Hacker News new | past | comments | ask | show | jobs | submit login

Agreed. I actually just fought and won this battle at work. If you don't want to expose the specific error when logging in, you must either not leak usernames/emails through the signup process either. Otherwise, it's just security theater.

Yes, and it is very hard to show a generic error during sign up.

"There is an error with your data..." WHAT ERROR? I've typed 10 fields.

I think a better approach is to rate limit wrong usernames / emails during sign in.

It's not a difficult problem to solve. Just let the sign-up succeed whether an account already exists for the email or not. Then say "You will receive an email with instructions to complete your registration".

If there was no existing account, send an email with the text: "An account was created for this email address at Example.com. If you requested this account, you may activate it by clicking here: https://..."

If there was an existing account, send: "An attempt was made to create a new account at Example.com for this email address, but you already have an account. If you have forgotten your password, visit https://..."

Yes, this was the alternative we discussed. We opted to go with the simpler (and very common) signup process, which does admittedly leak some information.

That works for sign-up, but not for the far more common case of sign-in.

If you use this approach, the idea is then that you use a generic login failure message. This prevents leaking of any account information, but provides a different (poorer, IMO) user experience.

This is exactly the approach we took.

Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact