> If the username could be an email address (or the email address is a required field on signup) you don’t have to pass back a message saying that the username is already taken. You simply let them go through the flow and do verification of the email address by emailing and requiring clicking on a link, and if they are already signed up send a message saying someone tried to sign up with your email address.

Sure, let's play this out. Assume for simplicity that the username / user identifier is the email address for our example.

---

Someone comes to your site and tries to sign up with `foo@example.com`. The system has never seen `foo@example.com`, so:

The system registers `foo@example.com` in a pending state and sends an email link to `foo@example.com` saying "Please click this link to finish the signup flow". It also responds to the person signing up, saying "We've sent you an email, please click the link in your inbox to finish the signup flow".

---

Someone comes to your site and tries to sign up with `foo@example.com`. The system has an existing record of `foo@example.com` and the password does not match.

The system sends an email to `foo@example.com` saying that someone tried to sign up a new account with the wrong password. It also responds to the person signing up, saying "We've sent you an email, please click the link in your inbox to finish the signup flow".

---

For a system as described, I concede that a third party has no means of checking if an email address has already signed up; the messages they receive are indistinguishable.

However, for this to work, the click-link-in-email step needs to be a synchronous part of your signup flow. I worry what this added friction does to the bounce rate. Although since I haven't measured it, maybe this worry is misplaced. And of course there's the caveat that measuring with statistically insignificant sample sizes in the early days of a product is its own can of worms.
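Added example (my code, not the commenter's and not any particular site's): the two-case flow described above in Python, with an in-memory dict and an outbox list standing in for the user table and the mail sender. The browser-facing response is a single constant in both branches, and the difference lives only in the email the address owner receives. The verification URL, the wording of the emails, and what to send when the password *does* match an existing account are assumptions; the thread only specifies the never-seen and wrong-password cases.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Account:
    """One row of the constructed, in-memory user table."""
    email: str
    salt: bytes
    pw_hash: bytes
    verified: bool = False
    pending_token: Optional[str] = None


class SignupService:
    # Every caller gets this exact text, whether or not the address was already known.
    RESPONSE = ("We've sent you an email, please click the link in your inbox "
                "to finish the signup flow")
    # Assumed verification URL prefix; not taken from the thread.
    VERIFY_URL = "https://example.com/verify?token="

    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        # Stand-in for a mail sender: (recipient, body) pairs.
        self.outbox: List[Tuple[str, str]] = []

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def signup(self, email: str, password: str) -> str:
        email = email.strip().lower()
        existing = self.accounts.get(email)

        # Hash in both branches so the known/unknown cases cost about the same;
        # skipping the hash for unknown addresses would reopen enumeration via timing.
        salt = existing.salt if existing else secrets.token_bytes(16)
        pw_hash = self._hash(password, salt)

        if existing is None:
            # Case 1 from the comment: never seen. Create a pending record, mail a link.
            token = secrets.token_urlsafe(32)
            self.accounts[email] = Account(email, salt, pw_hash, pending_token=token)
            self.outbox.append((email,
                "Please click this link to finish the signup flow: "
                + self.VERIFY_URL + token))
        else:
            # Case 2 from the comment: address already on file. Only the owner is told
            # what happened; the caller learns nothing. (The matching-password wording
            # is an assumption; the thread does not cover that sub-case.)
            if hmac.compare_digest(pw_hash, existing.pw_hash):
                body = ("Someone (possibly you) tried to sign up again with this "
                        "email address. You already have an account; just log in.")
            else:
                body = ("Someone tried to sign up a new account with your email "
                        "address using the wrong password.")
            self.outbox.append((email, body))

        return self.RESPONSE

    def verify(self, token: str) -> bool:
        """Complete signup for the pending account whose link carried `token`."""
        for acct in self.accounts.values():
            if acct.pending_token is not None and hmac.compare_digest(
                    acct.pending_token.encode(), token.encode()):
                acct.verified = True
                acct.pending_token = None
                return True
        return False


if __name__ == "__main__":
    svc = SignupService()
    first = svc.signup("foo@example.com", "hunter2")
    second = svc.signup("foo@example.com", "not-the-password")
    print(first == second)          # the browser sees one message in both cases
    for rcpt, body in svc.outbox:   # the inbox is where the two cases differ
        print(rcpt, "<-", body)
```

Two things worth noticing: the password hash is computed on both paths, because a handler that only hashes for known addresses tells a patient caller which addresses exist through response time alone; and the address is normalised before lookup so `Foo@Example.com` and `foo@example.com` land on the same record rather than creating a second pending account.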
On the other hand, I would think that the bigger problem is people using the same password with multiple sites and the attacker entering username/password combos as fast as they can. Joe Hacker probably isn't going to look at your Facebook page for where you went to school, what your dog's name is, etc. Unless they're after you specifically.