
Ask HN: Is this a security concern on the Atlassian single sign-on? - gitgud
If you try to login to [1] Atlassian with an email that isn't on their system, it will present a signup form.

[1] https://id.atlassian.com/login

Doesn't that mean someone could run through and check if accounts exist for certain emails, then try a bunch of commonly used passwords... or worse run through leaked email/password combinations...
======
rosswilson
Exposing whether an account exists is a risk, but the alternative is also a
hard problem to solve. Sign In screens could throw a generic error that
doesn’t reveal whether it was the email address or password that was
incorrect, but what about registration flows?

If users can sign up and register to your system, it’s harder to offer a slick
user flow without revealing that an account already exists. One way to achieve
this is to only capture the user’s email address, send them an email, and they
complete the rest of the sign up process as a second stage. A user who already
has an account gets sent an email stating that an account already exists.

As a business I assume they’ve decided that the risk of exposing whether an
account exists was worth it in exchange for a better user experience.

~~~
gitgud
Thanks for the explanation. But I would think a generic error would be more
secure, as it reveals less information. It's also what most systems implement.

Yes, the signup flow is an important part of any system, I think an ideal
solution is to make the feedback of whether an account exists much longer. So
they need to fill in a registration form, before they get feedback on whether
the email exists.

Anyway, in the end I guess it's a UX decision with trade-offs either way.
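The two mitigations discussed in this thread, a generic login error and rosswilson's email-first two-stage signup, as an added example in Python (not code from the original thread or from Atlassian). The in-memory user store, the pending-signup table and the outbox are constructed assumptions, and the dummy-hash comparison for unknown emails goes one step beyond the thread: it keeps response time similar for existing and non-existing accounts so the generic message is not undercut by a timing difference.

```python
import hashlib
import hmac
import secrets

# Constructed in-memory state standing in for a user database, a pending-signup
# table and an outgoing mail queue. Hypothetical names; not Atlassian's code.
_SALT = b"demo-salt"        # a real system stores a random per-user salt
USERS = {}                  # email -> password hash
PENDING = {}                # one-time token -> email awaiting second-stage signup
OUTBOX = []                 # (recipient, subject) pairs "sent" by email


def _hash_pw(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS["alice@example.com"] = _hash_pw("correct horse battery staple")
# Assumption beyond the thread: also hash a dummy password for unknown emails so
# the response time does not reveal existence when the message already doesn't.
_DUMMY_HASH = _hash_pw("dummy-password-never-accepted")


def login(email: str, password: str) -> dict:
    """Generic failure: the response never says whether email or password was wrong."""
    stored = USERS.get(email, _DUMMY_HASH)
    match = hmac.compare_digest(stored, _hash_pw(password))  # always computed
    if match and email in USERS:
        return {"status": 200, "body": "ok"}
    return {"status": 401, "body": "Invalid email or password"}


def start_signup(email: str) -> dict:
    """Email-first registration: the HTTP response is identical whether or not the
    account exists; only the mailbox owner learns which email they received."""
    if email in USERS:
        OUTBOX.append((email, "You already have an account - sign in instead"))
    else:
        token = secrets.token_urlsafe(16)
        PENDING[token] = email
        OUTBOX.append((email, "Finish creating your account"))
    return {"status": 200, "body": "Check your email to continue"}


def complete_signup(token: str, password: str) -> bool:
    """Second stage: the registration form is only reachable via the emailed token."""
    email = PENDING.pop(token, None)
    if email is None or email in USERS:
        return False
    USERS[email] = _hash_pw(password)
    return True
```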

