It's only useless if the website reveals the username elsewhere, but that doesn't have to be the case. Consider the case when the primary usernames are always emails (many sites do this), and signing up for an account is simply done by entering an email and a password. Then, when someone submits a signup form, the website can:

- Check if an account with the email exists, and if it does, whether the given password matches the existing one.
- If both are valid, log the user in, optionally showing a message saying "there was already an account with these credentials, so we logged you in".
- If an account with the email does not exist, or if it exists and the password doesn't match, return a message to the user saying "please check your email and follow the validation link". The user can't tell if the email exists or not.

In the backend:

- If the account did exist, send an email to the user saying "someone tried to sign up for an account with your email, please let us know if it was you, and here's a way to reset your password if you forgot it".
- If the account did not exist, send an email verification link, which then redirects to a page to complete the user signup.

Same with password resets: the success message can always say "check your email".

There are ways around revealing the username. But I agree, only doing this on the login page is useless.