by yahelc 5002 days ago
Amen. The clarified login error message finding is way more interesting than the vague platitudes on branding and security.

No one will get rid of their social buttons solely on the basis of this post, but hopefully many people will now work on improving their error messages after reading this.

1 comments

> The clarified login error message finding is way more interesting than the vague platitudes on branding and security

The part about security isn't platitudes. Not displaying informative messages in response to failed logins is a security orthodoxy, something you are almost always told is a compulsory practice if you care about security. So a very key part of the story here is that they abandoned this standard security practice as a tradeoff in favor of usability. Whether this ever bites them or to what extent is something we may never know the answer to. So we have been told the good outcome of their tradeoff and not the bad side. It sounds to me like it was worth it, but I wouldn't like every web service to jump on this uncritically.

Sorry, I meant the security of relying on the services in general, not of exposing that someone has an account with you. Obviously, that's a serious security consideration, and each service should weigh the costs and the benefits.

In this case, it seems like they are already exposing it with the account checker, so making this change didn't open up any new vulnerabilities.
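To make the tradeoff the thread is arguing about concrete, here is an added example (not code from the thread or from the service it discusses) that puts the orthodox "one message for every failure" handler beside the usability-first handler that tells the user whether the email was unknown, and a defender-side check that a test suite can run to confirm which behaviour a handler actually has. All names, messages and the user store are constructed for the illustration.

```python
"""Login-error tradeoff: generic failure message versus informative one.

Constructed example. `login_generic` follows the conventional advice: the
same message and the same amount of work whether or not the account exists.
`login_informative` distinguishes "no such account" from "wrong password",
which is the usability choice the thread describes. `leaks_account_existence`
is the regression check a team can keep in its test suite so that the choice
is made deliberately rather than by accident.
"""
import hashlib
import hmac

# Constructed sample data; PBKDF2-SHA256 with a fixed salt stands in for a
# real per-user salted password hash.
_SALT = b"constructed-salt"
_ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS = {
    "alice@example.com": _hash("correct horse battery staple"),
}
# Hash compared for unknown users so the work factor is identical either way
# (otherwise response time alone would reveal whether the account exists).
_DUMMY_HASH = _hash("dummy")

GENERIC_MSG = "Incorrect email or password."
NO_ACCOUNT_MSG = ("We couldn't find an account with that email. "
                  "Did you sign in with a social login instead?")
BAD_PASSWORD_MSG = "Incorrect password."


def login_informative(email: str, password: str) -> tuple:
    """Usability-first variant: says which part of the login was wrong."""
    stored = USERS.get(email)
    if stored is None:
        return False, NO_ACCOUNT_MSG
    if not hmac.compare_digest(stored, _hash(password)):
        return False, BAD_PASSWORD_MSG
    return True, "ok"


def login_generic(email: str, password: str) -> tuple:
    """Orthodox variant: same message and same hashing work in every failure case."""
    stored = USERS.get(email, _DUMMY_HASH)
    # The membership check guards against a password that happens to match
    # the dummy hash; compare_digest keeps the comparison constant-time.
    ok = hmac.compare_digest(stored, _hash(password)) and email in USERS
    return (True, "ok") if ok else (False, GENERIC_MSG)


def leaks_account_existence(handler) -> bool:
    """Defender-side check: does the failure text differ between a known
    account and an unknown one? Returns True if the handler is informative."""
    _, known = handler("alice@example.com", "not-the-password")
    _, unknown = handler("nobody@example.com", "not-the-password")
    return known != unknown


if __name__ == "__main__":
    for name, handler in (("informative", login_informative),
                          ("generic", login_generic)):
        print(f"{name}: reveals account existence = "
              f"{leaks_account_existence(handler)}")
```

The point the thread makes still holds either way: if the same site already exposes "is there an account for this email" through a separate account checker, switching the login form from `login_generic` to `login_informative` changes the user experience but not what an outsider can learn, and the check above lets a team see that both endpoints agree.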