[slhck]

The author suggests stripping the part before doing the uniqueness check. This does not mean that the username (email address in this case) would not be allowed.

[bdhess]

It would for the second user whose address resolves to the same result from the “uniqueness” check.

[coredog64]

I wish this would happen. There's a "rocket surgeon" on the East Coast who has (tried) to sign up for Facebook, Twitter, Steam, and a bunch of sleazy 'message gurlz now' apps using my Gmail address without the period.

Obviously it never works, as I get the "I see you're trying to create a new account" email, but one of these days he's going to figure out a way to take over one of those accounts and then I'll really be fked.

[bdhess]

I don’t understand your complaint. Google resolves the addresses john.smith@gmail.com and johnsmith@gmail.com to the same account, which you control.

(1.) What are you imagining is the attack vector exactly?

(2.) Are you asserting that all website owners should build to Google’s (non-standard) behavior?

[reaperducer]

I have a similar problem with someone who keeps (hopefully accidentally) putting my landline number into Facebook, then I get a call with a recording asking me to press some number to verify my Facebook account.

[joshmanders]

I'm curious as to who would use a service someone else is using, sharing their email but with a local addition?

Can me and my wife both sign up to HN and use my email but hers be josh+swife@joshmanders.com and mine be josh@joshmanders.com?

That's a strange usecase, isn't it?

[pinkythepig]

gmail makes josh@... and josh+swife@... resolve to the same thing, but there is no guarantee that all other email services behave like that. For all you know, there is an email service that lets you register an email like that, so you have 2 users now whose email is: john+smith@... and john+brown@...