by savolai 683 days ago
It can indeed be incredibly confusing for users if that is not disclosed, bordering on hostile.

It is a common pattern to reregister, e.g. when in a hurry, so you end up with multiple ids. If you also have userids in addition to email addresses, it can easily become a hard problem in itself to solve/remember which email/pw corresponds to which userid. Obfuscating user/password error messages can make this much worse.

Techies often forget what a messy world non-engineers live in.

Isn’t NOT disclosing that security by obscurity?


It makes it so much easier for attackers - they can then know that a user has an account there too, and use that information to find that user's other known passwords. It's offering up information the attacker might not have.
Most applications end up disclosing that anyways, either by a success message in the password reset flow or an "email already in use" message in the registration flow. Obscuring who has an account is a major commitment for the design of any unauthenticated api, one that's both difficult and often user-hostile. And if you trip up once, you have a worst-of-both-worlds where you've both made your website worse for your users and attackers can still easily check if someone is a user.

Wordpress takes almost the opposite approach: they consider the fact that you are an author on a page public information. There is even the /wp-json/wp/v2/users api to enumerate them. At least they don't show email addresses, but you can also log in with the username. ([1], [2] for examples in the wild.)

Of course, as a Wordpress admin you can decide differently: extensibility is one of the core pillars of Wordpress. Security arguably is placed behind extensibility and user-friendliness.

1: https://quebec.ubisoft.com/en/wp-json/wp/v2/users

2: https://www.rollingstone.com/wp-json/wp/v2/users

I agree it's not really security through obscurity, because when combined with other strategies (like mitigating timing attacks and rate limiting) it does expose less information to the attacker.

However, I maintain that it does depend on the application. For example: Facebook does not use generic error messages. I presume because there are other trivial ways to find out if a user has an account, so mitigating enumeration through the login form is not actually adding extra security.
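The generic-message and timing-parity mitigations this thread keeps circling around, as an added example that is not from any commenter: an in-memory login and password-reset handler that does the same hashing work whether or not the e-mail exists and answers with the same text in both cases. The user store, password, and messages are constructed for the example; a real deployment would use a database, a memory-hard hash, and rate limiting on top of this.

```python
import hashlib
import hmac
import os

_ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for the example


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


def _make_user(password: str):
    salt = os.urandom(16)
    return salt, _hash_password(password, salt)


# Constructed user store: {email: (salt, pbkdf2_hash)}.
USERS = {"alice@example.com": _make_user("correct horse battery staple")}

# Dummy credential verified whenever the e-mail is unknown, so a missing
# account costs the same hashing work as a wrong password (timing parity).
_DUMMY_SALT, _DUMMY_HASH = _make_user(os.urandom(16).hex())

GENERIC_LOGIN_ERROR = "Invalid e-mail address or password."
GENERIC_RESET_MESSAGE = "If you have an account with us, check your e-mail."


def login(email: str, password: str) -> tuple:
    """Return (ok, message). The message never reveals whether `email` exists."""
    salt, stored = USERS.get(email, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash_password(password, salt)  # always computed, known user or not
    # compare_digest runs in constant time for equal-length inputs; the extra
    # membership check guards the (negligible) chance of matching the dummy.
    ok = hmac.compare_digest(candidate, stored) and email in USERS
    return (True, "Welcome back.") if ok else (False, GENERIC_LOGIN_ERROR)


def request_password_reset(email: str, outbox: list) -> str:
    """Queue a reset mail only for known accounts, but answer everyone identically."""
    if email in USERS:
        outbox.append((email, "reset-link-placeholder"))  # placeholder, not a real link
    return GENERIC_RESET_MESSAGE
```

The only observable difference between a known and an unknown address is the e-mail that lands in the real owner's inbox, which is exactly the channel the attacker does not control.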

All it has to say is "if you have an account with us, check your email address you just used".