 -14) 📝 `src/config.rs` (+4 -3) </details> ### 📄 Description * Disable `show_password_hint` by default. A setting that provides unauthenticated access to potentially sensitive data shouldn't be enabled by default. * Prevent user enumeration via password hints When `show_password_hint` is enabled but mail is not configured, the previous implementation returned a differentiable response for non-existent email addresses. Even if mail is enabled, there is a timing side channel since mail is sent synchronously. Add a randomized sleep to mitigate this somewhat. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>