by sitepodmatt 3161 days ago
"Sorry, we don't recognize this email id."

This doesn't sound good. Should you not be doing 'If we recognize this email we will send you a verification code' with a timing randomization / delay if you're doing anything on the request pipeline such as the SMTP send?
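The two reset-request behaviours discussed in this thread, side by side, as an added example that is not code from the post author or from the site being discussed. The leaky handler returns the "Sorry" message for unknown addresses and only does the slow SMTP step for known ones, so both the response text and the response time reveal whether an account exists. The uniform handler returns one message for every input and pads each request to a fixed floor plus random jitter. The user store, the `simulated_smtp_send` stand-in and the timing constants are constructed for the example.

```python
import secrets
import time

# Constructed sample user store for the example; not real accounts.
REGISTERED_EMAILS = {"alice@example.com", "bob@example.com"}

# Hypothetical tuning values: every reset request takes at least
# MIN_RESPONSE_SECONDS, plus up to MAX_JITTER_SECONDS of random padding.
MIN_RESPONSE_SECONDS = 0.05
MAX_JITTER_SECONDS = 0.02

UNIFORM_MESSAGE = (
    "If we recognize this email address, we will send you a verification code."
)


def simulated_smtp_send(email):
    """Stand-in for the real SMTP hand-off, the slow step in the pipeline."""
    time.sleep(0.01)
    return True


def request_reset_leaky(email):
    """The pattern quoted in the post: the reply text and the time taken
    both differ depending on whether the address is registered."""
    if email not in REGISTERED_EMAILS:
        return "Sorry, we don't recognize this email id."
    simulated_smtp_send(email)
    return "We have sent you a verification code."


def request_reset(email):
    """Uniform reply for every address, padded to a fixed time floor so the
    SMTP round-trip for known accounts is not visible in the response time."""
    started = time.monotonic()
    if email in REGISTERED_EMAILS:
        simulated_smtp_send(email)
    jitter = secrets.randbelow(1000) / 1000 * MAX_JITTER_SECONDS
    remaining = MIN_RESPONSE_SECONDS + jitter - (time.monotonic() - started)
    if remaining > 0:
        time.sleep(remaining)
    return UNIFORM_MESSAGE


def timed(handler, email):
    """Return (message, elapsed_seconds) for one call, to compare the two handlers."""
    start = time.monotonic()
    message = handler(email)
    return message, time.monotonic() - start


if __name__ == "__main__":
    for address in ("alice@example.com", "nobody@example.com"):
        for handler in (request_reset_leaky, request_reset):
            message, elapsed = timed(handler, address)
            print(f"{handler.__name__:20} {address:20} {elapsed:.3f}s  {message}")
```

The floor only hides the SMTP step if it is longer than the slowest path the handler can take; if the mail hand-off can exceed the floor, the padding no longer equalizes the two cases, which is one reason to queue the send and answer before it happens rather than wait on it in the request.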

2 comments

No, this is fine. If anyone malicious wanted to find out if an email address is registered they could simply try to create a new account using it.

No, I don't think it is fine. But I do take your point that most signup flows would have this information leak too, and probably with less effect - i.e. the target wouldn't get a password reset email. The information leak as a whole, though, does probably mandate better patterns. I can see it being used by gray hat competitors - 'Hey, before you offer X pricing, check if he's already a customer of Y' and so on.

Weekend project: Scrape HN for emails, run them through redtube, which also has this information leak (someone told me), publish them, charge $5 per deletion. (Not serious, but hey, feasible, right?)

Hi, both approaches are correct. However, the first one is more helpful to registered users who want to reset their password. Sometimes they forget the email id they registered their account with, and the "Sorry" message helps them think harder and try alternative email addresses.

In the latter, they will wait for the code for a minute or two and then realise they entered an incorrect email id.

The first one is more helpful to hackers who want to figure out which accounts are registered on your site, and then later proceed with a brute force / social attack.

Malicious users can always check that via the signup flow anyway.