by tolmasky 5002 days ago
I think telling people that just their password was wrong was a bad move. The author argues that this is not a security risk because the "username reminder form already tells you if a username exists". However, this simply displays a further security issue. I don't have the link handy, but there was just a (really good) article the other day here on Hacker News about why you should not reveal whether the email address is necessarily associated with a username or password in these kinds of forms (always just give the same generic "we will send it if it exists" message).

Yes, both of these UI features would reveal the fact that this username or email already exists.

But isn't it impossible not to reveal it on the signup page anyway? You want users to have unique usernames (or emails acting as usernames), therefore the signup form has to tell them if it has been already taken.

My suggestion would be to tell users if the username or email is unknown right away - and perhaps add a captcha if they are trying out too many different usernames.

You can use the same strategy there too: in the signup page, it can just say "a confirmation email has been sent to your email". In the event that the email is already known, the email will say "someone else has tried to sign up with your email -- if this was you click here to change your password". This way, the attacker will never know if the email genuinely resulted in a new account or not.
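The enumeration-resistant flow described in this comment and in the first one (a single generic response from login, password-reset and signup, with the "this address is already registered" branch moved into the email itself), as an added example in Python. This is illustration code written for this thread, not code from any of the commenters or from Mailchimp; the in-memory user store, the outbox that stands in for a mail provider, the `example.invalid` links, the per-client attempt counter that gates a captcha, and the PBKDF2 parameters are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory stores so the example runs offline; a real service
# would use a database and a mail provider (assumption).
SALT = b"constructed-demo-salt"
USERS = {}      # email -> {"hash": bytes | None, "verified": bool, ...}
OUTBOX = []     # messages that would have been emailed
ATTEMPTS = {}   # client id -> number of login/reset requests seen
CAPTCHA_AFTER = 5  # assumed threshold before a captcha is required

# The one message each endpoint returns, whether or not the address is known.
GENERIC_LOGIN = "Invalid email address or password."
GENERIC_SIGNUP = "A confirmation email has been sent to the address you entered."
GENERIC_RESET = "If an account exists for that address, a reset link is on its way."


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Hash of a random secret, so that a login attempt against an unknown address
# does the same amount of work as one against a known address (timing parity).
_DUMMY_HASH = _hash(secrets.token_hex(16))


def _send(to, subject, body):
    OUTBOX.append({"to": to, "subject": subject, "body": body})


def _note_attempt(client):
    """Count requests per client; endpoints can gate on needs_captcha()."""
    ATTEMPTS[client] = ATTEMPTS.get(client, 0) + 1


def needs_captcha(client):
    """True once a client has made CAPTCHA_AFTER or more login/reset requests."""
    return ATTEMPTS.get(client, 0) >= CAPTCHA_AFTER


def create_verified_user(email, password):
    """Helper standing in for a completed signup plus confirmation."""
    USERS[email] = {"hash": _hash(password), "verified": True}


def signup(email):
    """Same response for known and unknown addresses; the branch lives in the email."""
    if email in USERS:
        _send(email, "Someone tried to sign up with your address",
              "If this was you, use this link to reset your password: "
              "https://example.invalid/reset")
    else:
        token = secrets.token_urlsafe(32)
        USERS[email] = {"hash": None, "verified": False, "token": token}
        _send(email, "Confirm your account",
              f"Click to confirm: https://example.invalid/confirm?token={token}")
    return GENERIC_SIGNUP


def login(client, email, password):
    """Returns (True, None) on success, else (False, GENERIC_LOGIN).

    The error text never says which of the two fields was wrong, and the
    hashing work is done even when the address is unknown.
    """
    _note_attempt(client)
    user = USERS.get(email)
    stored = user["hash"] if user and user.get("hash") else _DUMMY_HASH
    match = hmac.compare_digest(stored, _hash(password))
    ok = match and user is not None and user.get("hash") is not None
    return (True, None) if ok else (False, GENERIC_LOGIN)


def request_password_reset(client, email):
    """Always returns GENERIC_RESET; an email goes out only for known accounts."""
    _note_attempt(client)
    user = USERS.get(email)
    if user and user.get("verified"):
        token = secrets.token_urlsafe(32)
        user["reset_token"] = token
        _send(email, "Reset your password",
              f"Click to reset: https://example.invalid/reset?token={token}")
    return GENERIC_RESET
```

The design choice is that every response string is a constant chosen before the store is consulted, so nothing the browser receives depends on whether the address exists; the only place that distinction is expressed is inside a message that is delivered to the address owner. The attempt counter is what the "captcha after too many tries" suggestion in the thread would hook into.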
Interesting. So we have a clear-cut case of having to choose between (a) more security; or (b) a simpler sign-up process which means more revenue.

It seems to me that choice (a) will not always be the right one - it depends on how much security would improve and how much revenue will be lost. If you find the previous HN article on this topic that you mentioned I'd be curious to read it.

This works with emails as usernames but not with non-email usernames.

You might say this is a good reason for only allowing email addresses as login names, and that could be right, although you need to think carefully about how to handle people who have lost access to their email address, and in many contexts they may also need to choose a display name.

And you have absolutely terrible usability and tons of people fail to go through the signup process. So you gained imaginary security that doesn't actually do anything, and lost users. For most sites, that isn't a good tradeoff. I don't care if everyone knows I have a mailchimp account. How is it a security concern that people can find that out? If you are running some kind of freaky porn site it matters, but for 90% of sites it doesn't.
What is the issue with email verification for SIGNUP? This is pretty standard practice as it is. Eventually you need to contact the user, so better to make sure the email is correct from the beginning. If not, I could for example sign up for Mailchimp with your email then proceed to send a bunch of people lewd spam, leading to Mailchimp then sending you angry emails. Even if they use it appropriately, if you later ever want a Mailchimp account it will tell you you already have one, leading to true confusion.
There is nothing wrong with email verification. There is something wrong with hiding what is going on from the user. If you try to "secure" your site from people finding out if a particular email is registered, you end up with a massive increase in login failures, which was the point being made. You also make it so that when I say "I forgot my password" and fill in the wrong email address, I am sitting and waiting for a password reset email that never comes. Every portion of the account handling process is made significantly worse by trying to hide account info, and there is absolutely no benefit to doing so.