> To prevent attackers from knowing whether an account exists or not your signup must only take an email address and provide no feedback in the UI if the sign up succeeded or not. Instead the user would receive an email saying they’re signed up. The only way an attacker would know if an account exists is if they had access to the target’s email.
> Barring that, “username or password incorrect” is just bullshit.
What he means is that the only way it would make sense is if and only if a website's account registration page responded with something like:
"You tried to sign up for me@example.com. If that account didn't already exist, a registration email has been sent to it."
But nobody does that! Registration pages just say "Sorry that email is already in use", which is what makes this whole thing bullshit.
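As an added illustration (not code from this thread or any project it mentions) of the design the quoted comment argues for: the registration handler below returns the same message whether or not the address is already registered, and moves the distinction into the mailbox. The store, outbox and password-hashing parameters are assumptions for a self-contained demo; the hashing work is performed on both branches so the two cases also take comparable time, and the login path compares against a dummy hash for unknown users for the same reason.

```python
"""Enumeration-resistant registration and login responses (added example).

The UI response never depends on whether the e-mail address already has an
account; only the mailbox owner learns which of the two cases happened.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field

# Constant wording for both outcomes (the message proposed in the thread).
REGISTER_RESPONSE = ("You tried to sign up for {email}. If that account didn't "
                     "already exist, a registration email has been sent to it.")
LOGIN_RESPONSE = "Username or password incorrect."

# Assumed, constructed parameters: iteration count is low to keep the demo fast.
PBKDF2_ITERATIONS = 50_000


def _hash_password(password: str, salt: bytes) -> bytes:
    """Fixed-cost password hash, run on every path so timing does not leak."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class Store:
    """In-memory stand-in for the user table and the outgoing mail queue."""
    users: dict = field(default_factory=dict)    # email -> (salt, password hash)
    outbox: list = field(default_factory=list)   # (recipient, subject) pairs


def register(store: Store, email: str, password: str) -> str:
    """Register an address; the returned message is identical in both cases."""
    email = email.strip().lower()
    salt = os.urandom(16)
    digest = _hash_password(password, salt)   # same work whether or not the user exists
    if email in store.users:
        # Existing account: notify the mailbox owner, tell the requester nothing new.
        store.outbox.append((email, "Someone tried to register with your address"))
    else:
        store.users[email] = (salt, digest)
        store.outbox.append((email, "Confirm your registration"))
    return REGISTER_RESPONSE.format(email=email)


# Dummy credential so logins for unknown users still do a full hash + compare.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash_password(secrets.token_hex(16), _DUMMY_SALT)


def login(store: Store, email: str, password: str) -> tuple[bool, str]:
    """Generic failure message for both 'no such user' and 'wrong password'."""
    email = email.strip().lower()
    salt, expected = store.users.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_hash_password(password, salt), expected)
    if email not in store.users:
        ok = False   # never accept a match against the dummy credential
    return (True, "Welcome") if ok else (False, LOGIN_RESPONSE)


if __name__ == "__main__":
    s = Store()
    print(register(s, "me@example.com", "hunter2"))
    print(register(s, "me@example.com", "another-guess"))   # same text as above
    print(s.outbox)                                          # the mailbox sees the difference
    print(login(s, "nobody@example.com", "x"))               # generic failure
```

The thing to check in a real deployment is that every error path, including rate-limit and validation errors, uses the same wording and status code, and that the "already registered" notification goes out on the same queue with the same delay as the confirmation mail.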