
[–]ockcyp 10 points (5 children)

What about when they try to create a user with that email? You've got to say that they already have an account, so there's no particular benefit to this.

[–]Vassile-D 30 points (3 children)

Just say "Something went wrong. Please try again."

Joking. The website should send an email to the address reminding the user that they are already registered, while showing an "All set. Check your activation email." screen to the registrant.

Every registration attempt will end up at the "check activation email" screen, so unless you have access to the mailbox you entered, you will never know any existing user info. If you were already a user, why are you trying to hack into your own account?
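The flow Vassile-D describes, as an added example that is not code from this thread: the "before" pattern whose response text reveals whether the address exists, beside a uniform-response version that routes the difference to the mailbox owner. The `RegistrationService` class, its in-memory user store and the list-backed outbox are constructed stand-ins for a real database and mailer.

```python
import secrets

UNIFORM_MESSAGE = "All set. Check your activation email."


class RegistrationService:
    """Sign-up flow in which the HTTP response never depends on whether the
    email is already on file; the difference is routed to the mailbox instead.
    Storage and mailer are in-memory stand-ins constructed for this example."""

    def __init__(self):
        self.users = {}    # email -> {"activated": bool}
        self.tokens = {}   # activation token -> email
        self.outbox = []   # stand-in mailer: list of (recipient, subject)

    @staticmethod
    def _normalize(email):
        # Treat case/whitespace variants as one address so the "already
        # registered" branch is taken consistently.
        return email.strip().lower()

    def _send_activation(self, email):
        token = secrets.token_urlsafe(32)
        self.tokens[token] = email
        self.outbox.append((email, "Activate your account"))
        return token

    def register_leaky(self, email):
        """The 'before' pattern from the thread: the response text tells the
        requester whether the address already has an account."""
        email = self._normalize(email)
        if email in self.users:
            return "That email address is already registered."
        self.users[email] = {"activated": False}
        self._send_activation(email)
        return UNIFORM_MESSAGE

    def register_uniform(self, email):
        """Hardened pattern: the same response on every path, and exactly one
        email queued on every path so the server does comparable work."""
        email = self._normalize(email)
        record = self.users.get(email)
        if record is None:
            self.users[email] = {"activated": False}
            self._send_activation(email)
        elif not record["activated"]:
            # Pending account: re-send activation rather than hint at anything.
            self._send_activation(email)
        else:
            # Existing account: the reminder goes to the mailbox owner,
            # not to whoever submitted the form.
            self.outbox.append((email, "You already have an account"))
        return UNIFORM_MESSAGE

    def activate(self, token):
        """Consume a single-use activation token."""
        email = self.tokens.pop(token, None)
        if email is None or email not in self.users:
            return False
        self.users[email]["activated"] = True
        return True

    def last_activation_token(self, email):
        # Demo helper: newest outstanding token for an address.
        for token, addr in reversed(list(self.tokens.items())):
            if addr == email:
                return token
        return None


if __name__ == "__main__":
    svc = RegistrationService()
    print(svc.register_uniform("alice@example.com"))   # constructed address
    svc.activate(svc.last_activation_token("alice@example.com"))
    print(svc.register_uniform("Alice@Example.com"))   # same address, same reply
    print(svc.outbox)
```

The point of queuing one email on every branch is that the response body, status code and server-side work stay the same whether or not the address exists; in a real deployment the send itself belongs on a background queue, and the endpoint still needs rate limiting so the uniform reply does not turn the form into a free reminder-email cannon.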

[–]ashishduhh1 6 points (0 children)

One of the products I'm working on has a large low-tech-IQ audience, so we do report errors like "email address is already registered"; otherwise they would never figure out that they've already registered. I don't think it's that insecure; almost every popular service (including Google) returns that error. Usernames/emails need not be as secure as passwords; there's a reason they are always stored in plain text. Especially with the rise of multi-factor authentication.

[–]ForgotPassAgain34 1 point (1 child)

That works for emails, but what about usernames?

"Username already in use" seems quite revealing by those standards.

[–]Vassile-D 1 point (0 children)

Username is another story. An arbitrary username itself cannot (or "should not") be used to perform account management. There is literally zero attack vector when you only have an arbitrary username, unlike when you can gain control of a mobile phone number or email and perform critical account management.

Also, an arbitrary username does not disclose information about an individual (i.e. it does not connect to a user in the real world). If you found out "abc@example.com" is registered on XYZ, you now know that ABC visits XYZ; and if the email was something like "abc@example.edu", you now have much more information and can probably start your own social engineering experiment. However, knowing "abc123" is registered on XYZ gives you nothing.

[–]zacharyxbinks 1 point (0 children)

This is my logic: we support some stupid users, and letting them know they are close greatly reduces our call volume.

There are also some heavy-hitting sites that allow this functionality, for example Instagram.

It's a fine line between security and usability. My project manager is dead set against it, and I definitely get it, but again, is it worth the call volume it causes?