by facorreia 4480 days ago
Whatever you do, DON'T follow this advice. It's utterly wrong.

Here's the professional way to do this:

"An application should respond with a generic error message regardless of whether the user ID or password was incorrect. It should also give no indication to the status of an existing account."

https://www.owasp.org/index.php/Authentication_Cheat_Sheet
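As an added example (not part of the thread or of the OWASP page), here is the difference between a login handler that leaks account existence and one that follows the quoted advice; the user store, PBKDF2 parameters and the dummy credential are constructed for the illustration:

```python
import hashlib
import hmac
import os

# Constructed user store: username -> (salt, PBKDF2-HMAC-SHA256 hash).
def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential hashed when the username is unknown, so the server does
# the same amount of work either way and response time does not reveal
# whether the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder-never-matches", _DUMMY_SALT)

GENERIC_ERROR = "Invalid username or password."


def login_leaky(username: str, password: str) -> tuple[bool, str]:
    """Anti-pattern: distinct messages tell a caller which usernames exist."""
    if username not in USERS:
        return (False, "No account with that username.")
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return (False, "Incorrect password.")
    return (True, "Welcome")


def login(username: str, password: str) -> tuple[bool, str]:
    """OWASP-style: one generic message, constant work, constant-time compare."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = _hash(password, salt)  # always computed, even for unknown users
    matched = hmac.compare_digest(candidate, stored)
    # Membership is re-checked after the compare so a lucky match against the
    # dummy hash can never log anyone in as a non-existent account.
    if matched and username in USERS:
        return (True, "Welcome")
    return (False, GENERIC_ERROR)
```

The leaky version's two messages are exactly the enumeration oracle the quote warns about; the second version also removes the timing difference that a generic message alone would leave behind.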

2 comments

I second that. It's preferable to not give any indication about which emails are or are not stored in your database.
Bear in mind that particular advice is from a group expressly interested in security. The article is talking about usability. There is often a balance to be struck.
There is a balance, and it swings heavily in the direction of never ever ever compromising security.
Your reply made me smile. You're quite right, but only up to a point. An emphasis on security that compromises usability can backfire and start to make things less secure.

For example, enforcing a 32 character passphrase with at least 1 non-alphanumeric character would be incredibly secure, but users will start writing down their password on post-its near their terminals, and suddenly all that 'security' evaporates because you've introduced an artificial weak link.

In a small way better usability enhances security by making the user less likely to get things wrong.

Compromising the lock is different than choosing the type of lock.