[tolmasky]

You can use the same strategy there too: in the signup page, it can just say "a confirmation email has been sent to your email". In the event that the email is already known, the email will say "someone else has tried to sign up with your email -- if this was you click here to change your password". This way, the attacker will never know if the email genuinely resulted in a new account or not.

[MarkMc]

Interesting. So we have a clear-cut case of having to choose between (a) more security; or (b) a simpler sign-up process which means more revenue.

It seems to me that choice (a) will not always be the right one - it depends on how much security would improve and how much revenue will be lost. If you find the previous HN article on this topic that you mentioned I'd be curious to read it.

[josephlord]

This works with emails as usernames but not with non-email usernames.

You might say this is a good reason for only allowing email addresses as login names and that could be right although you need to think carefully about how to handle people who have lost access to their email address and in many contexts they may also need to choose a displayname.

[papsosouid]

And you have absolutely terrible usability and tons of people fail to go through the signup process. So you gained imaginary security that doesn't actually do anything, and lost users. For most sites, that isn't a good tradeoff. I don't care if everyone knows I have a mailchimp account. How is it a security concern that people can find that out? If you are running some kind of freaky porn site it matters, but for 90% of sites it doesn't.

[tolmasky]

What is the issue with email verification for SIGNUP? This is pretty standard practice as it is. Eventually you need to contact the user, so better to make sure the email is correct from the beginning. If not, I could for example sign up for mail chimp with your email then proceed to send a bunch of people lude spam, leading to mail chimp then sending you angry emails. Even if they use it appropriately, if you later ever want a mail chimp account it will tell you you already have one, leading to true confusion.

[papsosouid]

There is nothing wrong with email verification. There is something wrong with hiding what is going on from the user. If you try to "secure" your site from people finding out if a particular email is registered, you end up with a massive increase in login failures, which was the point being made. You also make it so that when I say "I forgot my password" and fill in the wrong email address, I am sitting and waiting for a password reset email that never comes. Every portion of the account handling process is made significantly worse by trying to hide account info, and there is absolutely no benefit to doing so.