by jkire 3100 days ago
Isn't the other reason so that adversaries can't tell if a particular username/email has signed up? This is not so useful for something like github, sure, but certainly is useful for the more embarrassing sites where users have an expectation the site won't leak their membership.

So in some ways I've always thought of this as a privacy concern rather than a security one?

Edit: I guess I'm thinking purely of emails where you don't get availability checkers during sign up.

1 comments

As the post demonstrates, you simply go to the login form to validate the presence of accounts.

Few sites remember to anonymize that, which might be the real PSA: in such a case, if you require an email confirmation anyway, just send the "recover password" email internally, but let it look like the regular sign-up flow.

If you don't require email confirmation, anonymous membership isn't possible (just try to sign up with that account: what is the site supposed to do that looks legit without giving away information?)
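The sign-up flow described in the comment above, as an added example (not code from any commenter): an in-memory user store and a captured outbox stand in for a real database and mailer, and both are constructed here. Whether or not the address is already registered, the handler returns an identical response and sends exactly one email; only the recipient learns which case applied.

```python
"""Enumeration-resistant sign-up: same response and same side effects either way."""
import secrets

# Constructed sample data: one address that already has an account.
EXISTING_USERS = {"alice@example.com"}

# Mail "outbox" and pending tokens kept in memory so the example runs offline.
OUTBOX: list[dict] = []
PENDING: dict[str, tuple[str, str]] = {}  # token -> (email, kind)


def _send(to: str, kind: str, token: str) -> None:
    """Stand-in for a real mailer: record the message instead of sending it."""
    OUTBOX.append({"to": to, "kind": kind, "token": token})


def signup(email: str) -> dict:
    """Handle a sign-up request without revealing whether `email` is registered.

    Both branches mint a token, send one email and return the same body, so
    neither the response nor the observable side effects differ per address.
    """
    email = email.strip().lower()
    token = secrets.token_urlsafe(32)
    if email in EXISTING_USERS:
        # Already registered: mail a password-recovery link instead of
        # erroring with "account exists" or creating a duplicate.
        kind = "password_recovery"
    else:
        # New address: mail the ordinary confirmation link.
        kind = "confirm_signup"
    PENDING[token] = (email, kind)
    _send(email, kind, token)
    # Identical response in both cases (status, wording, and fields).
    return {"status": 200, "message": "Check your email to continue."}


def confirm(token: str) -> str:
    """Consume a token from the email; returns the action the site should take."""
    entry = PENDING.pop(token, None)
    if entry is None:
        return "invalid_or_expired"
    email, kind = entry
    if kind == "confirm_signup":
        EXISTING_USERS.add(email)  # account is created only after confirmation
        return "account_created"
    return "show_password_reset"  # existing user: offer a reset, not a new account
```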